Disable features on demo account

Discussion in 'Security' started by CoreISP.net, Jan 25, 2011.

  1. CoreISP.net

    CoreISP.net Active Member

    Joined:
    May 25, 2006
    Messages:
    43
    Likes Received:
    0
    Trophy Points:
    6
    cPanel Access Level:
    DataCenter Provider
    Hi,

    By default, some functions in demo mode are fortunately disabled.
    However, it turns out that the demo user is allowed to send as many emails as allowed.
    So if you give out demo account credentials and the user turns out to be malicious, he/she can happily abuse your server for sending out loads of spam by using the webmail client(s).
    This is a security issue to me.

    How to disable this function in demo mode? :)
     
  2. LinuxTechie

    LinuxTechie Well-Known Member

    Joined:
    Jan 22, 2011
    Messages:
    502
    Likes Received:
    2
    Trophy Points:
    18
    cPanel Access Level:
    Root Administrator
    Hello,

    I think you need to limit the quota in order to limit sending mails. Mails sent from a domain per hour can also be limited. So there is no worry about abuse!
     
  3. CoreISP.net

    It is highly limited, but even with 1MB on quota, you can send out hundreds of emails in plain text.
    The mails sent from a domain/hour can be limited individually (I'm definitely not going to set a global rule just for a demo account...) from the CSM if I am not mistaken, however: I'd rather disable the feature completely.

    This, however, seems to be a flaw. A ticket is running with cPanel and according to their first reply, it should not even be possible to use the mail functions in demo mode.
     
    #3 CoreISP.net, Jan 26, 2011
    Last edited: Jan 26, 2011
  4. LinuxTechie

    Hello,

    Okay. Keep posting on this thread with the techs' updates.
     
  5. CoreISP.net

    I will :) Thanks for thinking!
     
  6. LinuxTechie

    Hello,

    Okay, and you are welcome!
     
  7. CoreISP.net

    This is still being worked on. The cPanel technicians have been very helpful and are doing their best at analyzing the problem.

    It's a rather bizarre situation. In the demo account, it is impossible to log in to SMTP, POP3 and IMAP to send email. When you send an email from webmail in demo mode, you see an error instantly.
    Now the odd part: This has not prevented a spammer from abusing the demo account to mass spam...
    The sent items on the IMAP server happily show all the spam mail sent from the demo account as well.

    Unfortunately, it's very hard to trace it back and to find out what has been used and in which way to get this done. We are all rather baffled as on one hand it is impossible and yet on the other it seems very possible... Yet, we are unable to reproduce it. :|

    It seems Horde is being used for it. Perhaps something that connects to Horde.
    Any suggestions for me and the cPanel guys that are looking at it are of course welcome.
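
The last post describes mail leaving the demo account even though SMTP login is blocked. One way to narrow down the submission path is to tally Exim arrival (`<=`) lines per account and protocol, where `P=local` marks local submission and `P=esmtpa` authenticated SMTP. This is an added example, not code from the thread or from cPanel; the account name `demo`, the per-hour limit and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log format (not taken from the thread).
SAMPLE_LOG = """\
2011-01-26 09:14:02 1PhtAb-0003xY-Qz <= demo@example.com U=demo P=local S=1432 id=a1@example.com
2011-01-26 09:14:03 1PhtAc-0003xZ-1a <= demo@example.com U=demo P=local S=1440 id=a2@example.com
2011-01-26 09:14:03 1PhtAc-0003xZ-1a => someone@example.org R=lookuphost T=remote_smtp H=mx.example.org [192.0.2.10]
2011-01-26 09:14:05 1PhtAe-0003xb-3c <= demo@example.com U=demo P=local S=1451 id=a3@example.com
2011-01-26 09:20:41 1PhtGr-0003yB-7d <= alice@example.net H=(laptop) [198.51.100.7] P=esmtpa A=dovecot_login:alice@example.net S=2210
2011-01-26 10:02:17 1PhtvB-0003zK-9e <= demo@example.com U=demo P=local S=1399 id=a4@example.com
2011-01-26 10:05:00 1PhtxQ-0003zL-Af <= <> R=1PhtvB-0003zK-9e U=mailnull P=local S=2801
"""

# Date, hour, message id (ignored), "<=", envelope sender, remaining key=value fields.
ARRIVAL = re.compile(r"^(\d{4}-\d\d-\d\d) (\d\d):\d\d:\d\d \S+ <= (\S+) (.*)$")

def parse_arrivals(text):
    """Yield one dict per message-arrival ('<=') line; delivery lines are skipped."""
    for line in text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        day, hour, sender, rest = m.groups()
        fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
        auth = fields.get("A", "")
        yield {
            "hour": f"{day} {hour}:00",
            "sender": sender,
            "protocol": fields.get("P"),
            # U= is the local Unix user; A= is "driver:authenticated_id".
            "account": fields.get("U") or auth.partition(":")[2] or None,
        }

def hourly_counts(text, account):
    """Count arrivals per (hour, protocol) attributed to one account."""
    return Counter((a["hour"], a["protocol"])
                   for a in parse_arrivals(text) if a["account"] == account)

def flag_hours(text, account, limit):
    """Return the hours in which the account submitted more than `limit` messages."""
    per_hour = Counter()
    for (hour, _), n in hourly_counts(text, account).items():
        per_hour[hour] += n
    return sorted(h for h, n in per_hour.items() if n > limit)

if __name__ == "__main__":
    print(flag_hours(SAMPLE_LOG, "demo", limit=2))
```

On a cPanel server the Exim main log is normally `/var/log/exim_mainlog`; pass its contents in place of `SAMPLE_LOG`.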
     