Discarding all Outgoing Email without a Specific Subject Line

Discussion in 'E-mail Discussions' started by Glowball, Mar 28, 2008.

  1. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    I'm a Web Developer but I'm also in charge of configuring cPanel. I really don't know what I'm doing when it comes to system administration or email administration, so I'm pretty clueless when it comes to solving this issue. I don't have direct access to the email logs but I can ask for bits of them if necessary. My Web host has said that my domain is sending out a lot of spam and I'm hoping to stop it.

    This Web site represents a small division in a large company. There is one "Contact Us" Web form that needs to send a "thank you" email to whoever uses it as well as send the information to Customer Service. This is the only email that should pass through this domain.

    So that means I know the subject lines of all non-spam email. Would the best approach be to use cPanel's Email Filter and a regular expression to discard all email that does NOT contain the exact subject line? I'm going on the assumption that this works with outgoing email as well as incoming email. Yes, spam could still get through if they use that subject line but I would assume that this wouldn't be as much of an issue.

    What would I put in as the regular expression? I assume that the filter should have a "Subject" that "matches regex" and then the regular expression. I need it to match this:

    Good Subject Line|Second Subject Line

    I'm not sure how to tell it that if it does NOT match one of those two then just discard it. Of course, if this doesn't work on outgoing mail then I'm not sure what to do. Help? Thanks!
     
  2. nickp666

    nickp666 Well-Known Member

    Joined:
    Jan 28, 2005
    Messages:
    770
    Likes Received:
    2
    Trophy Points:
    18
    Location:
    /dev/null
    Rather than filtering out the stuff your script shouldn't be sending, IMO it would be a much better idea to fix the script so that it only sends what it should. Adding filters to counter insecure scripts isn't the best solution in this instance.
     
  3. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Correct. The problem is surely due to an insufficient filtering method in the website before it is emailed. You must verify the correct format of every var sent to the system from the online form before you actually send the message. Please comment your code to see how you are filtering/analyzing the input data.
     
  4. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    Sorry, I may have been unclear. The spammers are not using the Web form to send their spam. The code that processes the form does a lot of checking, and there are a lot of required fields. The subject and body of the two emails that it sends are in the script. The spam is being sent some other way.
     
  5. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    OK, fine. And did your host provide you any clues as to whether the spam is being sent from a real address in that domain or not?

    The spammers may be bypassing your SMTP server entirely. To avoid this possibility, check in your WHM -> Security -> Security Center -> SMTP Tweak and activate that service (you should have activated all these security measures) in order to curb malicious users from bypassing your SMTP server. (This is taken from a similar post in the forum, answered by cPanelDavidG.)
     
  6. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    I'm going through the files to see if there is any other script that can send email, just in case that was compromised. Unfortunately, this isn't a site I work on. Maybe there's something in a random folder somewhere that spammers are using.

    As for the Security area in WHM, I don't seem to have that option. I'm using WHM 11.15.0 and cPanel 11.18.3-C21703. Where should I see it? Thanks!
     
  7. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    I have the same version of WHM (it only differs in that I use the Stable, not the Current) and there shouldn't be differences. Under Security Center you have several options: cPHulk Brute Force Protection, Host Access Control (block IP access), SSH Password Auth Tweak, PHP open_basedir Tweak, Apache mod_userdir Tweak, Compilers Tweak, Traceroute Tweak, SMTP Tweak, Shell Fork Bomb Protection. Don't you have these items present?

    Do you have SSH access to the host?
     
  8. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    You have to be in Security Center, which itself is within the Security section of the WHM interface.
     
  9. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    I don't see anything to do with security anywhere -- not in the left navigation frame and not in the icons on the home page. If I ask our host to enable the Security Center for our WHM would that make sense?
     
  10. cPanelDavidG

    cPanelDavidG Technical Product Specialist

    Joined:
    Nov 29, 2006
    Messages:
    11,279
    Likes Received:
    8
    Trophy Points:
    38
    Location:
    Houston, TX
    cPanel Access Level:
    Root Administrator
    Only those with root-level access to the server can access the Security Center. Contact your hosting provider for assistance as it is unlikely they will grant you that level of access.
     
  11. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    I've asked them about it. This is a dedicated server so they may give it to us. If not, I'll ask them to follow the instructions here. Between that and a site cleanup I'm hoping we can stop this spam issue.
     
  12. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    If you are paying for a dedicated server or a VPS you NEED and MUST have access to Security options in WHM. Ask your provider for that access.

    I suppose that you are seeing a WHM panel but not the admin one; you have really been granted use of a reseller panel.

    Regards.
     
  13. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    It's a managed server so they take care of that stuff for us (obviously if I was to handle all of it it would be hopelessly broken in a matter of minutes). They said that SMTP Tweak is activated and has been. I think we're okay -- there has to be a script somewhere that is allowing spam. It seems that people are using this domain for storage in addition to the site, so once we pull all of that down and clean it up we should be good. Fingers crossed.
     
  14. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Well, being so, detecting the spam source won't be easy.
    Then you should download the entire site, look for hosted php/pl scripts that contain mail function calls, and check whether they are validating input data or not.
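
The audit suggested in the post above, as an added example that is not part of the original thread: it lists every PHP/Perl script in a downloaded copy of the site that can send mail, then narrows to the ones that also read request data directly, which are the files whose validation needs checking by hand. The search patterns and the sample tree are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: audit a downloaded copy of a site for scripts that can send mail.
# Assumed patterns: common PHP/Perl mail primitives, not a complete list.
MAIL_RE='mail[[:space:]]*\(|sendmail|Net::SMTP|MIME::Lite|PHPMailer|fsockopen[[:space:]]*\('
# Direct use of request data: PHP superglobals, Perl CGI param().
INPUT_RE='\$_(GET|POST|REQUEST|COOKIE)|param[[:space:]]*\('

# mailer_files DIR: every script file under DIR containing a mail-sending call.
mailer_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.inc' -o -name '*.phtml' \
        -o -name '*.pl' -o -name '*.cgi' \) -exec grep -liE "$MAIL_RE" {} + | sort
}

# review_first DIR: mailer files that also read request data directly;
# these are where input validation has to be checked by hand.
review_first() {
    mailer_files "$1" | while IFS= read -r f; do
        if grep -qE "$INPUT_RE" "$f"; then printf '%s\n' "$f"; fi
    done
}

# make_sample DIR: constructed sample tree (file names and contents are made up).
make_sample() {
    mkdir -p "$1/old/tools"
    printf '%s\n' '<?php mail("cs@example.com", "Good Subject Line", $body); ?>' > "$1/contact.php"
    printf '%s\n' '<?php mail($_POST["to"], $_POST["subj"], $_POST["msg"]); ?>' > "$1/old/tools/send.php"
    printf '%s\n' 'open(M, "|/usr/sbin/sendmail -t"); print M "To: " . param("to");' > "$1/old/form.pl"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/index.php"
}

demo=$(mktemp -d)
make_sample "$demo"
echo "Scripts that can send mail:"; mailer_files "$demo"
echo "Review these first:";         review_first "$demo"
rm -rf "$demo"
```

A hit only means the file can send mail; a script with a fixed recipient and subject, like the constructed `contact.php`, is listed by `mailer_files` but not by `review_first`.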
     
  15. Glowball

    Glowball Member

    Joined:
    Nov 27, 2005
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    I'm feeling pretty good about things. I deleted about 80% of the site, some of which had references to mail. I even found an unused pile of scripts for sending mail, which got deleted. Now I'm down to one email class and one form, and they both look good. Everything is validated. I want to thank you for your help with this -- I'll post back if there's still an issue, but I think everything is good.
    :)
     
  16. Kent Brockman

    Kent Brockman Well-Known Member

    Joined:
    Jan 20, 2008
    Messages:
    1,130
    Likes Received:
    3
    Trophy Points:
    38
    Location:
    Buenos Aires, Argentina
    cPanel Access Level:
    Root Administrator
    Cool! :D

    If you have awstats active, wait a few days and check for 404 errors (page not found) in order to discover what files are being required by "users" and missed. That will give you an interesting clue about where your site has been exploited. :cool:
    Also, check the stats for the top visited pages to evaluate whether any other scripts are still being used/exploited. If your server has been sending lots of spam, you should see a singular amount of visits for those scripts. Check and compare that data over past months to discover any tendencies and when the problem appeared ;)
     
    #16 Kent Brockman, Apr 1, 2008
    Last edited: Apr 1, 2008
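
The two checks from the last post, as an added example that is not part of the original thread: run against a raw Apache access log instead of awstats, it counts 404s per path (deleted files that are still being requested) and POSTs per PHP/Perl script (scripts with an unusual number of hits). It assumes the combined log format; the log lines and paths are constructed.

```sh
#!/bin/sh
# Added example: post-cleanup checks on an Apache combined-format access log.
# Assumed field layout: $6 = "METHOD, $7 = request path, $9 = status code.

# missing_hits LOG: 404 count per path (query string stripped), busiest first.
missing_hits() {
    awk '$9 == 404 { sub(/\?.*/, "", $7); n[$7]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -k1,1nr -k2,2
}

# script_posts LOG: POST count per PHP/Perl script path, busiest first.
script_posts() {
    awk '$6 == "\"POST" { sub(/\?.*/, "", $7)
             if ($7 ~ /\.(php|pl|cgi)$/) n[$7]++ }
         END { for (p in n) print n[p], p }' "$1" | sort -k1,1nr -k2,2
}

# sample_log FILE: constructed log lines (documentation IPs, made-up paths).
sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [01/Apr/2008:10:00:01 -0500] "POST /old/tools/send.php HTTP/1.1" 404 210 "-" "-"
203.0.113.5 - - [01/Apr/2008:10:00:02 -0500] "POST /old/tools/send.php HTTP/1.1" 404 210 "-" "-"
203.0.113.9 - - [01/Apr/2008:10:00:07 -0500] "POST /old/tools/send.php?x=1 HTTP/1.1" 404 210 "-" "-"
198.51.100.7 - - [01/Apr/2008:10:01:00 -0500] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2008:10:01:05 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Apr/2008:10:01:09 -0500] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
EOF
}

log=$(mktemp)
sample_log "$log"
echo "404s by path:";     missing_hits "$log"
echo "POSTs by script:";  script_posts "$log"
rm -f "$log"
```

Repeated POSTs to a script that no longer exists, as in the constructed `/old/tools/send.php` lines, point at the file that was being abused before the cleanup.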