Email forwarders added to non-legitimate addresses

Operating System & Version: CentOS 6.9
cPanel & WHM Version: Cp 94.0.21

Sokpet
Registered, Apr 5, 2022, United States
cPanel Access Level: Root Administrator
Hello,

I have a weird case on one of the servers. Non-legitimate forwarder emails (Gmail addresses) have been added in cPanel from a whitelisted IP. I cannot blacklist that IP because it is legitimate, and there is no way to trace which machine is sending the non-legitimate requests to add forwarders.
Can I add a rule to block forwarder email changes and allow them only manually via cPanel?
Or can I restrict forwarders to only one domain, so no one can add Gmail or other addresses?

I checked email filters and /etc/valiases/domain.com and all is correct.

Any help would be appreciated.

Thank you.
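As an added example (not from the thread and not cPanel's own tooling), a small Python audit that parses files in the /etc/valiases format and reports any forwarder whose destination lies outside an allowed set of domains, which is how a few affected accounts among hundreds can be found quickly. The sample file content is constructed, and the directory path, the allowed-domain set and the handling of pipe and routing entries are assumptions.

```python
import re
from pathlib import Path

# Constructed sample of /etc/valiases/<domain> content (assumed format: "alias: target[, target]").
SAMPLE_VALIASES = """\
# forwarders for example.com (constructed sample)
sales@example.com: bob@example.com, alice@example.com
support@example.com: "|/home/user/bin/ticket.pl"
noreply@example.com: :fail: No such user
old@example.com: bob@example.com,unknown.person@gmail.com
*: bob@example.com
"""

# Exim routing tokens that are not forwarders (assumed to cover what the audit must skip).
ROUTING_TOKENS = (":fail:", ":blackhole:", ":defer:")

def parse_valiases(text):
    """Yield (alias, [targets]) pairs from valiases-format text, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alias, sep, rhs = line.partition(":")
        if not sep:
            continue
        rhs = rhs.strip()
        if rhs.startswith(ROUTING_TOKENS) or rhs.startswith('"'):
            yield alias.strip(), [rhs]          # routing directive or quoted pipe: keep whole
            continue
        yield alias.strip(), [t.strip() for t in rhs.split(",") if t.strip()]

def external_forwarders(text, allowed_domains):
    """Return [(alias, target)] for every target delivering to a domain not in allowed_domains."""
    allowed = {d.lower() for d in allowed_domains}
    findings = []
    for alias, targets in parse_valiases(text):
        for target in targets:
            if target.startswith(ROUTING_TOKENS) or target.startswith('"'):
                continue                         # not a forward to a mailbox
            _, at, domain = target.rpartition("@")
            if at and domain.lower() not in allowed:
                findings.append((alias, target))
    return findings

def audit_valiases_dir(path, allowed_domains):
    """Scan every file in a valiases directory; returns {filename: findings} for files with hits."""
    report = {}
    for f in Path(path).iterdir():
        if f.is_file():
            hits = external_forwarders(f.read_text(errors="replace"), allowed_domains)
            if hits:
                report[f.name] = hits
    return report

if __name__ == "__main__":
    for alias, target in external_forwarders(SAMPLE_VALIASES, {"example.com"}):
        print(f"external forwarder: {alias} -> {target}")
```

Run `audit_valiases_dir("/etc/valiases", local_domains)` as root on the server, with `local_domains` being the set of domains that may receive forwards, to list every file that contains an external destination.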

cPanelWilliam
Administrator, Staff member, Mar 13, 2018, Houston
cPanel Access Level: Root Administrator
Hello! You can disable the "Email Filtering Manager" and "Forwarder Manager" features via the Feature Manager in WHM to prevent forwarders and filters from being added via cPanel and webmail for the account. We also have an article detailing how you can set up an Exim System filter to prevent users from sending to specific domains, but this does involve advanced Exim customization.

The ideal solution would be to perform a malware scan on all of the devices logging in to the webmail accounts to determine which device is infected.

Sokpet
Registered, Apr 5, 2022, United States
cPanel Access Level: Root Administrator
Hello, and thank you for your prompt answer and advice. I will try to perform a malware scan on all devices.
Do you know if the "disable email forward" hook script will help stop the addresses from being changed?

Here is the script I found. Will it work?

Thank you

cPanelWilliam
Administrator, Staff member, Mar 13, 2018, Houston
cPanel Access Level: Root Administrator
Hello @Sokpet , thank you for your reply. I don't have any experience using that specific hook, but I believe it would work.

The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

Spirogg
Well-Known Member, Feb 21, 2018, Chicago
cPanel Access Level: Root Administrator
> Hello @Sokpet , thank you for your reply. I don't have any experience using that specific hook, but I believe it would work.
>
> The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

Is this an issue with Exim where it is exposed to the public and hackers are getting in to add forwarders, or is this a user account issue? Either way, if they are hacking into the system from cPanel to Exim, that should be looked at further by cPanel, yes?

Just wondering: how can we prevent a hacker from running wild and adding forwarders to other users' cPanel accounts?

(If this is the case; not sure, because I have not had this issue, but I have seen a few people complain about this lately.)

thanks
Spiro

Sokpet
Registered, Apr 5, 2022, United States
cPanel Access Level: Root Administrator
> Hello @Sokpet , thank you for your reply. I don't have any experience using that specific hook, but I believe it would work.
>
> The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

Thank you for checking that. In my particular case it will work, since users are not allowed to use any external emails for forwarding.

Sokpet
Registered, Apr 5, 2022, United States
cPanel Access Level: Root Administrator
> is this an issue with exim where it is exposed to the public and hackers are getting in to add forwarders, or is this a user account issue? either way it they are hacking into the system from cPanel to exim that should be looked at further from cPanel yes ?
>
> just wondering how can we prevent a hacker from running wild and adding forwarders to other users cpanel accounts ?
>
> ( if this is the case) not sure cause I have not had this issue but have seen a few people complain about this lately
>
> thanks
> Spiro

From my understanding it is a user-account-related issue. Out of a few hundred email accounts, only 2 of them are vulnerable and get external forwarders added. The problem is that it is almost impossible to detect the infected machine, since the server logs show only one IP address for all requests (the data center's), and all machines connect to the server via that data center. Obviously cPanel cannot detect which request is legitimate and which is not, since the IP is whitelisted.