Suspended account still sending mail

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
I have an account that has been suspended but the user is still able to send mail how can I stop them from sending mail?

I don't yet want to terminate the account or delete the email account for a few reasons.
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
Are you sure they are still sending emails, or are emails in queue from before the suspension?
Definitely still sending emails, I suspended the account a few days ago and right now their is an email in queue from 8 hours ago this is when the last time they sent out a bulk mailing.
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
I can't duplicate this here on a server running CURRENT. After suspending the account, I cannot login to it, I can receive to it. You might want to put in a ticket with your host or cPanel directly on this.

GL!
I just submitted a support request.

I double checked to make sure I was not crazy, the account is suspended and they just sent 200+ emails today.

I'm sure Cpanel will be able to figure it out, I will post the results here in case anyone else runs across this issue.
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
I can't duplicate this here on a server running CURRENT. After suspending the account, I cannot login to it, I can receive to it. You might want to put in a ticket with your host or cPanel directly on this.

GL!
The first response I received

According to the cPanel documentation, suspended accounts are not able to access the website and shell. It does not mention that email access will be revoked:
Suspend/Unsuspend an Account
 

Lyttek

Well-Known Member
Jan 2, 2004
772
4
168
Email access will still continue. Change their email passwords to block them.
 

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
Yep, easy answer is change the email account password. A nice tool for that sort of thing: ConfigServer Mail Manage

Meantime, I understand what the reply to the ticket says, but I tested this myself last night and suspending that account meant no login via my email client to check, receive, or send any email.

Anyone else have an account they can test on and confirm?
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
Yep, easy answer is change the email account password. A nice tool for that sort of thing: ConfigServer Mail Manage

Meantime, I understand what the reply to the ticket says, but I tested this myself last night and suspending that account meant no login via my email client to check, receive, or send any email.

Anyone else have an account they can test on and confirm?
I use ConfigServer Mail Manage

What I think they are doing is using their desktop client and going through the mail server, doing this they wouldn't need to log into anything except through the SMTP and from the response it seems that is not blocked on a suspended account, kind of negates the meaning suspend a bit.
 

Infopro

Well-Known Member
May 20, 2003
17,090
519
613
Pennsylvania
cPanel Access Level
Root Administrator
Twitter
If I suspend my test account, then open my mail client (outlook 2007) to send myself a spam email, I can't. That test accounts email address asks for a password, as it's locked out from connecting to the mail server.

I just tested this again right now and find this to be the case.

If you can give me some idea as to how they're sending emails without logging into the server I'll try that.
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
If I suspend my test account, then open my mail client (outlook 2007) to send myself a spam email, I can't. That test accounts email address asks for a password, as it's locked out from connecting to the mail server.

I just tested this again right now and find this to be the case.

If you can give me some idea as to how they're sending emails without logging into the server I'll try that.
I wish I knew how they were doing it then I could close it. This is so strange.

Changed all the passwords and they sent a fresh new set of emails today.

A couple days back I noticed an unsent email but today I only see the bounced emails could they be using some sort of desktop application and in it they have there email set so the bounce backs know where to go but they are not going through the email server during sending?
 

Miraenda

Well-Known Member
Jul 28, 2004
243
5
168
Coralville, Iowa USA
cPanel Access Level
Root Administrator
Are they using some program to send? If so, is it mailman? If they are sending emails in batches, it has to be something other than regular SMTP here.

First of all, to prove it's sendmail not SMTP, remove their domains (any primary, addon, sub and parked domains on their account) from /etc/localdomains, which prevents any further SMTP emails. If they are still sending at that point, it's sendmail that they are using. Removing from /etc/localdomains won't prevent sending using a script with sendmail.

Now, any scripts should have been suspended when the account was suspended, so that would be even more confusing how they are sending unless the suspension didn't kill off their already existing processes. You could change their account to be root owned, which would prevent them from executing any scripts as their user as well as ensure all of their processes aren't running.
 
Last edited:

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
Cpanel sent me some more info

Email Authentication does get disabled when an email account is suspended.

You can force the use of SMTP authentication by running this as root.

/usr/local/cpanel/bin/tailwatchd --disable=Cpanel::TailWatch::Antirelayd --verbose

This should ensure that a suspended account is not able to send email.
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
Just wanted to update this the above did not work they are still sending emails, I will contact support again.
 

JawadArshad

Well-Known Member
PartnerNOC
Apr 8, 2008
459
7
68
PK
cPanel Access Level
DataCenter Provider
Just wanted to update this the above did not work they are still sending emails, I will contact support again.
This is strange, could you post some log entries of emails sent and replace the actual domain names and email accounts with dummy names etc. Without more details, replies from experts here may be intelligent guesses.
 

yamaharr1

Well-Known Member
Jun 22, 2007
94
2
58
This is strange, could you post some log entries of emails sent and replace the actual domain names and email accounts with dummy names etc. Without more details, replies from experts here may be intelligent guesses.
It appears the issue might be because of forwarders. Cpanel support is looking into it and looked into some header information.

Cpanel response

Would you like is to disable these forwarders manually? They don't get changed when an account is suspended.
I removed the forwarders let's see what happens.
 

cPanelDon

cPanel Quality Assurance Analyst
Staff member
Nov 5, 2008
2,545
12
268
Houston, Texas, U.S.A.
cPanel Access Level
DataCenter Provider
Twitter
It appears the issue might be because of forwarders. Cpanel support is looking into it and looked into some header information.

Cpanel response

I removed the forwarders let's see what happens.
When possible, please send me a private message with your ticket ID number; I would like to review the notes and applicable details about the circumstances involved.