WHM 11.36.1 (build 6)
Just wanted to confirm as Barlow said, the Webmail Autoresponder is wide-open.
And as InfoPro said, the Feature Manager can disable Autoresponder.
After my clients log into their personal webmail accounts, they are shown the choice to enter different webmail interfaces: Horde, Roundcube or SquirrelMail.
On this index.html page the clients can manage Change Password, Forwarding Options, Auto Responders, Configure Client Mail, Email Filtering, Email Trace.
The Forwarding Options does limit the client ONLY to their email address.
But the Auto Responders gives them Admin permissions to add Auto Responders to any email under any domain name.
Sad, but I had to disable Auto Responder after a client successfully added Auto Responder to my email to prove the the interface was not secure.
To Your Success!!!