WWWhost
05-03-2004, 05:03 AM
hi all,
I have several problems with spam. I find about 10.000 mails in the queue every 24 hours. I also note that it is possible to send out mails via SMTP without authentication. I have, however, turned ON the SMTP tweak in WHM.
So is there any definite way to disable the SMTP server on a cPanel server so that nobody, but really no one, can use mail.domain.com to send e-mails??
thanks a lot
John[H4Y]
05-03-2004, 05:32 AM
Try testing your server at http://www.abuse.net/relay.html or one of the other open relay tests. I would bet your server is not actually open to relay mail without authentication.
WWWhost
05-03-2004, 07:17 AM
The problem is that anyone can connect through telnet to an account on non and send e-mails:
-----------------------
telnet domain.com 25
helo tester.com
mail Wrom: XRQBGJSNBOHMKH
rcpt to: max@domain.com
data
text off message
.
quit
---------------------
be happy!!!
hostito
05-03-2004, 10:50 AM
Do you have an account on this server? Try doing this from some IP/network where you are not also authenticating (just in case).
Andrew
05-03-2004, 11:13 AM
Oh, yes, the most popular control panel allows anyone to send mail on any domain without any authentication, but these villains only use your server to do it...
Your IP is undoubtedly in /etc/relayhosts because you've checked pop3 within the last half hour. THAT is why it is allowing you to send mail unauthenticated.
Please do your duty and learn about what you speak of before coming here and declaring cpanel 'not secure'.
John[H4Y]
05-03-2004, 02:58 PM
Originally posted by WWWhost
The problem is that anyone can connect through telnet to an account on non and send e-mails:
-----------------------
telnet domain.com 25
helo tester.com
mail Wrom: XRQBGJSNBOHMKH
rcpt to: max@domain.com
data
text off message
.
quit
---------------------
be happy!!!
Did you try the open relay test? It will do just that. Unless you did something to defeat cPanel's authentication, you do not have an open relay. If you did, you would probably already be on all the blacklists by now.
WWWhost
05-03-2004, 05:13 PM
Andrew --- I have, of course, checked all this.
John[H4Y] --- yes, I made some tests with different open relay sites (mentioned here and on the cPanel board).
I also have different messages coming from something@mywebsite.com in the mail queue that I never sent. Lots of customers have the same nonexistent e-mails bounced back...
So I think I can say there is some security problem with Exim's SMTP.
Is there any way to turn off SMTP so that nobody can send out e-mails from mail.domain.com???
hostito
05-03-2004, 05:27 PM
Check your mail stats; what do they tell you about who is sending the most email out?
WWWhost
05-03-2004, 06:13 PM
The top senders are:
local
mailnull
and the main IP address of the server is also listed under Top 50 sending hosts.
The Top 50 host destinations by volume and message are:
local
Steven
05-03-2004, 07:01 PM
It's not cPanel, it's Exim:
http://www.exim.org/exim-html-3.30/doc/html/spec_35.html
for more info. Another thing to think about is someone using a script on your server to spam.
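Hostito's suggestion to look at the mail stats and Steven's point about a local script spamming come down to the same question: who is injecting the messages? WHM's mail statistics summarise Exim's mainlog, and the arrival ("<=") lines there already say whether a message came in over SMTP from a remote host, over an authenticated session, or from a local process. The script below is an added example, not code from the thread or from cPanel or Exim; the log excerpt is constructed in the Exim 4 mainlog layout (the H=host [ip], U=user, P=local and A=auth fields are Exim's, the hostnames, IPs and queue ids are made up). It tallies arrivals per origin and flags local users (U=nobody on cPanel is normally a web script) that are injecting a lot of mail.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed Exim 4 mainlog excerpt. "<=" marks a message arriving; H=host [ip]
# is an SMTP client, U=user P=local is a message injected by a local process
# (U=nobody on cPanel is typically a web script), A=... is an SMTP AUTH login,
# and U=mailnull with sender <> is a bounce generated by Exim itself.
MAINLOG = """\
2004-05-03 18:01:11 1BKaaa-000001-Ab <= max@domain.com H=(WORKSTATION) [203.0.113.5] P=esmtp S=1820
2004-05-03 18:01:45 1BKaab-000002-Cd <= nobody@server.domain.com U=nobody P=local S=2211
2004-05-03 18:01:46 1BKaac-000003-Ef <= nobody@server.domain.com U=nobody P=local S=2211
2004-05-03 18:01:46 1BKaad-000004-Gh <= nobody@server.domain.com U=nobody P=local S=2211
2004-05-03 18:02:03 1BKaae-000005-Ij <= sales@mywebsite.com H=mail.example.net [198.51.100.9] P=esmtp S=4050
2004-05-03 18:02:30 1BKaaf-000006-Kl <= <> R=1BKaaa-000001-Ab U=mailnull P=local S=3100
2004-05-03 18:03:10 1BKaag-000007-Mn <= bob@domain.com H=(home) [203.0.113.7] P=esmtpa A=login:bob@domain.com S=900
2004-05-03 18:03:11 1BKaag-000007-Mn => user@yahoo.com R=lookuphost T=remote_smtp H=mx.yahoo.com [192.0.2.25]
"""

# Only arrival lines carry "<="; delivery ("=>") and other lines are ignored.
ARRIVAL = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")


def classify(line: str) -> Optional[Tuple[str, str]]:
    """Return (origin_kind, origin_key) for an arrival line, None for any other line."""
    m = ARRIVAL.match(line)
    if not m:
        return None
    rest = m.group("rest")
    auth = re.search(r"\bA=(\S+)", rest)
    if auth:
        return "authenticated", auth.group(1)        # SMTP AUTH: a real mailbox login
    host = re.search(r"\[(?P<ip>[0-9.]+)\]", rest)
    if host:
        return "remote-host", host.group("ip")       # unauthenticated SMTP client
    user = re.search(r"\bU=(\S+)", rest)
    if user:
        return "local-user", user.group(1)           # injected by a process on the box
    return "unknown", "?"


def tally(log: str) -> Counter:
    """Count message arrivals per (origin_kind, origin_key)."""
    counts: Counter = Counter()
    for line in log.splitlines():
        origin = classify(line)
        if origin:
            counts[origin] += 1
    return counts


def suspicious_local_senders(counts: Counter, threshold: int = 3) -> List[str]:
    """Local users injecting at least `threshold` messages; on cPanel 'nobody' means a web script."""
    return sorted(user for (kind, user), n in counts.items()
                  if kind == "local-user" and n >= threshold)


if __name__ == "__main__":
    counts = tally(MAINLOG)
    for origin, n in counts.most_common():
        print(f"{n:4d}  {origin[0]:<14} {origin[1]}")
    print("local users worth a look:", suspicious_local_senders(counts))
```

On a real box you would feed `/var/log/exim_mainlog` to `tally()` instead of the constructed excerpt; a large count for `("local-user", "nobody")` points at a web script (one of the cgi-sys form mailers, or a customer's own script) rather than at the SMTP listener, which is Steven's second point.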
datums
05-04-2004, 01:21 AM
try doing this.
telnet server 25
helo aol.com
mail from: ceo@aol.com
rcpt to: user@yahoo.com
data
test
.
If you receive the email at user@yahoo.com, then you are an open relay.
If you did not send the messages, it is very possible and common that your email address is being spoofed as the sender for these emails, so if the user does not exist, you will get the reply back {NDR} instead of its original source.
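The difference between the two transcripts in this thread is the recipient: WWWhost's test sends to max@domain.com, a domain hosted on the box, which Exim must accept regardless of who connects (that is delivery, not relaying); datums' test sends to user@yahoo.com, which an outsider must be refused. Andrew's point is that the outsider check only means something from an IP that has not just logged in to POP3, because pop-before-smtp puts that IP into /etc/relayhosts for a while. The following is an added example, not code from the thread, cPanel or Exim: a small model of that relay policy with both transcripts replayed against it, so you can see the server side of the exchange offline. The hostname, hosted domains, client IPs and relayhosts contents are constructed, and the garbled sender in WWWhost's transcript is replaced by a made-up address.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOSTNAME = "mail.domain.com"                         # constructed
LOCAL_DOMAINS = {"domain.com", "mywebsite.com"}      # constructed: domains hosted here
RELAYHOSTS = {"203.0.113.5"}                         # constructed /etc/relayhosts contents


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False
    mail_from: Optional[str] = None
    accepted_rcpts: List[str] = field(default_factory=list)


def rcpt_decision(session: Session, rcpt: str) -> Tuple[int, str]:
    """Reply an Exim-style relay policy gives to RCPT TO:<rcpt>."""
    domain = rcpt.strip("<>").rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return 250, "Accepted"                        # local delivery, never relaying
    if session.authenticated or session.client_ip in RELAYHOSTS:
        return 250, "Accepted"                        # relay allowed for this client
    return 550, "relay not permitted"                 # what an outsider must see


def replay(client_ip: str, lines: List[str], authenticated: bool = False) -> List[str]:
    """Feed a transcript (one command per line) to the policy; return the server replies."""
    sess = Session(client_ip, authenticated)
    replies: List[str] = []
    in_data = False
    for line in lines:
        if in_data:
            if line == ".":                           # end of message body
                in_data = False
                replies.append("250 OK id=CONSTRUCTED-QUEUE-ID")
            continue
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.lower(), arg.strip()
        if verb in ("helo", "ehlo"):
            replies.append(f"250 {HOSTNAME} Hello {arg} [{client_ip}]")
        elif verb == "mail" and arg.lower().startswith("from:"):
            sess.mail_from = arg[5:].strip()
            replies.append("250 OK")                  # envelope sender is never verified
        elif verb == "rcpt" and arg.lower().startswith("to:"):
            rcpt = arg[3:].strip()
            code, text = rcpt_decision(sess, rcpt)
            if code == 250:
                sess.accepted_rcpts.append(rcpt)
            replies.append(f"{code} {text}")
        elif verb == "data":
            if sess.accepted_rcpts:
                replies.append('354 Enter message, ending with "." on a line by itself')
                in_data = True
            else:
                replies.append("503 valid RCPT command must precede DATA")
        elif verb == "quit":
            replies.append(f"221 {HOSTNAME} closing connection")
        else:
            replies.append("500 unrecognized command")
    return replies


# The two transcripts posted in the thread, one command per line.
WWWHOST_TRANSCRIPT = ["helo tester.com", "mail from: someone@example.org",
                      "rcpt to: max@domain.com", "data", "text off message", ".", "quit"]
RELAY_TEST_TRANSCRIPT = ["helo aol.com", "mail from: ceo@aol.com",
                         "rcpt to: user@yahoo.com", "data", "test", ".", "quit"]


def is_open_relay(client_ip: str) -> bool:
    """True if an unauthenticated client at client_ip could relay to yahoo.com."""
    return replay(client_ip, RELAY_TEST_TRANSCRIPT)[2].startswith("250")


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.5"):
        print(ip, "open relay:", is_open_relay(ip))
        for reply in replay(ip, RELAY_TEST_TRANSCRIPT):
            print("   ", reply)
```

Run as is, the outsider at 198.51.100.7 gets `550 relay not permitted` on the yahoo.com recipient while the address in /etc/relayhosts is allowed through, which is exactly why a relay test from your own workstation right after checking POP3 is misleading; the WWWhost transcript gets `250 Accepted` from either IP because the recipient is local, so it proves nothing about relaying.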
Website Rob
05-04-2004, 04:52 AM
Two things I can suggest are:
1. Disable crappy Cpanel cgi-sys scripts
--------------------------------------------------
cd /usr/local/cpanel/cgi-sys
chmod 0 addalink.cgi cgiecho cgiemail entropybanner.cgi-wrap entropysearch.cgi formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl guestbook.cgi helpdesk.cgi randhtml.cgi-wrap realhelpdesk.cgi realsignup.cgi scgiwrap signup.cgi
Make sure they cannot be turned back on
chattr +i addalink.cgi cgiecho cgiemail entropybanner.cgi-wrap entropysearch.cgi formmail.cgi FormMail.cgi FormMail-clone.cgi formmail.pl FormMail.pl guestbook.cgi helpdesk.cgi randhtml.cgi-wrap realhelpdesk.cgi realsignup.cgi scgiwrap signup.cgi;ls -lh
Copy & paste the above as they will work as posted.
2. Check for eMail Spoofing
--------------------------------------------------
This is a bit harder as you will need to check the Headers to see where the eMail originates from. As only the originating IP address is reliable, it is a good place to start. Unfortunately you cannot stop anyone from spoofing an eMail address in the 'From' Header.
Finally, make sure to remove all eMail in the queue using:
WHM > Email > Manage Mail Queue > Delete all messages in Queue
so you can start tracking from a fresh start. Don't include, though, eMails that are kicked back by the Exim '/etc/antivirus.exim' filter. These would be eMails with various attachments (pif, exe, eml, etc.) not allowed by the antivirus filter. They are usually sent from bogus addresses and, since Exim cannot send them back to anyone, will end up in the Server queue until removed.
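Website Rob's second point, that only the originating IP in the headers is reliable, has a precise form: each hop prepends its own Received: line, so the topmost lines were written by your server, and the first Received: line written by a host you control names the IP that actually connected to you. Everything below that line, and the From: header, was supplied by the sender and can say anything. The following is an added example, not code from the thread or from cPanel or Exim; the message, hostnames and IPs are constructed, including a forged Received: line and a forged From: of the kind WWWhost describes. It walks the chain and returns the one IP worth acting on.

```python
import re
from email import message_from_string
from typing import List, Optional

OUR_HOSTS = {"server.domain.com"}        # constructed: hosts whose Received: lines we trust

# Constructed message: a loopback re-injection by our own server, the real
# SMTP client (198.51.100.23, claiming HELO yahoo.com), a forged hop the sender
# wrote itself, and a forged From: on one of our own domains.
SPOOFED_MESSAGE = """\
Received: from server.domain.com ([127.0.0.1])
\tby server.domain.com with esmtp (Exim 4.30) id 1BKaaa-000001-Ab
\tfor max@domain.com; Mon, 03 May 2004 17:13:02 +0200
Received: from mail.example.org ([198.51.100.23] helo=yahoo.com)
\tby server.domain.com with smtp (Exim 4.30) id 1BKaab-000002-Cd
\tfor max@domain.com; Mon, 03 May 2004 17:13:01 +0200
Received: from ceo.aol.com (aol.com [10.0.0.1])
\tby yahoo.com with ESMTP id 12345; Mon, 03 May 2004 17:12:00 +0200
From: something@mywebsite.com
To: max@domain.com
Subject: constructed spoof

body
"""

BY_RE = re.compile(r"\bby\s+(?P<host>[\w.-]+)", re.I)
IP_RE = re.compile(r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw: str) -> List[str]:
    """Received: headers top to bottom (newest hop first), folding collapsed."""
    msg = message_from_string(raw)
    return [re.sub(r"\s+", " ", h).strip() for h in msg.get_all("Received", [])]


def header_from(raw: str) -> str:
    """The From: header, kept only to show it is sender-supplied and proves nothing."""
    return message_from_string(raw)["From"]


def originating_ip(raw: str) -> Optional[str]:
    """IP of the client that connected to a host we control; None if no such hop."""
    for hop in received_chain(raw):
        by = BY_RE.search(hop)
        ip = IP_RE.search(hop)
        if not (by and ip) or by.group("host").lower() not in OUR_HOSTS:
            continue                      # written by a host we don't control: untrusted
        if ip.group("ip").startswith("127."):
            continue                      # our own loopback hand-off, keep walking down
        return ip.group("ip")
    return None


def untrusted_hops(raw: str) -> List[str]:
    """Received: lines below the trusted originating hop; their content is sender-supplied."""
    chain = received_chain(raw)
    origin = originating_ip(raw)
    for i, hop in enumerate(chain):
        if origin and f"[{origin}]" in hop:
            return chain[i + 1:]
    return chain


if __name__ == "__main__":
    print("From: header   :", header_from(SPOOFED_MESSAGE))
    print("originating IP :", originating_ip(SPOOFED_MESSAGE))
    for hop in untrusted_hops(SPOOFED_MESSAGE):
        print("forged/untrusted:", hop)
```

The 10.0.0.1 "aol.com" hop is discarded because yahoo.com is not a host we control, and the From: on mywebsite.com is ignored entirely; 198.51.100.23 is what goes into an abuse report or a block, and if that IP turns out to be the server itself (or 127.0.0.1 is the only hop), the message was injected locally and the Exim log, not the headers, is where to look next.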