Bobcares

cPanel email security – Most effective measures hand picked

by | Sep 22, 2018

Spam! We all hate it.

And that is why people have invented a gazillion ways to fight it.

Anti-spam systems range from SPF & RFC checks to Sender verification & Mail queue cleaners.

Every hosting company provides almost all of these tools to fight spam through administration panels such as cPanel, Plesk, DirectAdmin, etc.


The downside of too much choice

It’s good to have a large arsenal of anti-spam tools.

But for an uninitiated web user, all these tools look the same.

It can lead users to overlook strong anti-spam measures, choose the weak ones instead, and cause their mail servers to get blacklisted.


Here at Bobcares.com, our Support Engineers help web hosts, digital marketers, and other cPanel users maintain server security as part of our Outsourced Tech Support Services.

Today we’ll list the top 7 cPanel email security measures that have the most effect on blocking outgoing spam and IP blacklisting.


Quick primer – The mechanics of outgoing spam

Spammers use broadly two ways to send spam through a server:

  • Exploiting web application vulnerabilities: Spammers use unpatched vulnerabilities to upload spam scripts or bots. These scripts then follow external commands to send out spam mails.
  • Using stolen email logins: Attackers use phishing or brute force to obtain email account login details. These are then used to send out spam through SMTP authentication.

So, to block spamming, the anti-spam measures must address these two exploit channels.

Now, let’s look at the details.


1. Restrict outgoing SMTP connections to Exim & Mailman

Spam scripts connect to port 25 of remote mail servers to send spam.

If left unchecked, this is an open playing field for malware to send spam anywhere they want.

That is why here at Bobcares, we enable SMTP connection restriction in the servers we support. It limits outgoing port 25 connections to only the Exim server and the Mailman mailing list software.

This forces all web scripts to send mails via the Exim server, which allows us to keep track of how many mails were sent by each user.


2. Limit the number of mails allowed per hour

Let’s assume that despite all our precautions, a spam script did indeed manage to get into the server.

It’ll try to blast out thousands of mails an hour. If these mails land in spam detectors, the mail server IP will be blacklisted.

To prevent that, we set a limit on the number of mails that can go out per hour for any account.

We’ve found that most domains do not send more than 50 mails an hour. So we set the default mail limit as 50 for all cPanel accounts.

For users that need more than that, we increase it on a case-by-case basis.

This per-account limit works only because the “SMTP restriction” explained above forces every outgoing mail through Exim, where it can be counted.

Together, these two measures prevent IP blacklisting even if spamming does happen.
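Measures 1 and 2 only pay off if someone actually reads the counts that Exim now records. The script below is an added example (not cPanel's or Bobcares' own tooling) of that accounting: it assumes cPanel's stock Exim log format, where every accepted message produces one “<=” line naming either the authenticated mailbox (A=dovecot_login:user) or, for mail injected by a local script or cron job, the system user it ran as (U=cpaneluser), and it flags any identity that exceeded the 50 per hour ceiling. The log lines it runs on are constructed.

```python
"""Count accepted messages per sender per hour from exim_mainlog lines.

Added example (not cPanel's or Bobcares' code). Assumes cPanel's stock Exim
log format: one "<=" line per accepted message, tagged A=authenticator:mailbox
for SMTP AUTH or U=systemuser for locally injected (script/cron) mail.
"""
import re
from collections import defaultdict
from datetime import datetime

HOURLY_LIMIT = 50  # the default ceiling the article applies to every account

RECEIVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= (?P<from>\S+)(?P<rest>.*)$"
)
AUTH_RE = re.compile(r"\bA=\w+:(?P<user>\S+)")    # SMTP AUTH: authenticator:mailbox
LOCAL_USER_RE = re.compile(r"\bU=(?P<user>\S+)")  # locally injected: system user


def sender_identity(rest):
    """Pick the identity a message is charged to, or None if neither tag is present.

    Authenticated SMTP is attributed to the mailbox that logged in; mail handed
    to Exim by a script is attributed to the cPanel user the script ran as.
    The envelope sender is deliberately ignored because spam scripts forge it.
    """
    m = AUTH_RE.search(rest)
    if m:
        return "auth:" + m.group("user")
    m = LOCAL_USER_RE.search(rest)
    if m:
        return "local:" + m.group("user")
    return None


def hourly_counts(log_lines):
    """Map (identity, 'YYYY-MM-DD HH:00') -> messages accepted in that hour."""
    counts = defaultdict(int)
    for line in log_lines:
        m = RECEIVED_RE.match(line)
        if not m:
            continue  # delivery ("=>"), defer and reject lines are not receipts
        who = sender_identity(m.group("rest"))
        if who is None:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        counts[(who, ts.strftime("%Y-%m-%d %H:00"))] += 1
    return counts


def over_limit(log_lines, limit=HOURLY_LIMIT):
    """Return [(identity, hour, count)] for everyone who exceeded `limit`."""
    return sorted(
        (who, hour, n)
        for (who, hour), n in hourly_counts(log_lines).items()
        if n > limit
    )


def _constructed_sample():
    """Constructed log lines: a script blasting mail plus one normal user."""
    lines = []
    for i in range(60):  # PHP script running as cPanel user "webshop", one mail a minute
        lines.append(
            f"2018-09-22 10:{i:02d}:05 1g3AbC-0001{i:02d}-Qz <= noreply@example.com "
            f"U=webshop P=local S=812"
        )
    for i in range(3):  # a real person sending through authenticated SMTP
        lines.append(
            f"2018-09-22 10:2{i}:30 1g3AbD-0001{i:02d}-Rx <= alice@example.com "
            f"H=(laptop) [198.51.100.5] P=esmtpsa A=dovecot_login:alice@example.com S=2048"
        )
    lines.append(  # a delivery line, which must not be counted
        "2018-09-22 10:30:00 1g3AbE-000130-St => bob@example.net R=lookuphost T=remote_smtp"
    )
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    for who, hour, n in over_limit(SAMPLE_LOG):
        print(f"{who} sent {n} messages in hour {hour} (limit {HOURLY_LIMIT})")
```

On a live server the same functions can be run over the tail of /var/log/exim_mainlog from cron; the point of keying on the U= and A= tags rather than the From address is that a spam script chooses its own envelope sender, but it cannot choose which cPanel user it runs as.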


3. Enable a Web application firewall

The majority of spam attacks utilize spam scripts or bots, which are uploaded through web application vulnerabilities.

In the cPanel servers we support, we prevent such malware uploads by using Web Application Firewalls such as mod_security or ComodoWAF.

We integrate it with malware scanning software like ClamAV + Sanesecurity, so that all attempts to upload malware are promptly blocked.


4. Set up malware scanning & quarantine based on file creation

A web application firewall can block malware uploaded through web applications.

But what about files uploaded through compromised FTP accounts?

To block any malware uploaded through other methods (e.g. WebDisk), we use malware scanning based on file system changes.

We use a Linux feature called “inotify” to start a malware scan whenever a new file is created in website directories.

The anti-malware tool will quarantine the spam script, thereby preventing any spam from being sent.
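To make the inotify trigger concrete, here is an added example (not cPanel's, ClamAV's or Bobcares' code) of the whole loop: an inotify watch on a directory, a scan of each file as soon as it has been written or moved in, and a quarantine step that moves a flagged file out of the web root and strips its permissions. The signature check is a constructed toy heuristic standing in for a real scanner such as ClamAV with the Sanesecurity signatures; the watch() function talks to the Linux inotify syscalls through libc and so only runs on Linux, while demo() exercises the scan and quarantine path on constructed files anywhere.

```python
"""Scan files on creation and quarantine spam scripts.

Added example (not cPanel's, ClamAV's or Bobcares' code). watch() uses the
Linux inotify syscalls via libc; the marker check is a constructed stand-in
for a real scanner such as ClamAV with Sanesecurity signatures.
"""
import ctypes
import os
import shutil
import struct
import tempfile
import time
from pathlib import Path

# Constructed toy markers: two or more in one script file counts as suspicious.
SUSPICIOUS_MARKERS = (b"base64_decode(", b"mail(", b"eval(")
SCAN_SUFFIXES = {".php", ".phtml", ".pl", ".py", ".cgi"}

# Event bits from <sys/inotify.h>: a file finished being written, or was moved in.
IN_CLOSE_WRITE = 0x00000008
IN_MOVED_TO = 0x00000080
EVENT_HEADER = "iIII"  # wd, mask, cookie, name length


def looks_like_spam_script(path):
    """Toy detection: scannable suffix and at least two markers in the content."""
    path = Path(path)
    if path.suffix.lower() not in SCAN_SUFFIXES:
        return False
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return sum(marker in data for marker in SUSPICIOUS_MARKERS) >= 2


def quarantine(path, quarantine_dir):
    """Move the file out of the web root and drop every permission bit."""
    path, quarantine_dir = Path(path), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / f"{int(time.time())}_{path.name}"
    shutil.move(str(path), str(dest))
    dest.chmod(0o000)  # unreadable and unexecutable until an admin reviews it
    return dest


def handle_new_file(path, quarantine_dir):
    """Scan one newly written file; return the quarantine path, or None if clean."""
    if looks_like_spam_script(path):
        return quarantine(path, quarantine_dir)
    return None


def watch(directory, quarantine_dir, max_events=None):
    """Scan every file written or moved into `directory` (Linux only).

    One watch covers one directory; a deployment adds a watch for every
    directory under each document root and re-adds them as new ones appear.
    """
    libc = ctypes.CDLL("libc.so.6", use_errno=True)
    fd = libc.inotify_init()
    if fd < 0:
        raise OSError(ctypes.get_errno(), "inotify_init failed")
    wd = libc.inotify_add_watch(fd, str(directory).encode(), IN_CLOSE_WRITE | IN_MOVED_TO)
    if wd < 0:
        raise OSError(ctypes.get_errno(), "inotify_add_watch failed")
    handled = 0
    try:
        while max_events is None or handled < max_events:
            buf = os.read(fd, 4096)
            offset = 0
            while offset < len(buf):  # a read may return several packed events
                _wd, _mask, _cookie, name_len = struct.unpack_from(EVENT_HEADER, buf, offset)
                offset += struct.calcsize(EVENT_HEADER)
                name = buf[offset:offset + name_len].split(b"\0", 1)[0].decode()
                offset += name_len
                handled += 1
                if name:
                    result = handle_new_file(Path(directory) / name, quarantine_dir)
                    if result:
                        print(f"quarantined {name} -> {result}")
    finally:
        os.close(fd)


def demo():
    """Constructed spam script and clean file in a temp docroot; scan both."""
    root = Path(tempfile.mkdtemp())
    docroot, qdir = root / "public_html", root / "quarantine"
    docroot.mkdir()
    bad = docroot / "wp-cache.php"
    bad.write_bytes(b"<?php // constructed sample\n$x = base64_decode($y); mail($a, $b, $c); ?>")
    good = docroot / "index.php"
    good.write_bytes(b"<?php echo 'hello'; ?>")
    bad_result = handle_new_file(bad, qdir)
    good_result = handle_new_file(good, qdir)
    outcome = {
        "bad_quarantined": bad_result is not None and bad_result.exists() and not bad.exists(),
        "bad_mode": bad_result.stat().st_mode & 0o777 if bad_result else None,
        "good_untouched": good_result is None and good.exists(),
    }
    shutil.rmtree(root)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Watching on IN_CLOSE_WRITE rather than IN_CREATE matters: on creation the file is usually still empty, so a scanner fired at that moment sees nothing and the script slips through once the upload finishes.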


5. Scan outgoing mail

By implementing all measures till this point, we’ve covered pretty much all possibilities of spam sent through scripts.

That leaves spam sent through compromised email accounts.

Spammers steal mail passwords through compromised PCs, network sniffing, or through brute force attacks.

Then they use these legitimate email logins to send spam through the server.

To combat this issue, we set up outgoing mail scanning.

By default cPanel scans only incoming mails. Outgoing mail scanning will apply all anti-spam filters to authenticated outgoing mails as well.

This setting, along with the mail rate limit, will pretty much lock down outgoing spam.


6. Set up brute force detection

A favorite method for hackers to get login details is brute forcing.

Attack bots send hundreds of passwords a minute on email accounts, FTP accounts or web applications to break into the server.

Such behavior stands out from normal legitimate logins, and can be detected by a brute force detector like LFD or cpHulk.

We configure and tweak these brute force detectors so that legitimate users who forgot their passwords are not blocked, while actual attackers are banned.
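The tuning described here, banning bots without locking out a user who mistyped a password, is the interesting part of any brute force detector, so the following added example (not LFD's, cpHulk's or Bobcares' code) shows one way to express it. It assumes the failure line cPanel's Exim writes to exim_mainlog for a failed SMTP AUTH (“dovecot_login authenticator failed for (host) [ip]:port: 535 Incorrect authentication data (set_id=user)”), keeps a sliding window of failures per IP, and applies two thresholds: a generous one when every failure is for the same mailbox, and a much lower one when the IP is cycling through different mailboxes. The thresholds and the log lines are constructed.

```python
"""Sliding-window brute-force detector over cPanel Exim auth-failure lines.

Added example (not LFD's, cpHulk's or Bobcares' code). Assumes the exim_mainlog
line cPanel writes for a failed SMTP AUTH; thresholds are constructed defaults.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ authenticator failed for "
    r"\(.*?\) \[(?P<ip>[^\]]+)\](?::\d+)?: 535 .*\(set_id=(?P<user>[^)]*)\)"
)


class BruteForceDetector:
    """Block an IP that piles up login failures inside a sliding window.

    A person retrying a forgotten password fails for one mailbox, so the
    single-mailbox threshold is generous; a bot walking a list of accounts
    fails for many mailboxes, which no legitimate client does, so that
    pattern is blocked much earlier.
    """

    def __init__(self, window=timedelta(minutes=5),
                 single_user_threshold=20, multi_user_threshold=8):
        self.window = window
        self.single = single_user_threshold
        self.multi = multi_user_threshold
        self.failures = defaultdict(deque)  # ip -> (timestamp, mailbox) inside the window
        self.blocked = {}                   # ip -> timestamp of the block decision

    def feed(self, line):
        """Consume one log line; return the IP if this line triggered a block."""
        m = FAIL_RE.match(line)
        if not m:
            return None  # successful logins, receipts, deliveries: not failures
        ip = m.group("ip")
        if ip in self.blocked:
            return None
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        recent = self.failures[ip]
        recent.append((ts, m.group("user")))
        while recent and ts - recent[0][0] > self.window:
            recent.popleft()  # age out failures older than the window
        mailboxes = {user for _, user in recent}
        if len(recent) >= self.single or (len(mailboxes) > 1 and len(recent) >= self.multi):
            self.blocked[ip] = ts
            return ip
        return None


def scan(lines, **thresholds):
    """Run a fresh detector over `lines`; return the sorted list of blocked IPs."""
    detector = BruteForceDetector(**thresholds)
    for line in lines:
        detector.feed(line)
    return sorted(detector.blocked)


def _constructed_sample():
    """Constructed lines: a user mistyping a password, then a bot walking mailboxes."""
    base = datetime(2018, 9, 22, 10, 0, 0)
    lines = []
    for i in range(5):  # bob: 5 wrong passwords for his own mailbox over 3 minutes
        t = base + timedelta(seconds=40 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} dovecot_login authenticator failed for (bobs-laptop) "
                     f"[198.51.100.5]:50123: 535 Incorrect authentication data (set_id=bob@example.com)")
    for i in range(10):  # bot: a different mailbox every 6 seconds
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} dovecot_login authenticator failed for (unknown) "
                     f"[203.0.113.7]:{40000 + i}: 535 Incorrect authentication data (set_id=user{i}@example.com)")
    lines.append("2018-09-22 10:04:00 1g3AbF-000140-Uv <= bob@example.com H=(bobs-laptop) "
                 "[198.51.100.5] P=esmtpsa A=dovecot_login:bob@example.com S=900")  # success, ignored
    return lines


SAMPLE_LOG = _constructed_sample()

if __name__ == "__main__":
    print("blocked:", scan(SAMPLE_LOG))
```

The two knobs map onto what the article calls tweaking: raising single_user_threshold is what keeps the forgetful user connected, while multi_user_threshold can stay low because cycling mailboxes is only ever a bot. A deployment would feed the returned IP to the firewall and expire the block after a while instead of keeping it in a dictionary.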


7. Set up 24/7 monitoring and emergency response

Now, in ideal conditions, everything we’ve said till now should work, no spam would go out, and the IP shouldn’t be blacklisted.

But what if there’s a new kind of spam or malware that’ll evade the checks and get into the server? What if the blacklist spam traps increase their sensitivity?

That is why we provide 24/7 monitoring & emergency response for our customers.

Server experts manually verify each alert within 10 minutes, and if we detect a spam mail campaign, we quickly log in to the server, clear out the spam, and block the affected account.

We then work with the website owner to fix the vulnerable web application or reset the logins to any compromised user accounts.


Conclusion

Software vendors have built up a dazzling array of anti-spam tools to fight spam. Ironically, it’s this wide range of options that confuses users and makes them overlook strong measures, adopt weak solutions, and leave their server vulnerable to spamming. Today, we’ve had a fresh look at cPanel email security, where we’ve listed the top 7 effective measures our Support Engineers have used in web hosting servers.
