cPanel email security – Most effective measures hand picked
Spam! We all hate it.
And that is why people have invented a gazillion ways to fight it.
Anti-spam systems range from SPF & RFC checks to Sender verification & Mail queue cleaners.
Every hosting company provides almost all of these tools to fight spam through administration panels such as cPanel, Plesk, DirectAdmin, etc.
The downside of too much choice
It’s good to have a large arsenal of anti-spam tools.
But for an uninitiated web user, all these tools look the same.
It can lead users to overlook strong anti-spam measures, choose the weak ones instead, and cause their mail servers to get blacklisted.
Today we’ll list the top 7 cPanel email security measures that have the most effect on blocking outgoing spam and preventing IP blacklisting.
Quick primer – The mechanics of outgoing spam
Spammers use broadly two ways to send spam through a server:
- Exploiting web application vulnerabilities: Spammers use unpatched vulnerabilities to upload spam scripts or bots. These scripts then follow external commands to send out spam mails.
- Using stolen email logins: Attackers use phishing or brute force to obtain email login details. These are then used to send out spam through SMTP authentication.
So, to block spamming, the anti-spam measures must address these two exploit channels.
Now, let’s look at the details.
1. Restrict outgoing SMTP connections to Exim & Mailman
Spam scripts connect to port 25 of remote mail servers to send spam.
If left unchecked, this is an open playing field for malware to send spam anywhere they want.
That is why here at Bobcares, we enable SMTP connection restriction in the servers we support. It limits outgoing port 25 connections to only Exim server and Mailman mailing list.
This forces all web scripts to send mails via the Exim server, which allows us to keep track of how many mails were sent by each user.
2. Limit the number of mails allowed per hour
Let’s assume that despite all our precautions, a spam script did indeed manage to get into the server.
It’ll try to blast out thousands of mails an hour. If these mails land in spam detectors, the mail server IP will be blacklisted.
To prevent that, we set a limit on the number of mails that can go out per hour for any account.
We’ve found that most domains do not send more than 50 mails an hour. So we set the default mail limit as 50 for all cPanel accounts.
For users that need more than that, we increase it on a case-by-case basis.
This is made possible only by enabling the “SMTP restriction” as we explained above.
Together, these two measures prevent IP blacklisting even if spamming does happen.
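As an added illustration (not code from the original post or from cPanel), the check below applies the per-hour limit from this section to Exim mainlog lines: it counts authenticated submissions (the "<=" lines carrying an A=authenticator:login field) per login and clock hour and reports any login that sent more than 50 in one hour. The log lines are constructed samples in the Exim mainlog layout; the 50-per-hour threshold is the default the post describes.

```python
import re
from collections import defaultdict

# Exim "message received" line ("<=") that arrived via SMTP AUTH, i.e. carries
# an "A=<authenticator>:<login>" field. Local script submissions have no A= field
# and are skipped here (cPanel's own limit also counts those per account).
_RX = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ <= \S+ .*?"
    r"\bA=\w+:(?P<login>\S+)"
)

def count_auth_sends_per_hour(lines):
    """Return {(login, 'YYYY-MM-DD HH'): count} for authenticated outbound mail."""
    counts = defaultdict(int)
    for line in lines:
        m = _RX.match(line)
        if m:
            counts[(m["login"], f"{m['date']} {m['hour']}")] += 1
    return dict(counts)

def accounts_over_limit(lines, limit=50):
    """Logins that exceeded `limit` messages within any single clock hour."""
    per_hour = count_auth_sends_per_hour(lines)
    return sorted({login for (login, _), n in per_hour.items() if n > limit})

# Constructed sample log: alice sends two normal mails, a local script sends one
# without authentication, and bob's stolen login blasts 60 mails in one hour.
SAMPLE_LOG = [
    "2024-05-01 09:12:03 1s2AbC-0001xY-Zq <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.com S=2140 id=a1@example.com",
    "2024-05-01 09:40:17 1s2AbD-0001xZ-Zr <= alice@example.com H=(laptop) [203.0.113.5] P=esmtpsa A=dovecot_login:alice@example.com S=1811 id=a2@example.com",
    "2024-05-01 10:05:00 1s2Bzz-0003cc-Dd <= carol@example.com U=carol P=local S=512 id=c1@example.com",
    "2024-05-01 10:05:01 1s2Bzz-0003cc-Dd => carol <carol@example.com> R=dovecot_virtual_delivery T=dovecot_virtual_delivery",
] + [
    f"2024-05-01 10:{i:02d}:{(i * 7) % 60:02d} 1s2B{i:02d}-0002aa-Bb <= bob@example.com H=(bot) [198.51.100.77] P=esmtpa A=dovecot_plain:bob@example.com S=900 id=b{i}@example.com"
    for i in range(60)
]

if __name__ == "__main__":
    print("over limit:", accounts_over_limit(SAMPLE_LOG))
```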
3. Enable a Web application firewall
The majority of spam attacks utilize spam scripts or bots, which are uploaded through web application vulnerabilities.
In the cPanel servers we support, we prevent such malware uploads by using Web Application Firewalls such as mod_security or ComodoWAF.
We integrate it with malware scanning software like ClamAV + Sanesecurity, so that all attempts to upload malware are promptly blocked.
4. Set up malware scanning & quarantine based on file creation
A web application firewall can block malware uploaded through web applications.
But what about files uploaded through compromised FTP accounts?
To block any malware uploaded through other methods (e.g. WebDisk), we use malware scanning based on file system changes.
We use a Linux feature called “inotify” to start a malware scan whenever a new file is created in website directories.
The anti-malware tool will quarantine the spam script, thereby preventing any spam from being sent.
5. Scan outgoing mail
By implementing all measures till this point, we’ve covered pretty much all possibilities of spam sent through scripts.
That leaves spam sent through compromised email accounts.
Spammers steal mail passwords through compromised PCs, network sniffing, or through brute force attacks.
Then they use these legitimate email logins to send spam through the server.
To combat this issue, we set up outgoing mail scanning.
By default cPanel scans only incoming mails. Outgoing mail scanning will apply all anti-spam filters to authenticated outgoing mails as well.
This setting, along with the mail rate limit, will pretty much lock down outgoing spam.
6. Set up brute force detection
A favorite method for hackers to get login details is brute forcing.
Attack bots send hundreds of passwords a minute on email accounts, FTP accounts or web applications to break into the server.
Such a behavior stands out from the normal legitimate logins, and can be detected by a brute force detector like LFD or cpHulk.
We configure and tweak these brute force detectors so that legitimate users who forgot their passwords are not blocked, while actual attackers are banned.
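As an added example (not code from the original post, nor from LFD or cpHulk), the detector below shows the distinction this section describes, applied to the Exim "authenticator failed" lines that cPanel servers log for failed SMTP AUTH attempts: an IP is flagged only when, within a sliding window, it either piles up many failures or cycles through several distinct accounts, so a user who mistypes one password a few times is left alone. The window and thresholds are assumed values, and the log lines are constructed samples in the Exim format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Exim logs a failed SMTP AUTH as:
#   <date> <time> <authenticator> authenticator failed for (<helo>) [<ip>]: 535 Incorrect authentication data (set_id=<login>)
_FAIL_RX = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \w+ authenticator failed for \(.*?\) "
    r"\[(?P<ip>[^\]]+)\]: 535 .*?\(set_id=(?P<login>[^)]*)\)"
)

def detect_brute_force(lines, window=timedelta(minutes=5), max_failures=20, max_accounts=5):
    """Return {ip: reason} for source IPs that should be blocked.

    Assumed thresholds: `max_failures` failed logins, or attempts against
    `max_accounts` distinct logins, inside one sliding `window`.
    """
    attempts = defaultdict(deque)   # ip -> (timestamp, login) pairs still inside the window
    flagged = {}
    for line in lines:
        m = _FAIL_RX.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = attempts[m["ip"]]
        q.append((ts, m["login"]))
        while q and ts - q[0][0] > window:   # expire attempts older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged.setdefault(m["ip"], f"{len(q)} failed logins in {window}")
        elif len({login for _, login in q}) >= max_accounts:
            flagged.setdefault(m["ip"], f"{max_accounts}+ distinct accounts tried in {window}")
    return flagged

def _fail(ts, ip, login):
    return (f"{ts} dovecot_login authenticator failed for (mail.example.com) [{ip}]: "
            f"535 Incorrect authentication data (set_id={login})")

# Constructed sample: alice fumbles her password 4 times (legitimate); one host tries
# 25 different accounts in a minute; another hammers one mailbox 30 times in 3 minutes.
SAMPLE_LOG = (
    [_fail(f"2024-05-01 08:00:{s:02d}", "203.0.113.5", "alice@example.com") for s in (5, 20, 41, 58)]
    + [_fail(f"2024-05-01 08:10:{s:02d}", "198.51.100.77", f"user{s}@example.com") for s in range(25)]
    + [_fail(f"2024-05-01 08:2{s // 10}:{s % 10 * 6:02d}", "192.0.2.9", "admin@example.com") for s in range(30)]
)

if __name__ == "__main__":
    for ip, why in detect_brute_force(SAMPLE_LOG).items():
        print(f"block {ip}: {why}")
```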
7. Set up 24/7 monitoring and emergency response
Now, in ideal conditions, everything we’ve said till now should work, no spam would go out, and the IP shouldn’t be blacklisted.
But what if there’s a new kind of spam or malware that’ll evade the checks and get into the server? What if the blacklist spam traps increase their sensitivity?
That is why we provide 24/7 monitoring & emergency response for our customers.
Server experts manually verify each alert within 10 minutes, and if we detect a spam mail campaign, we quickly log in to the server, clear out the spam, and block the affected account.
We then work with the website owner to fix the vulnerable web application or reset the logins to any compromised user accounts.
Software vendors have built up a dazzling array of anti-spam tools to fight spam. Ironically, it’s this wide range of options that confuses users and makes them overlook strong measures, adopt weak solutions, and leave their server vulnerable to spamming. Today, we’ve had a fresh look at cPanel email security, where we’ve listed the top 7 effective measures our Hosting Support Engineers have used in web hosting servers.