Tweak Settings disabling BoxTrapper by default

Feature Importer shared this idea 4 years ago
Open Discussion

As a Server Administrator, I want to have the Tweak Settings disabling BoxTrapper by default, so that boxtrapper challenge mail is not spamming customers.

BoxTrapper turns any cPanel machine into a spam server. The reason is simple. Spammers always spoof the FROM email address. To avoid being blocked by spamfilters (using sender verification callouts) they generally try to ensure that the fake FROM address used actually does exist somewhere. BoxTrapper sends a challenge/response email to every spoofed (existing) FROM address. Hence for every spam message cPanel receives it sends a spam out itself to the unknowing user who's email address happens to be abused at random by the spammer.

Many spamfilters will actually block servers that are running such a challenge/response system exactly for that reason.

This is a feature that has been migrated over from the cPanel Forums. All previous comments and discussions concerning this feature can be located at:

http://forums.cpanel.net/f145/removal-cpanel-spam-feature-boxtrapper-161558.html

Comments (7)

photo
2

Definitely agree, many webhosters are disabling BoxTrapper due to the reason you just explained. Unfortunately Spammers are smarter than BoxTrapper, BoxTrapper was a cool feature, now it's useful only to quickly set the server IP as blacklisted.

photo
1

I second this. BoxTrapper dont work as a filter anymore. Spammers have become smarter, but BoxTrapper is still working like in 2006 and users dont want to deal with blocked emails; they want a proactive filter.

BoxTrapper should come disabled. And prepare to be deprecated before 11.40.

Some graylisting tactic should replace BoxTrapper for those who want to enable this kind of filtering.

photo
1

utter rot. boxtrapper works well. my users do want to have control over their filters. it is proactive filtering without the user setting the bounds which is the scurge of the internet. my users want to decide for themselves what is spam and what is not, and what emails they will/will not receive. i for one, do not want it disabled, and neither do i want it gone. in fact, it is a major selling point of my email service, to consumers and businesses alike. if anyone doesnt like boxtrapper, they dont have to use it. theres nothing forcing you to use boxtrapper. and it can be disabled by individual users. kindly stop trying to spoil things for the rest of us through your personal prejudice.

photo
1

I would suggest tighter integration with Spamassassin, perhaps requiring spamassassin if boxtrapper is enabled, incorporate the white/blacklists from boxtrapper into SA, An option to sa-learn from the Boxtrapper queue, an option to automatically sa-learn --spam for the non-verified emails as they expire from the queue, sa-learn --spam as addresses are blacklisted.. the better you get SA working, the less outbound verification will be sent.

photo
2

Yes by Default there should not be any boxtrapper on server as it is another method to send spam . Enabling boxtrapper itself means getting IP address Blacklisted. This is not cool !

photo
1

All that needs to happen is for anti spam software and databases to recognise boxtrapper is set up on the account and then cease flagging boxtrapper measures as spam activity. Ironically Mailchannels for example will stop you sending spam, but let all externally sourced spam fill up your mailbox whilst also happily blocking all mail from your address by falsely blacklisting your address for spam activity thanks to boxtrapper mails.. i would like to remind everyone that falsely accusing anyone of sending spam in the USA has been against the law since the late 90s. Therefore, any such action taken against a boxtrapper user stateside can lead to succesful legal challenge, inclusive of a class A lawsuit.

photo
1

BoxTrapper is a great tool, and I've specifically signed up with a hosting provider just because it had NOT disabled it. I agree that the challenge/response aspect of BoxTrapper may have outgrown its usefulness and possibly become a liability, owing to backscatter. But this is easily disabled (as I have done) by setting the verify message to be blank (CPanel should make an explicit disable flag for challenge/response but meanwhile, this works).

The best part of BoxTrapper is its ability to have whitelists (and, less usefully, blacklists) and the automatic whitelisting upon sending outgoing email is a nice plus. The problem with SpamAssassin and its ilk is that I never EVER want email from a known good sender to be blocked (false positives), and there is always some possibility of that with heuristic tests used by SpamAssassin. However, BoxTrapper allows me to do that (for those who come up with the irrelevant observation that spammers can and do forge the sender email, the chance of a spammer using an email address that happens to be on my whitelist are next to zero--perhaps 1 spam email a year out of about 20,000 gets through that way).

In addition, BoxTrapper has a simple way to allow import/export of address books in bulk (some other systems make you enter one address at a time, which is absurd for any reasonably sized contact list).

And compared to the amount of resources taken up by having to analyze every single email that comes in with SpamAssassin or similar, a quick whitelist check is very low resource.

It would be a huge mistake to eliminate BoxTrapper or even to disable its installation on the server (few hosting companies would bother to change the default and a good tool would remain unused). However the hosting companies may well choose to disable it by default at the user level, since not all users will be comfortable configuring it. Also, it may not be a bad idea to disable (and even deprecate) the challenge/response part of it by default.

Unfortunately, BoxTrapper has the perception problem of being primarily a challenge/response mechanism (with the problems associated with it), whereas in reality it's a whitelist manager, and if thought of and used as such, it's a simple and very effective solution.

A combination of BoxTrapper to ensure delivery of whitelisted entries followed by SpamAssassin to filter all the others is a great combination. I can check SpamAssassin junkmail quarantine area for any good email from new senders that may have been incorrectly flagged, knowing that all known good senders will never be incorrectly flagged.