cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!
This object is in archive! 

As a host, I want to be able to disable outbound email for an account when it has been compromised

Hostiso shared this idea 5 years ago
Completed

As this is merged with other feature request (https://features.cpanel.net/topic/disable-email-accounts) I am starting new feature request.


Please implement easy way to disable completely email function for cPanel account, because for example in case WP hack (and this is extremely common) hackers upload files etc. and try to send mass amount of spam emails without need for cPanel email account.


We all know about some exim changes etc. but they are not working mostly on latest cPanel and for most users are complicated to implement or they do not wish to risk to broke something.


Disabling email account in cPanel is not helping at all anything as they mostly do not use email accounts to send emails at all.

Best Answer
photo

This is available in cPanel & WHM version 56. You can read about these API calls here:


https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+hold_outgoing_email

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+release_outgoing_email

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+suspend_outgoing_email

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+unsuspend_outgoing_email


Comments are now locked, but if you require any assistance you can open a ticket with our support team, email me (benny@cpanel.net) or ask me on twitter (@cpaneldev).

Comments (77)

photo
1

Do email clients know the difference between 'access denied' and 'please change your password' ?

photo
1

I don't think so. We've been changing passwords in WHM to stop the break out and then contacting the customer for the followup.


As far as an email client is concerned, it can either send or refuse a message. The refusal can because of credential problems or other relaying denied problems.

photo
2

An automated way to stop hacked mail accounts from sending mail would be great.

photo
2

This can currently be accomplished via the Exim Configuration Editor within WHM. Tristan made a pretty good post detailing the steps you'd take to block one domain name from sending mail from the server which you can find here: http://forums.cpanel.net/f5/how-do-i-block-one-domain-sending-email-my-server-223731.html#post920912


It sounds like this is the kind of thing you're looking for as it would allow you to block off the affected domain, instead of stopping exim completely, while you investigate the issue.

photo
4

Thanks for the link.


But as an WHM administrator is very important to have simple tools to monitor and to act on the problem.


So the feature request should be a mail control panel page (screen size) to monitor and disable/enable sending/receiving mail accounts or domains.


When we have several mail accounts from different domains sending mails (hijacked) to yahoo, google, ... etc . we must have a quick and efficient way to detect and stop the problem. The result is the IP is blacklist on the google servers.


And now if I want to be removed from the blacklist I must change the IP of the server to a new one and that is complicate because of the WHM license it's attached to the IP.


I think tweaking the files must be always a last resort.


Best regards,


Daniel Pereira

photo
6

Being able to suspend and disable email on a domain as well as individual email account level is very much needed for spam control. This should include the default account for a domain. Hard to believe this has not been added yet.

photo
3

I agree, in most cases you dont want directly to shut down the website of the client, but you would want to stop any mail from being send out by simply flipping a switch.

photo
1

It will be nice

photo
2

suggested way to resolve this by entering -1 in the max.emails per hour (as 0 will set it to unlimited -1 seems to be good way).


it should stop ALL mail send from the account (thus including, subdomains & addon domains)


This would also be nice for accounts which only host a site and never have to 'send' mail through the server.

photo
1

Nathan Lierbo wrote:

This can currently be accomplished via the Exim Configuration Editor within WHM. Tristan made a pretty good post detailing the steps you'd take to block one domain name from sending mail from the server which you can find here: http://forums.cpanel.net/f5/how-do-i-block-one-domain-sending-email-my-server-223731.html#post920912


It sounds like this is the kind of thing you're looking for as it would allow you to block off the affected domain, instead of stopping exim completely, while you investigate the issue.

this solution does not work anymore in 11.40+ according to cPanel - so only solution for now would be setting the hourly emails to 1 and let some mail pass through during the time the client fixes it ; this is not really a good thing so this feature is very much needed.

photo
2

I agree this feature would be nice to have. Dealing with misbehaving email accounts is a common every-day admin task for any company with more than a few accounts, and having the ability to quickly see and manage individual email accounts would be fantastic.


In fact, one could say this feature would be exactly the reason cpanel exists... (to help admin handle day to day tasks.

photo
2

Disabling a specific email account is generally as easy as just changing it's password. Being able to disable all outbound email for a particular cPanel account would be much more useful IMHO.

photo
2

MikeDVB wrote:

Disabling a specific email account is generally as easy as just changing it's password. Being able to disable all outbound email for a particular cPanel account would be much more useful IMHO.
true, but it still would alow a spam script to fill up your queue ; it does not need a password for that.

photo
1

Yeah . .. I second this feature request..

photo
2

Disabling domain accounts is useful, but it is more important to have the option to disable the system account (which is what scripts usually use) from sending mail.

photo
2

Agreed. I just spent 4 hours trying to find a way to turn off the email for a specific domain. I followed all the threads on here and failed. So strange placing all these obstacles up and still I'm watching the domain spit out email! So now my only alternative is to shut the domain down!

photo
1

Yes, it is a MUST! Highly appreciated...

What do you think cPanel? When can we get it?

photo
1

The users don't need to see the actual reason here, which may simplify implementation. This is merely an admin thing, to make it easier to lock email accounts.


A very quick first pass attached, needs work to make it check parameters properly and give decent error messages etc, may have time to update it further by the time you look: https://gist.github.com/brianoz/11239130#file-lockemailpass

photo
1

CPanel is a leading control panel and a lot of SPAM flows through the CPanel Servers every hour.

Its not a big deal for CPanel to create a script which changes the password of the spamming emailid or the spamming account.

Just by adding this simple feature a great deal of spam will be stopped and so much human resources will be saved.

photo
1

As we see more spamming all the time from Joomla and other scripts and not always easy to find the source, this feature should have been implemented already by cPanel!


Should really be able to change the setup so one account cannot send emails via API/WHM.

photo
1

mod-note: I just mistakenly merged the original request INTO a duplicate request that just arrived...rather than merging that dup into the original request. I apologize for any confusion my merge mistake may cause.


I've ensured that all comments, "good point"s and votes for/against have been preserved. We should be good to go. Please do let me know if you spot any problems I need to fix.

photo
1

Plesk/SmarterMail is providing such feature, We do have windows server with plesk control panel with and Smartermail,


In the SmarterMail Panel, We can disable a hacked/Compromised at a time, and then start further investigation. this way we can prevent further spamming and Server's Mail IP being blocked on Many RBLs watcher and Senderbase.org IP reputation watcher,

cPanel is leading Webhosting Control Panel for Web Hosting Industries, for being leading hosting control panel in the world should consider about this feature, Should Implement in next release version, Hoping this feature will be added soon.

photo
1

Nathan Lierbo wrote:

This can currently be accomplished via the Exim Configuration Editor within WHM. Tristan made a pretty good post detailing the steps you'd take to block one domain name from sending mail from the server which you can find here: http://forums.cpanel.net/f5/how-do-i-block-one-domain-sending-email-my-server-223731.html#post920912


It sounds like this is the kind of thing you're looking for as it would allow you to block off the affected domain, instead of stopping exim completely, while you investigate the issue.

Hi,

Have gone through the article posted by Tristian,


This will block entire domain, That we don't want, what if any client's office have

5 computers, and each computer has 5 different mail id is configured in outlook or any other email client, and any particular's mail ids compromised and used to sending out spam, why should be entire domain ?

photo
2

Further, We found that Google Apps Business Is also providing this feature, I have just seen this


Suspend John

This user will not be able to:

  • Login to John.net
  • Access services like Gmail, Drive, Calendar, but data will not be deleted
  • Receive invites sent to Gmail and Calendar

You will be able to activate this user later


>>>

This is the feature Which every cPanel user's want to implement.

photo
1

Maybe I haven't understood this correctly, but if a single e-mail account is sending spam, isn't it likely that the spammer has got the password for this account ? Even if it's a users computer thats connecting and not the spammers, if the spammer controls the user's computer, what's preventing him from installing a keylogger or something similar to email himself the password. In this case, why would you :


1) disable account

2) change password


Why not directly change the password ?


Surely if you don't trust your customer to not change the password back then you should't allow him access to anything, thus also changing his cpanel password too ?

photo
1

Has nothing to do with passwords. Has to do with exploited php scripts, where the script can be used to send spam via PHP, OR, where the site has been hacked and a malicious script installed to send spam via PHP request.


We DESPERATELY need a means to shut down a single domain from sending unauthorized email.

photo
4

Here's my basic understanding about what would be involved to bring this feature request to fruition:

Disabling an account means that...

  • it should become impossible for the end-user to change the password on the account
  • it should become impossible for the cpanel user responsible for that account to delete the disabled email account
  • all outbound email delivery attempts for emails queued up by that account should halt
  • it should remain possible to log in to webmail for that email account, however a "contact us for resolution" message should be shown.
  • it should remain possible to log in to that email account from a native client
  • an email message should arrive in the inbox for a disabled email account explaining what is going on and who to contact for resolution

It should be possible to disable...

  • an individual email account
  • all email accounts with the same @domain.tld suffix
  • all email accounts associated with a cpanel user account
  • all email accounts associated with a reseller and all of their associated cpanel user accounts
  • all email accounts on the system

photo
1

Hello,


If it's about PHP scripts then e-mail is not the only thing a hacker can do, he can run ddos attacks and scans on the serveur, install a php proxy script to hack other people using your serveur IP… for PHP scripts, the only viable way I know is to copy the users files outside of the directory accessilbe from internet and check the ftp logs to see if the user's FTP account needs a password change. A PHP script can potentialy send e-mail from any e-mail account specifying the -f additionnal parameter for the outgoing e-mail address so I don't think this feature would help at all for PHP scripts.


What cpanelAdamF has suggested makes sense though. Disable an acount from sending e-mail but allowing it to recieve e-mail and it's user to access his e-mail until the problem is resolved.


I now like this feature request and have voted for it :)


*mod-note: changed my username

photo
1

This is something we're investigating. A solution will need to ensure that misbehavior is blocked as well as provide a means for the end-user to know what's going on and potentially appeal the block.


please continue the conversation below. It helps us to design a solution which will meet your needs.

photo
2

It would be nice to also be able to disable mail sent from cpanelusername@servername.com [i.e. how php mail() functions] along with this.


That said this would be a good solution for us for email accounts that have had their credentials compromised and used to send spam. We see this from time to time due to people using weak passwords and/or non-secure methods of connection [no SSL or TLS] or a combination of the two.


Ultimately php mail() and smtp mail are two separate beasts but a way to disable email for a specific address, a specific domain, or the whole account [php mail() included, cPanel username email included] would be great.

photo
1

how often do you find the need to disable the 'default email account' (the one the system creates when a new cpanel account is created...scroll down to the bottom of the Email Accounts page in cPanel to see it) ?

photo
1

It's pretty common - we actually use an outbound scanning system where we blacklist the cPanel email [username@servername] to stop it now but it would be nice to be able to do it within WHM.

photo
1

Our main concern is Joomla/Wordpress scripts that are sending spam.

In the summer we have also seen alot of email account that have been hacked and used for spamming.

We would really appriciate a setting where we just could disable email on a whole account.

photo
2

cPanelAdamF wrote:

how often do you find the need to disable the 'default email account'
It is standard procedure for us to disable the default email account when we create a new cpanel account. It serves absolutely no purpose except to confuse our customers.

photo
1

If a compromised email account is sending out spam, it's not uncommon for the mail queue to become very large. Today I had 25,000+ messages in the mail queue from one compromised account. You can only display a maximum of 1,000 messages per page, so it takes a long time to delete them all. Can the solution include a mail queue clean-up utility ? As for blocking, I just change the PW and block the sending IPs using CSF/Configserver plugin.

photo
1

Grindlay, checkout ConfigServer Mail Queues plugin which has a great tool for mass deleting mails from queue using a search string.


I hope this feature gets more votes. Even with daily monitoring of the queues some times its too late and the high volume queue has direct impact on email dlays on the rest of the server domains.


We use 300-600 domain email limits per hour (configured via cPanel) depending on the client account size. CSF helps us detect high volume queues from specific domains and we act on them as soon as pssobiel. It would be great if cPanel can come up with a monitoring script/service/daemon that could act on (disable an account) based on queues/traffic patterns.

photo
1

I would like to blanket ban SMTP (outgoing) mail on the server but be able to turn on outgoing mail for specific accounts... Pushing clients to have to use their ISP's outgoing mail.. (many ISPs here in Canada already require that and block any use of alternate outgoing mailservers anyway)..

photo
1

I completely agree here, this is a must have.

photo
1

this is a must have if it's not already implemented. I can't find it anywhere though.

photo
1

Please implement this feature cPanel team!

photo
1

Hi, so 4 months ago was the last time cPanel responded and this request is over a year old, this strikes me as a fundamental feature!


A quick 1 click to not only suspend a user but the option to also to stop all email being sent from that cpanel account.


Where are we with this?

photo
1

This is certainly an important and needed feature. Some accounts I have should just not ever be able to send email out. It seems silly that i can control how many DBs an account has, but not if mail can be sent.


(edited to clean up some spelling/grammar)

photo
2

I could definitely use this feature, it's a pain having to try and block email from an account because their wordpress got hacked.

photo
2

I'd like to be able to disable email on a per mailbox basis. I have clients who pay a yearly fee for a mailbox on a specific domain, so disabling the whole domain isn't an option if an individual doesn't pay their yearly fee. I could change the password, but if I don't know the current password then that adds more work as I would then need to reset the password and inform the mailbox user of the new password. It would be nice to have an admin panel with a 'disable' checkbox beside each mailbox.

photo
1

+1 for this idea ,

photo
1

+1, Please add this feature. It would be great. As we are dealing with such accounts on daily basis and causing too much issues even few clients suggest to completly disable mail on their account.

photo
1

Great Idea... Waiting For This (Y)

photo
1

+10000000000000

photo
1

Are there other control panels which already implemented such a feature?

photo
1

I honestly don't know if any other's do that or not.


It could go either way disable email server wide and only enable it on specific domains or disable by domain

photo
1

I have this problem as well. I have accounts that will send out thousands of emails without the owner of the account even knowing. Sometimes the email rate is so high that the only way to stop it is to suspend the entire account. Sometimes suspending the entire account is not feasible because the client is actually a good client. Sometimes account owners can have bad scripts, plug-ins, themes, etc. installed into the websites that have bad files that send out thousands of emails. If we just have the option to stop just the emails and that will keep us from having to suspend the entire account.

photo
1

You can easily do and it with this one: http://www.configserver.com/cp/cmm.html

photo
1

Well said, chrisgrigg ! That's exactly our problem here... a few clients have Wordpress, and some theme or plugin has an as-of-yet unknown vulnerability which lets malware scripts in, which then mass-spam major email carriers like yahoo.


I can't kill the client's site; but there's no way to turn off email instantly. We basically have to hunt for the php malware, then change all pwds, then flush the queue, then wait for it to happen again.


So for a few of these clients, we've pulled all email hosting off, and just kept the web hosting part. So now we need to tell Exim to not process any mail for these "firewalled" cpanel accounts.

Sven, I don't see where CMM stops all email sending capability from a cpanel account?

photo
1

@paul When those sites are compromised are they using the local Exim for sending email, or are they sending directly from PHP?

photo
1

Really like this idea. Looks like there is also a suggestion thread going here, btw: https://features.cpanel.net/topic/disable-email-account

photo
1

I agree. This feature would be best be implemented via WHM where a setting will allow you to specify restricted aliases as we are able to do for subdomains however, I feel it is as important to allow a cPanel user to suspend email addresses too.


This would be great for when access to one specific email address is no longer required however, you wish for it to remain on the system in case access becomes required once again without the need to change passwords.

photo
1

This is one of most important options, I know for meany alternatives, but there should be some simple option where hosting provider etc. can must turn of email service for client quickly and easy.

photo
1

This is one of most important options, I know for meany alternatives, but there should be some simple option where hosting provider etc. can just turn of email service for client quickly and easy until problem is resolved.

photo
1

It seems like https://features.cpanel.net/topic/disable-email-account is basically the same request.

photo
1

Just one click and disable email account ............

photo
2

Yes, and this would more importantly turn off email for that user at the web script level too using phpmail etc. This is where most spam comes from , which makes it more difficult but doable I believe.

photo
1

Totally agree. Spamming is the most common reason of server issues.. (high load and blacklist problems to normal users..) and in most of the cases it is because of SCRIPTS...


It would be great if you can disable all mail functions for an specific account.


Sendmail

Phpmail

Cgi

Pop

Imap

photo
1

yes a setting where the specific spamming email account will be temporarily suspended for future investigations.

also make sure that both the client and reseller will be informed by the system.

photo
1

Grat feature request!!

photo
1

This isn't a court of law, why would you need to make an appeal process? Am I crazy for thinking that is a very odd suggestion...?

photo
1

Hi. We need another suspend account feature only for mail server, not including the web. Got it!?

photo
1

Good feature request. cPanel, please help make this possible ASAP. Thanks.

photo
1

Nice feature to disable outgoing email temporarily for a compromised email account.


Incoming may be suspended also, but optionally, if so, it would be nice to return an 4XX SMTP error with a custom message.


Ideally

photo
4

It would also be nice if an account goes over a threshold for Failed and Deferred that you could have the entire account suspended. This way if there is a script on a website that is out of control, or a mailing list that is not properly maintained it can't continue to do damage to the email reputation of the server.

photo
1

That's an amazing idea

photo
1

+1 for the idea, would be good to block an account/domain from sending e-mail (trough php and/or smtp) entirely, so you may inmediately stop the spam being sent, while you and your client can check and clean the site.


thanks.

photo
1

Very good idea. We had our reputation on the server damaged by one account.

photo
1

What are the current workarounds people use in order to achieve this right now?

photo
1

The last time this happened to us; we changed the person's email password that was hacked, and left their whole cPanel account up and running. (At first we suspended their entire cPanel account but realized this was too harsh). We then informed the user by a secondary email or phone call that their email account had been hacked, and that they would need to login and reset their password to get it working again, and that they should contact their IT support company for further help figuring out what device was compromised.


Also just provided them with some basic self help instructions on securing their email accounts, using TLS, and anti-virus etc...

photo
4

You need to know, that not only a hacked e-mail or compromised password can lead to these kind of issues. remember that spammers, or compromised accounts are usually sending spam trough PHP Function, without any required user/password.

photo
2

Can you clarify this now will this be only option to DISABLE EMAIL ACCOUNTS or it will be option also to disable complete email option for account that not even scripts can not send spam as this is bigger problem then just email accounts that in worst case you can delete, change pass etc. ???

photo
2

Hi all! An API call for this feature is coming with cPanel & WHM v56. We didn't have time to build a UI around it, but felt the calls were important enough to release without the UI. It will be quite simple to suspend all email accounts for a cPanel account without suspending the entire cPanel account. v56 is currently in EDGE and will hopefully be pushed to the CURRENT tier at the beginning of April. Once it does I'll make sure to update here with a link to the documentation!

photo
1

Will this only work for actual e-mail accounts ? or will also be possible to disable entire mail being sent from a cpanel account (php mail function) wich is the main source of spam in hacked accounts.?


thanks

photo
1

The API call acts on the cPanel user account and all subaccounts belonging to the cPanel user.

photo
1

So it will disable the PHP mail function's ability to send mail as well?

photo
1

If you have the following Tweak Setting enabled, it should


Prevent “nobody” from sending mail


If you are concerned about blocking legitimate mail, you can enable the following in the Exim Configuration Manager instead:


Query Apache server status to determine the sender of email sent from processes running as nobody

photo
1

I read that the users themselves will be able to enable/disable this feature from within cPanel, is that correct? This does not really help administrators if a decision to suspend email can be overridden by the user...

photo
2

Thank you so much for asking! This feature is separate and independent from the user-level suspend/un-suspend that already exists in v54. Users will not be able to override the new functionality.

photo
1

Thanks for the super fast clarification!

photo
1

No problem at all!

photo
1

Some example usage:


  1. # whmapi1 hold_outgoing_email user=nick
  2. ---
  3. metadata:
  4. command: hold_outgoing_email
  5. reason: OK
  6. result: 1
  7. version: 1
  8. # whmapi1 release_outgoing_email user=nick
  9. ---
  10. metadata:
  11. command: release_outgoing_email
  12. reason: OK
  13. result: 1
  14. version: 1
  15. # whmapi1 suspend_outgoing_email user=nick
  16. ---
  17. metadata:
  18. command: suspend_outgoing_email
  19. reason: OK
  20. result: 1
  21. version: 1
  22. # whmapi1 unsuspend_outgoing_email user=nick
  23. ---
  24. metadata:
  25. command: unsuspend_outgoing_email
  26. reason: OK
  27. result: 1
  28. version: 1

photo
1

This is available in cPanel & WHM version 56. You can read about these API calls here:


https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+hold_outgoing_email

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+release_outgoing_email

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+suspend_outgoing_email

https://documentation.cpanel.net/display/SDK/WHM+API+1+Functions+-+unsuspend_outgoing_email


Comments are now locked, but if you require any assistance you can open a ticket with our support team, email me (benny@cpanel.net) or ask me on twitter (@cpaneldev).

photo
1

This feature was completed in version 56, so I'm going to merge it into the feature request that it was tracked in. If you have questions, feel free to let me know!

Replies have been locked on this page!