
X-Get-Message-Sender-Via should have option to be removed from email header for security reason

gentlebz shared this idea 7 years ago
Completed

We found a security information leak in our email headers: X-Get-Message-Sender-Via


This part includes our cPanel account name and the confidential path and name of the file which sent out the email; the file path discloses our web admin directory path. (Like osCommerce websites: we log in to the admin area to process orders and send emails to customers, so hackers can easily get our admin login path by registering as a fake customer and receiving an email from us.)


We don't want our cPanel account name and admin path disclosed in email, so cPanel should have an option to disable the X-Get-Message-Sender-Via info in the email header; this is very important for security reasons.


Thanks.

Best Answer

X-Get-Message-Sender-Via and the other similar header information included into each email is actually there explicitly for security reasons. This is by design and intentional.


By this, I mean that data is there to help server admins identify the origin/source of abuse. Ever run into a situation where a customer account has been compromised and is blasting out spam? Oftentimes this results in your server being blacklisted and (sometimes) the blacklist organization may provide example spam. This is common for places like AOL that have "Feedback Loops".


By providing this additional data, it means server admins are more readily able to identify how/where the spam originated by reviewing those headers. It's frustrating, to say the least, if you know your server is contributing towards spam in the world, see the message, but don't have any identifying details to see how it was sent.


The origin of the X-Get-Message-Sender-Via data itself is also part of how Exim is able to much more reliably attribute mail sending to particular cPanel users. This makes the per-hour mail limit significantly more reliable.


Therefore this feature is in for both security and functional reasons.
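The attribution workflow the answer describes, as an added example that is not part of the original thread or of cPanel's own code: given a reported message, pull the X-Get-Message-Sender-Via header apart to see which account it points at and whether it also exposes a file path, then tally a batch of reports per account. The sample message and the colon-separated header layout are constructed for this example and are not a documented cPanel/Exim format.

```python
from email import message_from_string
from email.policy import default

# Constructed sample of an outbound message as a server admin might receive it
# in a feedback-loop report. The header layout is an assumption for this example.
SAMPLE_MESSAGE = """\
X-Get-Message-Sender-Via: server.example.test: authenticated_id: shopacct/public_html/secret-admin/send_mail.php
From: orders@shop.example.test
To: customer@example.test
Subject: Your order

Thanks for your order.
"""

ATTRIBUTION_HEADER = "X-Get-Message-Sender-Via"


def sender_attribution(raw_message: str) -> dict:
    """Return what the attribution header reveals about a message's origin.

    Serves both readings in the thread: the admin tracing which account sent a
    reported spam sample, and the account owner auditing what the header
    discloses about their site (account name, script path).
    """
    msg = message_from_string(raw_message, policy=default)
    value = msg.get(ATTRIBUTION_HEADER)
    if value is None:
        return {"present": False}
    # Assumed layout: host, then how the sender was identified, then the
    # originating account, optionally followed by the sending script's path.
    fields = [f.strip() for f in str(value).split(":")]
    account, _, path = fields[-1].partition("/")
    return {
        "present": True,
        "host": fields[0],
        "method": fields[1] if len(fields) > 2 else None,
        "account": account,
        "path": path or None,
        "discloses_path": bool(path),
    }


def attribute_batch(raw_messages) -> dict:
    """Count reported messages per originating account, the way an admin would
    triage a feedback-loop batch to find the compromised account."""
    counts = {}
    for raw in raw_messages:
        info = sender_attribution(raw)
        key = info["account"] if info["present"] else "<unattributed>"
        counts[key] = counts.get(key, 0) + 1
    return counts
```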

Comments (2)

2

We will not provide a means of removing this vital information. It is very important for system admins and others in tracking down email abusers.
