Email Account Sending out spam while Suspended – cPanel

Posted on February 27, 2025 by admin

When you suspend an account in cPanel, the users password, in “/home/ACCOUNT/etc/DOMAIN.com/shadow”, gets two exclamation marks prepended to the password hash. This means that the hash of a password from a user trying to login will not match what is in the shadow file effectively blocking the login.

Screenshot showing cPanel email account suspended.

However, there is an option that allows an admin to sign into all email accounts for a domain. The option is in WHM and called “Mail authentication via domain owner password”. It is under “Tweak Settings -> Mail”.

Screenshot showing Mail authentication via domain owner password setting.

If this option is enabled, then the admin, or an attacker that has compromised the admin password, can continue to login and send mail as a user.

A lot of email spam attacks appear to be automated. So if the admin password was weak and some hacker is using it to send spam, there is a good chance they don’t know it is the admin password. They just want to send out emails. Update the admin password, check and make sure the system is secure and monitor.

Add warning for emails from external domains in cPanel/WHM

Posted on December 9, 2024 by admin

In this post we are going to setup Exim to add “[External]” to the email subject if it originates from outside of the domain.

Thanks to Sam for this post. It was extremely helpful.
https://tech.saqr.org/2020/01/for-incoming-email-not-from-our-domain.html

ℹ️Exim filters do not appear to allow you to manipulate the body of an email, to do that you would need to use something like altermime.

Steps

Create a new Exim Filter
Enable Filter

Create an Exim Filter

SSH to the server and create a Exim filter. In cPanel there are in /usr/local/cpanel/etc/exim/sysfilter/options/. You can name the filter what ever you want.

vi /usr/local/cpanel/etc/exim/sysfilter/options/external_email_warning

Change “incredigeek.com” to your domain name.
You can also change “[External]” to whatever you want to be prepended to the subject.

if
  $header_to: contains "@incredigeek.com>"
  and $sender_address: does not contain "@incredigeek.com>"
  and $header_subject: does not contain "[External]"
then
  headers add "Old-Subject: $h_subject:"
  headers remove "Subject"
  headers add "Subject: [External] $h_old-subject"
  headers remove "Old-Subject"
endif

Save the file.

You can replace $sender_address with $header_from. While both can technically be forged, sender_address refers to the envelope sender provided by the SMTP MAIL FROM command and is harder to spoof if SPF is set up. header_from can be spoofed by just about any email client by change the from name.

Enable Custom Exim Filter

Now log into WHM, go to Service Configuration > Exim Configuration Manager > Basic Editor > Filters

At the bottom of the filters, you should see a new “Custom Filter: external_email_filter”
This is the filter you just created. Make sure it is On, and Save changes.

Enable Custom Exim Email Filter for External Email

There you go! Any email you receive now that is from an external domain should now have “[External]”, or whatever you specified, prepended to the subject.

If you run into any errors, try reviewing the panic log to see if there are any syntax errors.

Troubleshooting

You can use tail to follow the panic log to verify you have all the syntax correct.

tail /var/log/exim_paniclog -f

How to Migrate Email without IMAP credentials

Posted on October 31, 2024 by admin

Here are a few ways you can migrate emails without knowing the IMAP credentials.

Use the Admin Password.
Migrate emails using SFTP.
Import/Export using RoundCube?

Use the Admin Password

Some email services allow you to use the administrator password to sign into any email account. This allows you to move emails without knowing the users password.

You can refer to this FAQ on the imapsync website.

https://imapsync.lamiral.info/FAQ.d/FAQ.Admin_Authentication.txt

Migrating Files using SFTP

Disclaimer:

This option will only work if you have ftp/ssh/filesystem access.
Depending on email volume, you could miss emails that arrive during the transition.
If possible, it is recommended to use something like imapsync.
There could be format issues if the two email servers use different mailbox formats and/or email server software.

Emails are usually stored in the users home directory. Depending on the hosting provider, it could be /mail or ~/mail

You can zip up the mail directory and then unzip on the target server. This would only work if you have access to the filesystem. Create your email accounts before unzipping.

You could transfer the passwd and shadow files to keep the email passwords the same. Again, create the email addresses on the target server first and then either overwrite, or merge the differences between the shadow and passwd files.

For example, on cPanel servers, the mail directory is in ~/mail and the shadow and passwd files are in ~/etc/DOMAIN.COM

If you are logged in as root, you will need to change ~/ to /home/USER/ substituting USER for the actual cPanel user.

Import/Export messages from RoundCube?

You can import and export emails using the RoundCube webmail interface. However, the export is limited to one. message. at. a. time. This could work for a handful of messages, but can get quite tedious if you have a large number of emails.

Checking Email Blacklist and Getting Delisted

Posted on April 27, 2023 by admin

What do you do when your email server has been blacklisted and you are unable to send emails to certain domains? It’s best to be proactive and not get on the blacklists in the first place, but in the unfortunate event you do get blacklisted, here are some notes.

Checking Blacklists

First thing is we need to see which lists we are on. There are a couple of services that check multiple blacklists

https://mxtoolbox.com/blacklists.aspx

https://blacklistchecker.com/

These should give you an idea of which ones we need to go request a delisting.

att.net (yahoo.com, bellsouth.net)

AT&T is tricky as they don’t have an online site to show if you are blacklisted or not. They don’t seem very responsive and it can take awhile.

https://www.att.com/esupport/postmaster/

Send an email to “abuse_rbl@abuse-att.net” with your Mail Server IP address, the domain and ask to be delisted. You should get an auto-reply and then they usually will do something about it in 24-48 hours

More information below

https://pinpointe.com/blog/how-to-check-att-blacklist-request-ip-removal/

Other Blacklist

These are all fairly straight forward to check out. Some of them you will need to enter in an email, or maybe set up an account, others are as simple as requesting the IP to be delisted.

http://www.sorbs.net/menu.shtml

https://www.spamcop.net/

https://barracudacentral.org/rbl/removal-request

Send an Email with Node.JS

Posted on April 22, 2023 by admin

In this post, we will be using Node.JS and the nodemailer library to send email. We need to have an email account with an email provider to send email. Gmail or some other email provider should work.

Prerequisites

First lets install some tools

sudo apt install nodejs npm

Now lets install nodemailer

npm install nodemailer

Writing the Code to Send Email

Now that we have nodemailer installed, we can write or copy our code. Create a file called maill.js and make it look similar to the following.

// We can pass in the email text as an argument
const emailText = process.argv.slice(2);
// Or we can just have it as a variable
// const emailText = "NodeJS test email message."
console.log("args " + args)

const nodemailer = require("nodemailer");

const transporter = nodemailer.createTransport({
  host: "mail.emailserver.com",
  port: 465,    //  If your email server does not support TLS, change to 587
  secure: true, // If you are using port 587, change to false.  Upgrade later with STARTTLS
  auth: {
    user: "smtpuser@emailserver.com",
    pass: "notpassword)",
  },
});

const mailOptions = {
  from: 'user@emailserver.com',
  to: "touser@email.com",
  subject: 'Test Email using NodeJS',
  text: `${emailText}`
};

transporter.sendMail(mailOptions, function(error, info){
  if (error) {
    console.log(error);
  } else {
    console.log('Email sent: ' + info.response);
  }
});

Update the following variables

host: to your host email server
user: to the email user that is sending email. It should have an account on the email server
pass: password for your email user that is sending the email
from: email address that is sending the email
to: email account(s) you are sending email to
subject: subject of your email

Now we can proceed to send email

Sending Email

We can now run the code by saving our file and running it directly with NodeJS

nodejs ./mail.js "This is the body text for the email"

Hit Return and look for the email. If something went wrong, it should throw an error.

You can change the emailText variable if you would rather have the message body inside the code.

Code Explanation and Notes

A little explanation on the code.

The second line “const emailText = process.argv.slice(2);” is used to pass in a command line argument to use as the text for the body of the email. You can delete the line and uncomment line 4 if you would rather use a variable inside the code.

Your email server should support using SSL/TLS on port 465. If it does not, you may need to use STARTTLS which uses port 587, and then set secure to false. STARTTLS should upgrade the connection to be encrypted. But it’s opportunistic. You can read more about STARTTLS, SSL/TLS here https://mailtrap.io/blog/starttls-ssl-tls/

You can change the “to: ” in the mailOptions object to an array of email addresses to send the email to multiple people at once.

to: ["email1@email.com", "email2@email.com", "etc"],

Enable TLS 1.1 and 1.2 on Windows 7

Posted on March 28, 2023 by admin

Windows 7 does not support TLS 1.1 or 1.2 by default. This can be an issue if you are still trying to use Outlook 2010 on Windows 7.

Fortunately there is a way that we can enable TLS 1.1 and 1.2.

First we need to verify that we have the correct Windows update in place. Download the appropriate download and double click it to run.

For 64 bit systems download the update from here

http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/04/windows6.1-kb3140245-x64_5b067ffb69a94a6e5f9da89ce88c658e52a0dec0.msu

or for 32 bit systems

http://download.windowsupdate.com/c/msdownload/update/software/updt/2016/04/windows6.1-kb3140245-x86_cdafb409afbe28db07e2254f40047774a0654f18.msu

After the update is finished, create a new text file (AKA PowerShell Script) with the following contents.

$arch=(Get-WmiObject -Class Win32_operatingsystem).Osarchitecture
$reg32bWinHttp = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$reg64bWinHttp = "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp"
$regWinHttpDefault = "DefaultSecureProtocols"
$regWinHttpValue = "0x00000a00"
$regTLS11 = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client"
$regTLS12 = "HKLM:SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client"
$regTLSDefault = "DisabledByDefault"
$regTLSValue = "0x00000000"

Clear-Host
Write-Output "Creating Registry Keys...`n"
Write-Output "Creating registry key $reg32bWinHttp\$regWinHttpDefault with value $regWinHttpValue"

IF(!(Test-Path $reg32bWinHttp)) {
    New-Item -Path $reg32bWinHttp -Force | Out-Null
    New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
}
ELSE {
    New-ItemProperty -Path $reg32bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
}

IF($arch -eq "64-bit") {
    Write-Output "Creating registry key $reg64bWinHttp\$regWinHttpDefault with value $regWinHttpValue"
    IF(!(Test-Path $reg64bWinHttp)) {
        New-Item -Path $reg64bWinHttp -Force | Out-Null
        New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
    }
    ELSE {
        New-ItemProperty -Path $reg64bWinHttp -Name $regWinHttpDefault -Value $regWinHttpValue -PropertyType DWORD -Force | Out-Null
    }
}

Write-Output "Creating registry key $regTLS11\$regTLSDefault with value $regTLSValue"

IF(!(Test-Path $regTLS11)) {
    New-Item -Path $regTLS11 -Force | Out-Null
    New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
    }
ELSE {
    New-ItemProperty -Path $regTLS11 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
}

Write-Output "Creating registry key $regTLS12\$regTLSDefault with value $regTLSValue"

IF(!(Test-Path $regTLS12)) {
    New-Item -Path $regTLS12 -Force | Out-Null
    New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
    }
ELSE {
    New-ItemProperty -Path $regTLS12 -Name $regTLSDefault -Value $regTLSValue -PropertyType DWORD -Force | Out-Null
}

Write-Output "`nComplete!"

Save the file as “tls-reg-edit.ps1”

If saving it using notepad, change Save as type: All files (*.*)

Open a PowerShell. Change directories “cd” to the location you saved the above script to. ie. cd Downloads

Run the script with the follow command. Note you will most likely need to hit Y to allow the scripts to run.

Set-ExecutionPolicy Bypass -Scope Process ; .\tls-reg-edit.ps1

After the script runs, you’ll need to reboot your computer.

The script and information was taken from the following link. Thanks cPanel!

https://docs.cpanel.net/knowledge-base/security/how-to-configure-microsoft-windows-7-to-use-tls-version-1.2/

There is also more information at the following Microsoft link.

https://support.microsoft.com/en-us/topic/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-winhttp-in-windows-c4bd73d2-31d7-761e-0178-11268bb10392

How to Send an Email using Telnet

Posted on May 20, 2022 by admin

We’ll be using telnet to connect to a mail server and send ourselves an email.

The parts in bold are the commands to enter.

[bob@linux ~]$ telnet mail.website.com 25
Trying mail.website.com...
Connected to mail.website.com.
Escape character is '^]'.
220-mail.website.com ESMTP Exim 4.85 #2 Mon, 09 May 2022 22:12:59 
220-We do not authorize the use of this system to transport unsolicited, 
220 and/or bulk e-mail.
HELO domainto.sendfrom.com
250 mail.website.com Hello domainto.sendfrom.com [192.168.1.2]
MAIL FROM: <bob@incredigeek.com>
250 OK
RCPT TO: <bob@incredigeek.com>
250 Accepted
DATA
354 Enter message, ending with "." on a line by itself
Subject: Test Message

This is a test

.
250 OK id=5a1g7i-1347MT-1p
QUIT
221 mail.website.com closing connection
Connection closed by foreign host.

Further links to read

https://github.com/maildev/maildev/issues/212

How To Manually Send Email Using Telnet to Check for Open Relays

Adding Email Disclaimer for Entire Domain on WHM/cPanel

Posted on November 30, 2021 by admin

Altermime is a small utility that allows you to append a disclaimer to all outbound emails on a cPanel server.

1. Installing altermime

You should be able to copy and paste the following commands in. You’ll need to be root.

cd /usr/local/src/ 
wget pldaniels.com/altermime/altermime-0.3.10.tar.gz 
tar xvfz altermime-0.3.10.tar.gz 
cd altermime-0.3.10 
make 
make install

2. Setup Disclaimer Text

Create two disclaimer files. One is text and the other is for HTML.

Text file

nano /usr/local/etc/exim/textdisclaimer

Add your disclaimer text.

-------------
incredigeek.com

HTML File

Create the HTML disclaimer file with

nano /usr/local/etc/exim/htmldisclaimer

And add your disclaimer HTML to the file. Example:

<p>
-----
<br />
  <a href="http://www.incredigeek.com">incredigeek.com </a>
</p>

3. Modify Exim Configuration

Now that we have the disclaimer files set up, we can move on to configuring Exim so the disclaimer text gets added to every email sent out.

Open up WHM and go to Exim Configuration Editor -> Advanced Editor

A. Configuring Routers Configuration

Find the ROUTERS CONFIGURATION section. We will add some configuration in the “Section: PREROUTERS”

Add disclaimer to Single Domain

Paste in the following to add the disclaimer to a single domain. Replace “incredigeek.com” with your domain.

disclaimer:
driver = dnslookup
domains = ! +local_domains
transport = ${if eq {$sender_address_domain}{incredigeek.com}{disclaimer_smtp}{remote_smtp}}
no_more

Add Disclaimer to Entire Server (Optional)

If you would rather apply the disclaimer to the entire server, use the following.

disclaimer:
driver = dnslookup
domains = ! +local_domains
transport = disclaimer_smtp

B. Configure Transports Configuration

Once we have that added we can find the “TRANSPORTS CONFIGURATION” section and under the first “Section: TRANSPORTSTART” add

disclaimer_smtp:
driver = smtp
transport_filter = /usr/local/bin/altermime  --input=- --disclaimer=/usr/local/etc/exim/textdisclaimer --disclaimer-html=/usr/local/etc/exim/htmldisclaimer
size_addition = 1

That should be everything that you need. Send a test email to an external email account to verify that it works.

Note that it looks like sending an email locally to email addresses on the same domain or to yourself bypass the filter and do not get the disclaimer added.

The following links were helpful for getting this set up.

https://forums.cpanel.net/threads/howto-footer-disclaimer-in-outgoing-mails.98465/

https://pldaniels.com/altermime/

How To tell if an email on a cPanel server has been read from the command line

Posted on September 24, 2020 by admin

All of the emails in the email directories contain one of the following at the end of the filename

$ ls cur/ | cut -d: -f 2 | sort | uniq -c
54 2,               <- Not Read
12 2,ab             <- Not Read
83 2,S              <- Read
61 2,Sab            <- Read

The first two “2, and 2,ab” mean that the message has not been read. The bottom 2 “2,S and s,Sab” mean that the message has been read or “seen?”. Guess that is what the S is for. Not sure what ab is for.

cPanel Email Directories