Email forwarders added to non-legitimate addresses

[Sokpet]

Hello,

I have a weird case on one of the servers. The non-legitimate forwarders emails (gmail addresses) have been added to cPanel from white listed IP. I can not blacklist that IP because it is legitimate and there is no way to trace which machine is sending non-legitimate request to add forwarders.
Can I add the rule to block the forwarders email change and allow to do it only manually via cPanel?
Or can I restrict forwarder to only one domain, so no one can add gmail or other addresses?

I checked email filters and /etc/valiases/domain.com and all is correct.

Any help would be appreciated.

Thank you.

 

[cPanelWilliam]

Hello! You can disable the "Email Filtering Manager" and "Forwarder Manager" features via the Feature Manager in WHM to prevent forwarders and filters from being added via cPanel and webmail for the account. We also have an article detailing how you can set up an Exim System filter to prevent users from sending to specific domains, but this does involve advanced Exim customization.

The ideal solution would be to perform a malware scan on all of the devices logging in to the webmail accounts to determine which device is infected.

 

[Sokpet]

Hello! and thank you for your prompt answer and advises. I will try to perform malware scan on all devices.
Do you know if disabling email forward hook script will help to stop from changing addresses?

Here is the script I found. Will it work?

Disable email forwarding to external domains in cPanel

Disable email forwarding to external domains in cPanel - disable_email_forward_hook.php

gist.github.com

Thank you

 

[cPanelWilliam]

Hello @Sokpet , thank you for your reply. I don't have any experience using that specific hook, but I believe it would work.

The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

 

[Spirogg]

Hello @Sokpet , thank you for your reply. I don't have any experience using that specific hook, but I believe it would work.

The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

is this an issue with exim where it is exposed to the public and hackers are getting in to add forwarders, or is this a user account issue? either way it they are hacking into the system from cPanel to exim that should be looked at further from cPanel yes ?

just wondering how can we prevent a hacker from running wild and adding forwarders to other users cpanel accounts ?

( if this is the case) not sure cause I have not had this issue but have seen a few people complain about this lately

thanks
Spiro

 

[Sokpet]

Hello @Sokpet , thank you for your reply. I don't have any experience using that specific hook, but I believe it would work.

The script appears to prevent new external forwarders from being added. One potential downside of this is that users wouldn't be able to add legitimate mail forwarders to external email accounts.

Thank you for checking that. I my particular case it will work since users are not allowed to use any external emails for forwarding.

 

[Sokpet]

is this an issue with exim where it is exposed to the public and hackers are getting in to add forwarders, or is this a user account issue? either way it they are hacking into the system from cPanel to exim that should be looked at further from cPanel yes ?

just wondering how can we prevent a hacker from running wild and adding forwarders to other users cpanel accounts ?

( if this is the case) not sure cause I have not had this issue but have seen a few people complain about this lately

thanks
Spiro

From my understanding it is user account related issue. From few hundred email accounts only 2 of them are vulnerable and get external forwarders added. The problem is that it is almost impossible to detect infected machine since server logs are showing only one IP address for all requests (which is data center) and all machines are connecting to the server via that data center. Obviously cPanel can not detect which request is legitimate and which is not since IP is white listed.