If one of your cPanel accounts contains PHP code that has been exploited (such as an out-of-date Wordpress plugin) it can be desirable to temporarily block all outgoing email from a single domain until the exploit has been removed.
Creating a blocked domain list
Start by connecting to your WHM server via SSH. Create a file called /etc/blockeddomains:
Next, add the domain of the sender that you wish to block to the file:
echo exploitedcustomer.com.au >> /etc/blockeddomains
If the exploited account has addon domains that have also been exploited, you can repeat the above command for each domain.
Configure Exim to block mail
In the first step, we created a list of domains that we want to be blocked. Now we need to configure Exim to use this list and start dropping mail.
To do so, login to WHM web interface. Click on Exim Configuration Manager and then select Advanced Editor .
Scroll down a few pages until you find the big blue button labelled Add additional configuration setting . Click that button and directly above the button you will see two blank textboxes separated by an equals sign:
[.......................] = [...........................]
On the left hand side of the equals sign, enter:
On the right hand side, enter:
Scroll down slightly to find the section labelled custom_begin_outgoing_notsmtp_checkall , with a blank textbox.
Enter into the textbox:
sender_domains = +blocked_domains
message = Message from $sender_address_domain is manually blacklisted.
This instructs Exim to blackhole all emails generated locally where the sender domain is one of the entries in the /etc/blockeddomains we created earlier.
When an email is sent to "blackhole", it vanishes without generating an error. If you prefer to send a delivery failure to the user, replace discard with deny.
Finally, scroll way to the bottom of the page and click Save.
Testing the blocked domains
Switching back to SSH, run the following command to watch Exim's log in realtime:
tail -f /var/log/exim_mainlog
When our rule is triggered, you will see an entry like this:
2016-05-17 16:13:59 cwd=/home/cp1234/public_html/wp-admin/network 4 args: /usr/sbin/sendmail -t -i [email protected]
2016-05-17 16:13:59 1b2YGV-002cCQ-UE <= [email protected] U=web09859 P=local S=1597 [email protected] T="Download this system and Earn $789.91 Today!" for [email protected]
2016-05-17 16:13:59 1b2YGV-002cCQ-UE => blackhole (non-SMTP ACL discarded recipients): Message from exploitedcustomer.com.au is manually blacklisted.
2016-05-17 16:13:59 1b2YGV-002cCQ-UE Completed
Press CTRL+C (hold the Ctrl key down, press C, and then release both keys) to stop watching the log.
We can also see these emails by accessing WHM web interface, go to section Mail Delivery Reports.
Search by Sender User and enter the cPanel username for the exploited customer. You will see the emails shown as "Accepted", with the Recipient set to "blackhole" to indicate the mail was not sent.
Removing the block
Once the exploit has been fixed, you can remove the block by connecting with SSH and running the command:
echo > /etc/blockeddomains
This will erase all previously added domains from the list. If you have multiple domains and only want to remove one, you can use the nano text editor instead:
Delete the domain you want to unblock, then press CTRL+X to Exit then press Y to save changes.
Changes to the /etc/blockeddomains file are applied immediately, there is no need to restart Exim.