Block all outgoing email from specific domains


If one of your cPanel accounts contains PHP code that has been compromised (for example through an out-of-date WordPress plugin), it can be desirable to temporarily block all outgoing email from that account's domain until the malicious code has been removed, so the server does not keep sending spam while you clean up.

 

Creating a blocked domain list

Start by connecting to your WHM server via SSH. Create a file called /etc/blockeddomains:

touch /etc/blockeddomains

Next, add the domain of the sender that you wish to block to the file:

echo exploitedcustomer.com.au >> /etc/blockeddomains

If the compromised account has addon domains that have also been abused, repeat the above command for each domain. Entries are matched exactly against the envelope sender domain, so a subdomain (for example mail.exploitedcustomer.com.au) must be listed on its own line if mail is being sent from it.

 

Configure Exim to block mail 

In the first step, we created a list of domains that we want to be blocked. Now we need to configure Exim to use this list and start dropping mail.

To do so, log in to the WHM web interface. Click on Exim Configuration Manager and then select Advanced Editor.

Scroll down a few pages until you find the big blue button labelled Add additional configuration setting . Click that button and directly above the button you will see two blank textboxes separated by an equals sign:

[.......................] = [...........................]

On the left hand side of the equals sign, enter:

domainlist blocked_domains

On the right hand side, enter:

lsearch;/etc/blockeddomains

Scroll down slightly to find the section labelled custom_begin_outgoing_notsmtp_checkall , with a blank textbox.

Enter into the textbox:

discard
sender_domains = +blocked_domains
message = Message from $sender_address_domain is manually blacklisted.

This instructs Exim to blackhole all locally generated (non-SMTP) mail, such as mail a PHP script hands to /usr/sbin/sendmail, where the envelope sender domain is one of the entries in the /etc/blockeddomains file we created earlier. Because the rule lives in the non-SMTP ACL, mail that the same domain's mailboxes submit over authenticated SMTP is not affected by it.

When a message is discarded to "blackhole", it vanishes without generating an error: the script that sent it sees a successful submission. If you prefer the sender to receive a failure, replace discard with deny; Exim then refuses the message and the local sendmail call exits with an error carrying the message text.

Finally, scroll way to the bottom of the page and click Save.

 

Testing the blocked domains

Switching back to SSH, run the following command to watch Exim's log in real time:

tail -f /var/log/exim_mainlog

When our rule is triggered, you will see an entry like this:

2016-05-17 16:13:59 cwd=/home/cp1234/public_html/wp-admin/network 4 args: /usr/sbin/sendmail -t -i -fjohn_smith@exploitedcustomer.com.au
2016-05-17 16:13:59 1b2YGV-002cCQ-UE <= john_smith@exploitedcustomer.com.au U=web09859 P=local S=1597 id=566510dc9a16fcbf44b7ea2a00ef1482@exploitedcustomer.com.au T="Download this system and Earn $789.91 Today!" for remoteuser@example.com
2016-05-17 16:13:59 1b2YGV-002cCQ-UE => blackhole (non-SMTP ACL discarded recipients): Message from exploitedcustomer.com.au is manually blacklisted.
2016-05-17 16:13:59 1b2YGV-002cCQ-UE Completed

Press CTRL+C (hold the Ctrl key down, press C, and then release both keys) to stop watching the log.

You can also see these messages in the WHM web interface under Mail Delivery Reports.

Search by Sender User and enter the cPanel username of the compromised account. The messages are shown as "Accepted" with the Recipient set to "blackhole", which indicates the mail was discarded rather than delivered.

 

Removing the block

Once the exploit has been fixed, you can remove the block by connecting with SSH and running the command:

echo > /etc/blockeddomains

This empties the list (the blank line it leaves behind is ignored by Exim). If you have multiple domains listed and only want to remove one, edit the file with the nano text editor instead:

nano /etc/blockeddomains

Delete the domain you want to unblock, then press CTRL+X to Exit then press Y to save changes.

Changes to the /etc/blockeddomains file take effect immediately, because Exim reads the file each time it evaluates the domain list; there is no need to restart Exim. Empty the file rather than deleting it, since the Exim configuration now refers to it.
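The following shell helpers are an added example and are not part of this article, cPanel or Exim. They cover the list maintenance described above (adding a domain without creating duplicates, removing a single domain without nano, checking whether a domain is listed the way Exim's lsearch will see it) and the log check, tallying blackholed messages per sender domain from exim_mainlog text. They assume the list holds one bare domain per line, as created with echo above, and that the ACL uses the exact message text "Message from <domain> is manually blacklisted." The function names block_domain, unblock_domain, is_blocked, list_blocked and count_blackholed are hypothetical, and the sample log is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the original article): helpers for the
# /etc/blockeddomains list and a per-domain tally of blackholed messages.
# Assumptions: one bare domain per line in the list, and the ACL message
# "Message from <domain> is manually blacklisted." from the article.
# The function names are hypothetical helpers, not cPanel or Exim commands.

# Path of the list; override with BLOCKLIST=/tmp/somefile for a dry run.
BLOCKLIST="${BLOCKLIST:-/etc/blockeddomains}"

# Normalise a domain for storage: lowercase, trimmed, no trailing dot.
# Exim compares domain names case-insensitively, so one spelling is enough.
normalise_domain() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//'
}

# Print the active entries. lsearch ignores blank lines and "#" comments,
# so they are skipped here as well.
list_blocked() {
    [ -f "$BLOCKLIST" ] || return 0
    grep -v -e '^[[:space:]]*$' -e '^#' "$BLOCKLIST" || true
}

# Exact whole-line match, which is what lsearch does with a bare key line.
# A subdomain such as mail.example.com does NOT match example.com.
is_blocked() {
    d=$(normalise_domain "$1")
    list_blocked | grep -q -x -F -- "$d"
}

# Append a domain unless it is already listed (a plain "echo >>" would
# silently add duplicates).
block_domain() {
    d=$(normalise_domain "$1")
    [ -n "$d" ] || { echo "block_domain: domain required" >&2; return 2; }
    is_blocked "$d" && return 0
    printf '%s\n' "$d" >> "$BLOCKLIST"
}

# Remove one domain and keep everything else. The file is rewritten in
# place so its ownership and mode stay as they were.
unblock_domain() {
    d=$(normalise_domain "$1")
    [ -f "$BLOCKLIST" ] || return 0
    tmp=$(mktemp)
    grep -v -x -F -- "$d" "$BLOCKLIST" > "$tmp" || true
    cat "$tmp" > "$BLOCKLIST"
    rm -f "$tmp"
}

# Read exim_mainlog text on stdin and print "domain count" for every
# message the ACL discarded, sorted by domain. Only lines carrying both
# the blackhole marker and our ACL message text are counted.
count_blackholed() {
    awk '
        index($0, "=> blackhole (non-SMTP ACL discarded recipients)") &&
        match($0, /Message from [^ ]+/) {
            dom = substr($0, RSTART + 13, RLENGTH - 13)   # skip "Message from "
            n[dom]++
        }
        END { for (d in n) printf "%s %d\n", d, n[d] }
    ' | sort
}

# Constructed sample log, modelled on the entries shown in the article.
SAMPLE_LOG=$(cat <<'EOF'
2016-05-17 16:13:59 1b2YGV-002cCQ-UE <= john_smith@exploitedcustomer.com.au U=web09859 P=local S=1597 T="Download this system and Earn $789.91 Today!" for remoteuser@example.com
2016-05-17 16:13:59 1b2YGV-002cCQ-UE => blackhole (non-SMTP ACL discarded recipients): Message from exploitedcustomer.com.au is manually blacklisted.
2016-05-17 16:13:59 1b2YGV-002cCQ-UE Completed
2016-05-17 16:14:02 1b2YGY-002cCT-1a => blackhole (non-SMTP ACL discarded recipients): Message from another-site.example is manually blacklisted.
2016-05-17 16:14:05 1b2YGb-002cCW-9Q => blackhole (non-SMTP ACL discarded recipients): Message from exploitedcustomer.com.au is manually blacklisted.
2016-05-17 16:14:07 1b2YGd-002cCZ-3k => bob@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
EOF
)

# Stand-alone run: tally the constructed sample. The list helpers are
# left for the operator to call (block_domain, unblock_domain, is_blocked).
printf '%s\n' "$SAMPLE_LOG" | count_blackholed
```

To try the list helpers without touching the live file, source the script with BLOCKLIST pointed at a scratch file. On the server, block_domain replaces the echo step and unblock_domain replaces the nano edit; the real log can be tallied with tail -n 5000 /var/log/exim_mainlog | count_blackholed.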
