Disable catchalls on entire cPanel server to prevent spam

By default, cPanel accepts catchalls, that is, mail addressed to non-existent users, and bounces it. As a result, a cPanel server can accept a large volume of spam, because spammers often brute-force or randomly generate recipient addresses. Further, the bounce is usually sent to an innocent address that was spoofed, creating the growing problem known as backscatter spam.

A few steps are required to completely fix this. First, disable this default setting in cPanel WHM: go to Server Configuration > Tweak Settings > Mail and set Default catch-all/default address to :blackhole:. This silently drops spam rather than bouncing it, preventing more backscatter spam.

Next, disable all catchalls on the server:

mkdir -p /etc/valiasesbak
cp -R /etc/valiases /etc/valiasesbak
sed -i 's/^\*: [^ ]*$/*: :blackhole:/g' /etc/valiases/*
replace ':fail: No Such User Here' ':blackhole:' -- /etc/valiases/*

Check if there are any lingering aliases set to bounce with:

grep '*:' /etc/valiases/* | egrep -v ':blackhole:'

There may be a few other bounce phrases, such as “Invalid e-mail address. Check and re-send.” Simply substitute these phrases in the replace command above, like so:

replace ':fail: Invalid e-mail address. Check and re-send.' ':blackhole:' -- /etc/valiases/*
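
The audit and rewrite steps above can be combined into one script using only sed and awk. This is an added example, not part of the original post: it goes beyond the per-phrase replace commands by pointing every catch-all line at :blackhole: regardless of the bounce text. The function names are hypothetical, and the demo runs against a constructed sample directory rather than /etc/valiases.

```shell
#!/bin/sh
# Added example. Paths and domains below are constructed sample data.

# Build a throwaway directory laid out like /etc/valiases (one file per domain).
make_sample_dir() {
    sample=$(mktemp -d) || return 1
    printf '%s\n' '*: :fail: No Such User Here' 'info@example.com: alice' > "$sample/example.com"
    printf '%s\n' '*: :fail: Invalid e-mail address. Check and re-send.' > "$sample/example.info"
    printf '%s\n' '*: :blackhole:' 'sales@example.net: carol' > "$sample/example.net"
    printf '%s\n' '*: bob' > "$sample/example.org"
    echo "$sample"
}

# Print "file<TAB>class<TAB>line" for each catch-all entry in directory $1.
# class: blackhole (dropped), fail (bounced, backscatter risk), forward.
audit_catchalls() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk -v file="$f" '/^\*:/ {
            dest = $0; sub(/^\*:[ \t]*/, "", dest)
            class = "forward"
            if (dest ~ /^:blackhole:/) class = "blackhole"
            else if (dest ~ /^:fail:/) class = "fail"
            printf "%s\t%s\t%s\n", file, class, $0
        }' "$f"
    done
}

# Point every catch-all in directory $1 at :blackhole:, whatever the bounce
# phrase or forward target. Prints the number of files changed.
blackhole_catchalls() {
    changed=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        tmp=$(mktemp) || return 1
        sed 's/^\*:.*$/*: :blackhole:/' "$f" > "$tmp"
        if ! cmp -s "$f" "$tmp"; then
            cat "$tmp" > "$f"   # overwrite in place so owner and mode are kept
            changed=$((changed + 1))
        fi
        rm -f "$tmp"
    done
    echo "$changed"
}

# Demo on the constructed sample only; nothing under /etc is touched.
demo=$(make_sample_dir)
audit_catchalls "$demo"
echo "files changed: $(blackhole_catchalls "$demo")"
rm -rf "$demo"
```

Run the audit function alone first and review any line classed as forward, since those catch-alls deliver to a real mailbox that someone may still rely on.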

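Ensure users can still write to their alias files with the commands below. Note that mode 777 makes every alias file writable by any local account on the server: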

chmod 777 /etc/valiases/*
chown nobody:nobody /etc/valiases/*

Lastly, prevent users from re-enabling the catchall. In WHM > Packages > Feature Manager, select Default under Edit a Feature List and then edit. Uncheck Default Address Manager and then save.
