SMTP loophole for Spammer: Authentication not required for sending email to addresses within the same domain.
Our SMTP server (biz251) is configured such a way that authentication is not needed when sending emails within the same domain.
This allows scammers to send phishing/malicious links to email addresses in our domain simply by using an address in our domain as the sender address, without ever having to authenticate.
This style of spamming has been going on for years, but we've only just discovered this loophole recently.
Is there any way we could disable this feature from the CPanel, or does it require inmotionhosting to set it on their side?
We tested using telnet to confirm our finding. We didn't need to authenticate to send the email. Sender and recipient addresses (both from our domain) are redacted.