SMTP loophole for Spammer: Authentication not required for sending email to addresses within the same domain.

Avatar
Anonymous
  • updated
  • Answered

Our SMTP server (biz251) is configured such a way that authentication is not needed when sending emails within the same domain. 


This allows scammers to send phishing/malicious links to email addresses in our domain simply by using an address in our domain as the sender address, without ever having to authenticate.  


This style of spamming has been going on for years, but we've only just discovered this loophole recently.


Is there any way we could disable this feature from the CPanel, or does it require inmotionhosting to set it on their side?

We tested using telnet to confirm our finding. We didn't need to authenticate to send the email. Sender and recipient addresses (both from our domain) are redacted. 

Image 375

Duplicates 1
SMTP loophole for Spammer: Authentication not required for sending email to addresses within the same domain.

Our SMTP server (biz251) is configured to not require authentication when sending emails within the same domain. 

This allows spammers to send spams and malicious links to email addresses in our domain using the same recipient address as the sender address, without having to authenticate. It's been going on for years. We've just discovered this loophole recently. 

Is there any way to disable this ability from the CPanel, or does it require inmotionhosting to set it on their side? 

Pinned replies
Avatar
0
Josh Green
  • Answer
  • Answered

Hello,
I'm happy to help with that today. There are tools available through cPanel to assist with this and we have information that can help with that at https://www.inmotionhosting.com/support/email/spf-records-domain-keys-combating-spam/
If you are still experiencing issues after using those methods, then this would be something you'll want to discuss directly with our Technical Support team and they can be reached by phone at 757-416-6575, Monday - Friday from 9AM to 9PM.

Replies 1
Avatar
0
Josh Green
  • Answer
  • Answered

Hello,
I'm happy to help with that today. There are tools available through cPanel to assist with this and we have information that can help with that at https://www.inmotionhosting.com/support/email/spf-records-domain-keys-combating-spam/
If you are still experiencing issues after using those methods, then this would be something you'll want to discuss directly with our Technical Support team and they can be reached by phone at 757-416-6575, Monday - Friday from 9AM to 9PM.