Spam is not just annoying, but often a security threat. Cleaning up cluttered mailboxes is time-consuming and messages are often laced with virus attachments or malicious links.
The best webmasters prevent spam, not just clean it up!
1. How to Prevent Spam in cPanel and Plesk
Use SpamAssassin + spam filter
Both cPanel and Plesk have SpamAssassin (SA) preinstalled and integrated into the local mail server. When enabled, SA scans all incoming email and rates them on various factors.
For example, does the email have images and no text?
If the rating exceeds the allowed score, the email is marked as spam or deleted (as based on your preferences).
Both panels also offer other filters, allow you to redirect or even delete emails based on keywords.
For example, the word “Viagra” in the subject line. These filters, in combination with SpamAssassin detections, create a very powerful anti-spam mechanism on the server.
How to enable SA in cPanel
- Login to cPanel, go to the mail section.
- Click the SpamAssassin icon and then enable it.
- Note the options to auto-delete mail, or auto-add a prefix to suspect messages.
- Using either the Global Mail Filters or the Mail Filters, add keyword-based filtering as needed.
How to enable SA in Plesk
- Login to Plesk
- Go to your domain
- Go to the Mail tab
- Go to the email address that you want to filter
- Enable SpamAssassin (and as with cPanel, note the options to mark or delete)
2. Enable DKIM and SPF checks
DKIM is the second revision of the DomainKeys authentication system. It checks whether an email is from the domain it claims to have been sent from.
If the message fails this check, it gets rejected by the server as spam.
DKIM is two-way. Any email you send must be signed in order to not be discarded or bounced by another server. And then you can instruct your server to reject or black hole as well.
This process involves many steps, and a great guide for these panels can be found here. Plesk has a dedicated DKIM selection area, while cPanel leverages DKIM checking via custom SpamAssassin mail filtering rules.
3. Disable catchall email
The catch-all (or catchall), aka the domain default email account, will accept all messages to non-existent accounts on a server when enabled.
Spammers blast spam to sites, whether or not they know an address.
For example, sales@ is a common spam message sent to all sites. If sales@ does not exist, and a catchall does, it’s diverted to this mailbox. So never enable the catchall address!
Doing so wastes server space, can consume CPU and RAM, and can allow malware onto the system.
While it can be useful for senders who mistyped the email address, it’s not worth it. Either set the address to either blackhole (discard) or reject (bounce) the messages.
To enable in cPanel
- Login to cPanel
- Click the Default Address icon
- Discard under the advanced options
- Ignore the cPanel warning that it’s not recommended. It most certainly is recommended! Note that bouncing can create a backscatter problem, so blackholing is the best option.
To enable in Plesk
- Login to Plesk
- Go to your domain
- Go to the Mail tab
- Click on Mail for Non-Existent Users
- Make sure “reject” is enabled by default. (Unfortunately, Plesk does not give the option to blackhole, so reject is next best)
Source :
EuroVPS Article.