Spammers love nothing more than launching dictionary attacks on unsuspecting domains that have the ‘catch-all’ feature enabled. This causes multiple problems: the main issues are excessive server load, disk usage, and spam volume. The worst issue is that once spammers catch on to the fact your domain has a catch-all, they will launch spam campaigns with your domain as the sending domain and all of their backscatter will flood your inbox with legitimate bounces. If you haven’t been the target of backscatter, keep it that way and disable your catch-all!
The following how-to explains how to manually disable the catch-all on every site. Since there is no way to prevent a user from re-enabling the catch-all in their cPanel account, you might consider setting this up to run via cron every hour or so.
First, back up the virtual aliases:
mkdir -p /etc/valiasesbackup && cp -p /etc/valiases/* /etc/valiasesbackup/
Then, check which sites have a catch-all enabled:
grep '^\*:' /etc/valiases/* | grep -v ':fail:'
Disable the catch-all on any site(s) with catch-all enabled. After you do this, run the previous command again to make sure it worked. If it did, the command shouldn’t return anything.
sed -i 's/^\*: [^ ]*$/*: :fail: ADDRESS DOES NOT EXIST/g' /etc/valiases/*
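If something goes horribly wrong, you can restore the backup you just made (calling /bin/cp directly bypasses any interactive cp -i alias, so it overwrites without prompting; the old --reply=yes option has been removed from GNU cp):
/bin/cp -p /etc/valiasesbackup/* /etc/valiases/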
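The steps above combined into one script suitable for the hourly cron run suggested earlier; this is an added example, not part of the original how-to. It goes slightly beyond the sed command above by rewriting any catch-all line regardless of its destination, and the function names and the --apply flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Paths default to the ones used
# in the how-to; override VALIASES_DIR / BACKUP_DIR to try it on a test copy.
VALIASES_DIR="${VALIASES_DIR:-/etc/valiases}"
BACKUP_DIR="${BACKUP_DIR:-/etc/valiasesbackup}"

# True if the alias file has a catch-all line that does not already :fail:.
has_catchall() {
    grep '^\*:' "$1" | grep -qv ':fail:'
}

# Print every alias file in directory $1 that still has a live catch-all.
list_catchall() {
    for f in "$1"/*; do
        if [ -f "$f" ] && has_catchall "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Back up and rewrite each affected file in $1; print how many were changed.
# Only files about to be modified are copied to $2, so a later run never
# replaces a good backup with an already-rewritten file.
disable_catchall() {
    dir=$1; backup=$2; changed=0
    mkdir -p "$backup" || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        has_catchall "$f" || continue
        cp -p "$f" "$backup/" || return 1
        # Assumption: replace the whole catch-all line, whatever its target.
        sed -i '/:fail:/!s/^\*:.*/*: :fail: ADDRESS DOES NOT EXIST/' "$f" || return 1
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Dry run by default; pass --apply (e.g. from cron) to rewrite the files.
if [ "${1:-}" = "--apply" ]; then
    disable_catchall "$VALIASES_DIR" "$BACKUP_DIR"
else
    list_catchall "$VALIASES_DIR"
fi
```

Run it without arguments first to see which alias files would change, then schedule it with --apply once the list looks right.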