We have disabled the BoxTrapper spam trap on all Linux shared hosting servers. This feature is part of WHM/cPanel, and while it sounds good in theory, it adds to the global spam problem and has caused our servers to be listed on some blocklists.


On the surface it looks like a good way to stop spam: every incoming message is challenged, and the sender must respond before the message is delivered to the user's inbox.


But the results are not what we expected. It has been recognized that BoxTrapper can turn any cPanel hosting account into a spam machine: it responds to whatever sender address appears on a message, including addresses that are victims of email spoofing, which may lead to blocking.


BoxTrapper has a huge flaw: it sends the verification message to whatever email address is listed as the sender of the email. Because the address an email appears to come from is easy to forge, spammers can target accounts that use a feature like BoxTrapper and bounce messages off those accounts to the addresses they actually want to spam. The spam arrives indirectly, which makes it difficult to trace and stop. This is called backscatter.
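
The check that is missing in the flaw described above, as an added example (not cPanel's or BoxTrapper's code): an auto-responder should reply only when the receiving server itself authenticated the sender. The host name `mx.hosting.example`, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

AUTHSERV_ID = "mx.hosting.example"  # assumption: the id our own MTA stamps

def _domain(value):
    """Domain part of an address or bare domain, lowercased."""
    return parseaddr(value)[1].rpartition("@")[2].lower()

def _spf_pass_domain(msg):
    """Domain our own MTA recorded as SPF-authenticated, or None."""
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(header).partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue  # stamped by another host, possibly forged by the sender
        for result in results.split(";"):
            tokens = result.split()
            if tokens and tokens[0].lower() == "spf=pass":
                for tok in tokens[1:]:
                    if tok.lower().startswith("smtp.mailfrom="):
                        return _domain(tok.split("=", 1)[1])
    return None

def may_challenge(raw):
    """Return (allowed, reason) for auto-replying to the From address."""
    msg = message_from_string(raw)
    if msg.get("Return-Path", "").strip() == "<>":
        return False, "null envelope sender (bounce)"
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return False, "automatic message (RFC 3834)"
    if msg.get("Precedence", "").strip().lower() in {"bulk", "list", "junk"}:
        return False, "bulk or list mail"
    from_domain = _domain(msg.get("From", ""))
    if not from_domain or _spf_pass_domain(msg) != from_domain:
        return False, "sender not authenticated: a reply would be backscatter"
    return True, "SPF-authenticated sender matches From domain"

# Constructed sample messages (not real traffic).
FORGED = ("Return-Path: <x@bulk.example>\n"
          "Authentication-Results: mx.hosting.example; spf=fail smtp.mailfrom=bulk.example\n"
          "Authentication-Results: relay.bulk.example; spf=pass smtp.mailfrom=victim.example\n"
          "From: Victim <victim@victim.example>\nSubject: hi\n\nbody\n")
GENUINE = ("Return-Path: <alice@friend.example>\n"
           "Authentication-Results: mx.hosting.example; spf=pass smtp.mailfrom=alice@friend.example\n"
           "From: Alice <alice@friend.example>\nSubject: lunch\n\nbody\n")
BOUNCE = "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example\nSubject: failed\n\nbody\n"
if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE), ("bounce", BOUNCE)):
        print(name, may_challenge(raw))
```

The check trusts only `Authentication-Results` headers carrying the server's own id, which assumes the MTA strips any inbound header that already claims that id.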


Backscatter is a very large problem for email providers and is heavily penalized by blocklists and email reputation providers. Because BoxTrapper enables this behavior and has been the direct cause of some of our servers being blocklisted, we are removing this feature from all our servers effective immediately. This feature is used by very few users, and with other spam filtering techniques available, we strongly believe that the risk BoxTrapper presents is not worth the gain.


If you are one of the few using this feature, we hope you understand why we have decided to disable this system on all our servers. Having the entire server blocklisted because of BoxTrapper on a single account is simply not acceptable and is an inconvenience to everyone who shares space on the server.