A User can see EVERY domain hosted on a Server?
Ok, Here's the deal...

There is a Person who somehow obtained a list of all the domains hosted on my server(not users, but domains..). He then proceded to Email webmaster,admin,owner,etc @domain.com for every single one of these domains, and offer HIS web hosting advertisments.

Now my cpanel is totaly up to date, and the only other thing i really run on here is WHM Auto Piolet.

What i want to know is:
1. How did they get a domain list?
2. How can i stop this list from showing?

You really do not need anything special to do this, places like whois.sc allow members to use a reverse ip tool and see all the sites hosted on a particular IP or what is hosted on the server.

I read somewhere about people paying specific services like the above to block reverse IP look ups, I imagine there may be other ways to do it but otherwise, if they are not your domains and your customers do not use something like private registrations, spammers and the rest of the scum are going to keep grabbing domain names, email contacts or if that fails use generic fronts like, webmaster, postmaster, admin, and blah blah blah. Even using private registrations will not stop them.

Be sure to set everything to :fail: on your server, this may stop some of the mail.

blocking reverse lookups is a good way to get other servers to block your outbound emails. a lot of anti spam stuff requires a valid reverse lookup otherwise it will reject mail as spam

I imagine they looked at httpd.conf anybody on the server can get readonly access to this file.

not if you have chroot enforcement feature on a grsecurity patched kernel

www.grsecurity.net

regards

You failed to password protect bandwith. All they did was list it from the net, http://your_ip/bandwidth to get a list of every domain on your box. Try password protecting it from WHM!