Hosting Discussion
Post #16, 03-21-2005, 09:57 AM
TonyB (HD Amateur; joined Mar 2005; 58 posts)
This is news to me that WHMAP is such a big security risk, considering I have port 25 set to localhost only. It's not an open relay or anything like that, and I check logs for strange mail-related stuff.
__________________
Hawk Host
Quality Shared and Reseller Web Hosting
http://www.hawkhost.com/

Post #17, 03-21-2005, 11:22 AM
ANMMark (HD Community Advisor; joined Sep 2004; Pennsylvania; 1,580 posts)
Quote:
This is news to me that WHMAP is such a big security risk, considering I have port 25 set to localhost only. It's not an open relay or anything like that, and I check logs for strange mail-related stuff.
Now, suppose a spammer signed up on your servers. The fact that you have it set to localhost only makes no difference.

The only thing you have secured by setting it to localhost only is that people who do not have a domain or an account on your server cannot spoof your SMTP.

However, if you have a spammer on your server, they would be mailing from localhost, and the fact that they would use SMTP means they could literally send out thousands of emails in less than a minute's time, and as said, it would come from localhost. In fact, using that, they could effectively and quickly forge all of the mails to make it appear as though they're coming from YOUR domain, if they chose to do so.

Just because it hasn't happened yet, does not mean you should leave vulnerabilities like this open.

All it takes is once.

For example, most people lock their doors at night, and have never had their houses broken into, yet they continue to lock their door at night, because they don't want to take chances with their family and home.
__________________
Mark - Co-President/Lead Developer
avidInteractive Software
The ServeraSuite 2007 Award Winning Professional Server Monitoring Solution

Post #18, 03-21-2005, 02:36 PM
TonyB (HD Amateur; joined Mar 2005; 58 posts)
I wouldn't call this a hole in the script by any means; it can happen to any host. It doesn't take SMTP to send out spam; it can simply be a PHP script using sendmail.

Post #19, 03-21-2005, 05:41 PM
ANMMark (HD Community Advisor; joined Sep 2004; Pennsylvania; 1,580 posts)
Right you are. However, sendmail is much slower and harder to forge. It takes a lot more time to forge a legit header in sendmail than with SMTP, and it also takes more time to send out as many emails.

In addition, with SMTP set up to accept any script's mail on localhost, the user does not have to authenticate prior to sending mail via the SMTP.

I wouldn't call this a hole either. I would call it a security risk, and a sad oversight on WHMAP's part, because long after they were notified, they failed to provide the option of doing it the way you choose. Thus far, without that option, the script requires you to make your server vulnerable.

Of course that's a choice that every host has to make for themselves and their clients. It's a choice that our company made quite some time ago, not to make our clients vulnerable for our own benefit, but again, that's just us.
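Added example, not code from this thread and not from WHMAP or any product mentioned here: a small Python log check for the scenario Mark describes in the post above, one account pushing a burst of messages through localhost SMTP with no authentication, which the relay rules never see. The log format is modelled on Postfix smtpd/qmgr lines, but every line, host name, queue id and address is constructed here; the 100-messages-per-minute threshold is an assumption to tune per server.

```python
# Added example (not code from the thread or from WHMAP): flag accounts that
# push a burst of mail through localhost SMTP, joined per queue id from
# Postfix-style smtpd/qmgr log lines. Log format, names and values are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# smtpd records which client connected; qmgr records the envelope sender.
CLIENT_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: (\w+): client=(\S+)")
FROM_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")

LOG_YEAR = 2005  # syslog timestamps carry no year; assumed for the sample


def parse_ts(stamp):
    """Turn a syslog timestamp ('Mar 21 09:57:01') into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")


def localhost_submissions(lines):
    """Return (timestamp, sender) for every message that arrived via 127.0.0.1.

    Messages from remote clients are ignored: those pass the relay/auth
    rules, while the unauthenticated localhost path does not.
    """
    client_by_qid = {}
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:
            client_by_qid[m.group(2)] = m.group(3)
    found = []
    for line in lines:
        m = FROM_RE.match(line)
        if m and client_by_qid.get(m.group(2), "").endswith("[127.0.0.1]"):
            found.append((parse_ts(m.group(1)), m.group(3)))
    return found


def burst_senders(submissions, window_s=60, threshold=100):
    """Map sender -> peak message count in any sliding window of window_s
    seconds, for senders whose peak reaches threshold (assumed tuning)."""
    times_by_sender = defaultdict(list)
    for ts, sender in submissions:
        times_by_sender[sender].append(ts)
    flagged = {}
    for sender, times in times_by_sender.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[sender] = peak
    return flagged


def sample_log():
    """Constructed log: two billing mails an hour apart, one remote message,
    and one account firing 120 messages in 40 seconds via localhost."""
    lines = []
    base = datetime(LOG_YEAR, 3, 21, 9, 57, 0)

    def emit(n, offset_s, sender, client="localhost[127.0.0.1]"):
        stamp = (base + timedelta(seconds=offset_s)).strftime("%b %d %H:%M:%S")
        qid = f"Q{n:05X}"
        lines.append(f"{stamp} web1 postfix/smtpd[2301]: {qid}: client={client}")
        lines.append(f"{stamp} web1 postfix/qmgr[2210]: {qid}: "
                     f"from=<{sender}>, size=1203, nrcpt=1 (queue active)")

    emit(1, 0, "billing@hosting.example")
    emit(2, 3600, "billing@hosting.example")
    emit(3, 100, "someone@remote.example", client="mail.remote.example[203.0.113.7]")
    for i in range(120):
        emit(100 + i, 200 + i // 3, "promo@cust.example")
    return lines


def check(lines=None):
    """Run the detector over a log (the constructed sample by default)."""
    return burst_senders(localhost_submissions(sample_log() if lines is None else lines))


if __name__ == "__main__":
    for sender, peak in check().items():
        print(f"burst: {sender} sent {peak} messages within 60s from localhost")
```

On the constructed sample only promo@cust.example is reported; the billing account's two messages are an hour apart and the remote client never enters the localhost tally. Joining on the queue id matters because the sender address alone is exactly what a spammer on the box can forge, while the smtpd client line records where the connection actually came from.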

Post #20, 03-21-2005, 06:12 PM
Fisherman (HD Amateur; joined Jan 2005; Australia; 73 posts)
I'd recommend Whois.Cart or PHPCorn if you're seeking cheap billing systems. Never having used any, I can't really comment on the quality of these systems. I'd also recommend ClientExec if you're willing to spend a little more. It's definitely worth the money.

Post #21, 03-21-2005, 06:18 PM
TonyB (HD Amateur; joined Mar 2005; 58 posts)
True, but most web hosts also host their website on a totally separate server, so the SMTP having to be open isn't a big deal at all.

Post #22, 03-21-2005, 06:46 PM
ANMMark (HD Community Advisor; joined Sep 2004; Pennsylvania; 1,580 posts)
Quote:
most web hosts also host their website on a totally separate server
Absolutely not true.

In fact many of the hosts in the game today, are children with reseller accounts.

Post #23, 03-21-2005, 08:25 PM
Fisherman (HD Amateur; joined Jan 2005; Australia; 73 posts)
I couldn't have put it better Mark.

Quote:
Originally Posted by ANMMark
Absolutely not true.

In fact many of the hosts in the game today, are children with reseller accounts.