Skip to main content
BoxTrapper is cPanel’s strictest anti-spam tool. Instead of scoring messages and trusting the score, it requires every sender you’ve never heard from to verify they’re a real person before any of their mail reaches you. Verified senders are added to a whitelist and pass through automatically afterward. The trade-off is brutal but effective: zero spam from unverified senders, but real senders sometimes give up before completing the challenge. Open it from cPanel home → EmailBoxTrapper.
BoxTrapper page with mailboxes and Enable/Manage buttons

How it works

When mail arrives at a BoxTrapper-enabled mailbox from an address that’s not on your allowlist:
1

Hold the message

BoxTrapper queues the original message instead of delivering it. The sender doesn’t know yet that anything has happened.
2

Send a challenge

BoxTrapper auto-replies to the sender with a verification email. The challenge says something like “your message is being held; reply or click this link to verify you’re a real person”.
3

Wait for verification

The sender either replies (or clicks the link in the challenge), or doesn’t.
4

On verification

If the sender verifies, they’re added to your allowlist permanently. The original held message is released to your inbox. Every future message from them flows straight through, no challenge.
5

On no response

If the sender ignores the challenge (or never sees it), the original message stays held. After the queue retention window (default 14 days), the held message is discarded. The sender never reaches you.

When to use BoxTrapper (and when not to)

Good fit:
  • Personal mailboxes where you only correspond with a known, finite set of people.
  • Addresses being abused by spam beyond what SpamAssassin can handle, where you’d rather miss some legitimate mail than wade through spam.
  • High-value individual mailboxes (e.g. your personal you@yourdomain.com) used for one-on-one human correspondence.
Bad fit (don’t enable):
  • info@, support@, sales@, or any address customers email cold. They won’t complete the challenge; you lose business.
  • Mailboxes that receive automated mail (newsletters, monitoring alerts, e-commerce notifications). These senders are noreply addresses that can’t verify.
  • Mailing list subscriptions. Messages from list servers fail challenges.
  • Any mailbox where missing one real sender is worse than receiving some spam.
For most addresses, Spam Filters (SpamAssassin) is the better choice. BoxTrapper is the nuclear option.

Enable BoxTrapper on a mailbox

1

Pick the mailbox

On the BoxTrapper page, click Manage next to the address you want to enable.
2

Click the BoxTrapper toggle

Top of the per-mailbox page. Set to On. BoxTrapper starts intercepting unknown senders immediately.
3

Configure the basics

Most defaults are fine for the first run. Things you might tune:
  • Queue time — how long held messages wait for verification (default 14 days).
  • Whitelist subject prefix — prefix added to verified messages.
  • Verification message — the auto-reply senders see. Customize the wording so it doesn’t look like spam itself.
4

Pre-populate the allowlist

If you know addresses you want never challenged (your team, business partners, family), add them upfront under Edit Allow List. They’ll skip the challenge entirely.

The four lists

BoxTrapper uses four lists per mailbox:
Senders that bypass BoxTrapper entirely. Their mail flows straight through, no challenge.Pre-populate with known contacts. New senders get added automatically when they verify a challenge.
Senders that are silently dropped without challenge. Useful for known spammers.
Senders whose challenges never get sent. Their mail is held and eventually discarded, but BoxTrapper doesn’t bother them with a verification email. Use for noreply addresses or known automated systems where the challenge would just bounce.
Built from the From addresses in your Sent folder. BoxTrapper assumes anyone you’ve emailed is a real person. Enabled by default.Important: this is why BoxTrapper “starts working” the more you use it. Initial setup is rough; over time the auto-whitelist grows and challenges become rare.

Review the queue

Held messages awaiting verification with manual deliver and whitelist actions
The held messages live in a queue you can review. Click Review Queue for a mailbox to see:
  • Messages currently held awaiting verification
  • The challenge sent to each sender and whether it was answered
  • Manual actions: deliver this message anyway, whitelist this sender immediately, blocklist this sender
This is where you check whether a real sender’s message is stuck waiting and rescue it manually.

Tips

  • Customize the challenge wording. The default verification message is generic and looks suspicious. Add your name and a sentence explaining what’s happening so senders trust the challenge. Custom messages live under Edit Configuration → Verification Message.
  • Combine with auto-whitelist from Sent. It’s the difference between BoxTrapper being usable and unusable. Verify it’s enabled.
  • Check the queue weekly during the first month. You’ll catch real senders whose messages are stuck and learn which patterns to allowlist.
  • BoxTrapper plus mailing lists doesn’t work. If you’re subscribed to lists, either disable BoxTrapper on that mailbox or add every list sender to the allowlist manually.

Disable cleanly

To turn BoxTrapper off:
1

Manage the mailbox

BoxTrapper page → Manage on the address.
2

Toggle off

Set BoxTrapper to Off. Existing held messages remain in the queue; you can review and release them, or discard.
3

Optional: clear the queue

If you don’t want stale held mail accumulating, empty the queue manually before turning BoxTrapper off.

Need a hand?