Spam Issues

RoCkFoRdGuN

I hope someone can push me in the right direction.
I have a hosted domain with A2hosting and about a month ago I started sending out some kind of mail that looks like it's from me but with some zip file attached, I guess a virus or trojan. I contacted the hosting company and was told to change the password, so I did. But then about a week ago I started getting thousands of bounce backs and I knew there was a bigger issue. Contacted them again and their answer was change the password. So I started doing some tests myself and found out that when I suspend my outgoing mails the issue stops, but as soon as I reactivate it starts again. I went back to them, gave them the findings and they told me there's malicious code on my WordPress, I need to update and find the code. So I went in, checked everything, got some funny time stamps, deleted those, but the issue still went on.

Last night I scanned the site using the Quttera scanner.
Added a mail log system which picked up nothing, so I thought my side is clean.
But the hosting company still went on it's my side.

So today I had enough, took down the website, scanned locally with Composer using another malware scanner.
There is no malicious code. So my mail issue should be sorted.
NOPE, still there. I dunno where's the origin and my hosting company knows less than me.

Is there any way I can somehow trace back to where a mail script is running or something, cause I'm out of ideas.
The mail headers have different IPs so I can't even go and block an IP, but this is coming from my email somehow.

* I don't have the account on my machine, I deleted it.
* Website down
* Scanned my PC as well

Anyone know where I can start?
 
Was your WordPress site sending mail via PHP or SMTP?

For SMTP you'd need to change that mail account's password. Bounce backs & spam will likely be heightened for a week or so.

For PHP, if it's sending mail when WordPress is offline / public_html is empty likely there's an issue lurking in the home directory i.e. a level above public_html.

Note: WordPress being in maintenance mode won't necessarily stop PHP mail from sending.

Naturally you need backups on & offline prior to tampering with anything.

Additional Note: Should it be SMTP based mail, the account is one you use to send manual mail from your devices, you've changed the password, WordPress SMTP is not yet updated & mail is still being sent via SMTP. One of your devices is likely compromised.

Check "Track Delivery" under the "Email" category of cPanel, think that's what A2 uses. There should be a 10 day history available.
 
I'd suggest in addition to the prior: change the control panel password, FTP password (if username different to control panel) & WebDAV (if configured). Naturally don't mail these passwords to yourself / any accounts on this hosting plan.
 
For the "Track Delivery" one would be interested in which referenced email account mail was sent from during composed period. The way this is presented will vary depending on mail sending implementation i.e. php or smtp. Check the details for further information.
 
Hi Z

I actually had a look yesterday, I can't find Track Delivery on their cPanel.
I suspended the outgoing mail side for the mail address again. You don't think a person can run a command in the terminal to check if there is activity on that address?

WordPress I suppose sent through PHP cause I never added an SMTP, it just went. But the funny thing is I redid the site last year but I never added an email address to the contact form. So it never worked.
And for WordPress I deleted the whole directory, it's sitting on my local machine only.

Mail account password was changed to higher encryption.
Login details changed on FTP and cPanel login.
 
On a default level PHP Mail will send via "sender" [email protected] & the configuration or non configuration of a contact form would neither allow or prevent PHP mail.

I'm not aware of a method to disable PHP Mail from a "disable outgoing mail" perspective as it's not sending from a mail account per se.

You'd need to open a ticket with your hosting company & ask them for a txt output of the maillog for your account for the last 10 days for reference purposes, as you'd need root access for the maillogs if "Track Delivery" is not part of the feature list.

If the issue has been isolated to PHP Mail i.e. not a physical mailbox then you'd need to determine if there is still mail going out while you have the site on local storage. For this you will need those maillogs, if there is no suspect activity since the site has been locally stored then it's likely something in public_html is / was the cause.

If you add the below where x.x.x.x is your accessing public IP address to your .htaccess file in public_html it will prevent anyone aside from your IP from accessing the site while you fix whatever is going on.

# Apache 2.2 syntax (mod_authz_host): deny everyone, then allow only your IP
order deny,allow
deny from all
allow from x.x.x.x
# On Apache 2.4 the equivalent single directive is:
# Require ip x.x.x.x

It may be wise to change the WordPress username from "Admin", if it is that, to something less obvious; additionally the WordPress wp-admin URL should be altered with 2FA enabled.

I'd suggest you limit access to your public IP & run a WordFence scan as this seems like the easiest action currently as nothing has been presented in your other scans & see what it comes up with.

Additionally:
One could add "disable_functions = mail" to your php.ini, thereby only allowing SMTP mail to be sent. It may be populated with "disable_functions =" already, in which case you can just search for that directive & amend.

That would at least stop php mail from being sent assuming that there is an issue lurking in the archived WordPress site.

Note: If you disable PHP mail & do not have SMTP configured in WordPress & you request a password reset from wp-admin don't be surprised if you don't receive an email.
 
Isn't it easier to make backups and rebuild the site with new passwords everywhere than to try and track down where the issue is?
 
Guess that depends on the of the site, if you want to know what went wrong.....

In the time it took to type that, all those actions could have been done, so guess it depends on the individual preference / capabilities or desire to go in whichever direction, as it sounds like they are the only party managing their stuff & asking a question here seems to indicate they are looking for information as opposed to requesting paid technical support / assistance.
 
But what if this issue is not in the site itself, cause I have deleted everything so technically the issue would have been deleted?
Z, I have been struggling since the 23rd of April on this. If you go look at my ticket I swear half these okes just copy paste k@k over and over. I don't even think they know how to pull mail logs.

Funny thing is tho, like I said, I installed a mail log on WordPress and there are no outgoing mails through the WordPress site.

I can access a Linux terminal in cPanel but I'm dumb on Linux.
I have checked $ var/log
But it's empty so I dunno if I don't have proper permissions.
 
I can redo the site easy, but it doesn't seem to be linked to the site and that's what's worrying me: my clients are receiving mails from me with some zip file and I need to find out where this is coming from.
 
Guess that depends on the of the site, if you want to know what went wrong.....

In the time it took to type that, all those actions could have been done, so guess it depends on the individual preference / capabilities or desire to go in whichever direction, as it sounds like they are the only party managing their stuff & asking a question here seems to indicate they are looking for information as opposed to requesting paid technical support / assistance.

These attacks are normally multifaceted so it's easier and safer to just start from scratch and you can 100% guarantee you got all the scripts and backdoors they added. I get the for interest's sake, but OP looks like he just wants the issue resolved. But I'm getting off topic here.
 
I can redo the site easy, but it doesn't seem to be linked to the site and that's what's worrying me: my clients are receiving mails from me with some zip file and I need to find out where this is coming from.

If you can 100% eliminate the site then you can move on to the next suspicious item. WordPress is renowned for these issues though, so there's a good chance that's where the issue lies.
 
I wish I knew what's my next step. I wish it was the website, then I could have sorted the issue out myself.
 
If your clients are receiving mail from your email address when the site was down then it would likely not be a PHP Mail issue & one of your physical email accounts was compromised assuming of course the header of the mail they received indicates the sender is actually from your address & not just a wrapped from address.

If you start the site again, use WordFence to at least identify vulnerable plugins that you may install again however as B-1 says the origin would at least need to be determined in a general manner.

If they can't send you maillogs, that would be sub par & I'd ask them to escalate the ticket or advise as to why they cannot.
 
I did a scan yesterday with Wordfence and got no issues and this is the thing rattling my brain.
I installed MailWasher to see the mails before they get to me.
The IP that's on there changes every day and it's from different countries so I can't even block the IP.
It's just the one email address.
 
Personally I would suggest finding out if SPAM is still going out from the hosting account whilst the site has been down.

Determine from the maillog if SPAM mail was going out from the PHP Mail Username "Sender" or a physical mailbox.

Take your client's email address (assuming that mail from you to them was received in the last 10 days) & ask them to search for mail outgoing from your hosting account to the client's email address. There may be older logs on rotate, however I'm not sure they will get those for you.

The above addresses the SPAM outgoing concern & hopefully it is resolved & should mail not have gone from your hosting account to that particular client then likely it's just a wrapped "from" address with your email address inserted on that occasion.

If resolved then your updated A2 & cPanel passwords may have assisted & you may or may not have a remaining WordPress concern.

If all is well then create a backup of your hosting account & based on above outcomes determine the route for WordPress; rebuild or potentially troubleshoot. If it was determined that SPAM mail was outgoing from your physical mailbox (and you updated the password) & not the PHP Mail username "Sender" you might be all good in terms of WordPress.

In terms of your incoming SPAM I'd view that as a separate issue which may dwindle in a week or so & if not you'd need to adjust SPAM filters level, create rules or implement a 3rd party SPAM filter to clean out the junk.
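As an added example (not code from any poster in this thread, and not A2's tooling): a small Python script that does, on sample log lines, the sorting Z describes above and in the earlier maillog post. It splits the "<=" arrival lines into mail submitted by a local process under the hosting username (which is what PHP mail() from a web script looks like) versus mail submitted over authenticated SMTP from a mailbox login, and reports which origin a message delivered to a given client's address came from. The log shape is a constructed approximation of a cPanel/Exim mainlog, an assumption about the format; the usernames, addresses and message IDs are made up, and 203.0.113.x / 198.51.100.x are documentation IP ranges.

```python
import re
from collections import Counter

# Constructed lines in the shape of a cPanel/Exim mainlog (an assumption about
# the format; none of these are the poster's real log entries).
#   "<=" = message accepted by the server, "=>" = delivered to a recipient.
#   U=... P=local   -> submitted by a local process under that hosting user,
#                      which is what PHP mail() from a web script produces
#   P=esmtpsa A=... -> submitted over SMTP with a mailbox login (the physical
#                      mailbox case; a changed mailbox password should stop it)
SAMPLE_LOG = """\
2019-05-01 08:12:01 1hLx1a-0004Qz-2b <= me@example.co.za U=exampleuser P=local S=48211 T="Invoice attached"
2019-05-01 08:12:03 1hLx1a-0004Qz-2b => client1@clientdomain.test R=lookuphost T=remote_smtp
2019-05-01 08:13:40 1hLx2z-0004R1-7c <= me@example.co.za H=(mail.host) [203.0.113.45] P=esmtpsa A=dovecot_login:me@example.co.za S=2310 T="Re: quote"
2019-05-01 08:15:10 1hLx4q-0004R9-0d <= me@example.co.za U=exampleuser P=local S=48240 T="Invoice attached"
2019-05-01 08:15:11 1hLx4q-0004R9-0d => client2@clientdomain.test R=lookuphost T=remote_smtp
2019-05-01 08:16:02 1hLx5r-0004RC-1e <= me@example.co.za H=(unknown) [198.51.100.7] P=esmtpsa A=dovecot_login:me@example.co.za S=48199 T="Invoice attached"
"""

ARRIVAL = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")
DELIVERY = re.compile(r"^\S+ \S+ (?P<id>\S+) => (?P<rcpt>\S+)")
SUBJECT = re.compile(r'T="([^"]*)"')


def classify_origin(rest):
    """Return (origin, principal) for the fields after the sender on a '<=' line."""
    auth = re.search(r"A=(\S+)", rest)
    if auth:                                   # mailbox login over SMTP
        return "smtp-auth", auth.group(1)
    user = re.search(r"U=(\S+)", rest)
    if user and "P=local" in rest:             # local script under the hosting user
        return "local-script", user.group(1)
    return "other", None                       # e.g. inbound/relayed, not ours


def parse_arrivals(log_text):
    """Map message id -> sender, origin, principal and subject."""
    arrivals = {}
    for line in log_text.splitlines():
        m = ARRIVAL.match(line)
        if not m:
            continue
        origin, principal = classify_origin(m.group("rest"))
        subj = SUBJECT.search(m.group("rest"))
        arrivals[m.group("id")] = {
            "sender": m.group("sender"), "origin": origin,
            "principal": principal, "subject": subj.group(1) if subj else "",
        }
    return arrivals


def count_by_origin(log_text):
    """How many messages were accepted per (origin, principal)."""
    counts = Counter()
    for info in parse_arrivals(log_text).values():
        counts[(info["origin"], info["principal"])] += 1
    return counts


def deliveries_to(log_text, rcpt):
    """Messages delivered to one recipient, each with the origin it was
    accepted from: the check Z suggests doing against a client's address."""
    arrivals = parse_arrivals(log_text)
    hits = []
    for line in log_text.splitlines():
        m = DELIVERY.match(line)
        if m and m.group("rcpt").lower() == rcpt.lower():
            info = arrivals.get(m.group("id"), {})
            hits.append((m.group("id"), info.get("origin", "unknown")))
    return hits


if __name__ == "__main__":
    for key, n in count_by_origin(SAMPLE_LOG).items():
        print(key, n)
    print(deliveries_to(SAMPLE_LOG, "client1@clientdomain.test"))
```

In practice you would paste the maillog text the host sends you into SAMPLE_LOG (or read it from a file) and look at the two counters: a non-zero "local-script" count while the site is offline points at something outside public_html, while only "smtp-auth" entries point at a mailbox or a device using it.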
 
Bear in mind that ANYONE can forge a "FROM" address in the SMTP protocol. It's perfectly possible that someone is sending out spam using your email address and it has absolutely nothing to do with you, your hosting provider, or your website. There is nothing you can do about it except to implement SPF and DKIM authentication on your email domain so that email servers can see that the spam is not really coming from you.
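To make the SPF point above concrete, here is an added example (not from the poster): a minimal Python evaluator for the ip4 / ip6 / all mechanisms of an SPF TXT record, showing why a message with your address forged in the From line fails when it is sent from an IP your record does not list. The record, domain and addresses are constructed (203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges); mechanisms that need DNS lookups (include, a, mx, exists) are deliberately not handled.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not anyone's real mail servers.
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/24 -all"

# RFC 7208 qualifiers; a mechanism with no qualifier means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sending_ip):
    """Evaluate the ip4 / ip6 / all mechanisms of one SPF record against the
    IP that connected to the receiving mail server.

    Returns one of: pass, fail, softfail, neutral, none.
    Simplification: include:, a, mx and exists: need DNS and raise
    NotImplementedError here instead of being resolved.
    """
    if not record.lower().startswith("v=spf1"):
        return "none"                      # domain publishes no SPF policy
    ip = ipaddress.ip_address(sending_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # Catch-all term; "-all" is what makes a forged sender fail.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue                       # no match, try the next term
        raise NotImplementedError(f"mechanism {name!r} needs DNS resolution")
    return "neutral"                       # nothing matched and no "all" term


def explain(record, sending_ip, header_from):
    """One-line verdict a receiver might log for a message claiming to be
    from `header_from` but delivered from `sending_ip`."""
    return f"{header_from} from {sending_ip}: spf={evaluate_spf(record, sending_ip)}"


if __name__ == "__main__":
    print(explain(EXAMPLE_SPF, "203.0.113.10", "me@example.co.za"))  # pass
    print(explain(EXAMPLE_SPF, "192.0.2.77", "me@example.co.za"))    # fail
```

The "-all" at the end is the part that matters for the forged-From case: with it, a receiver that checks SPF can reject or junk mail carrying your address from any IP not in the record. DKIM and a DMARC policy add the signature check and tell receivers what to do on failure, which the evaluator above does not cover.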
 