Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » Issues with spamming post updates

  • Resolved supaiku

    (@supaiku)


    Sucuri is email spamming me with post updates like this all the time.

    This must be a bug, it’s crippling MySQL. My site may be under a sort of login brute force, but it seems like this status update is superfluous, no? There are no actual posts.

    I have also noticed on another site it is actually creating real posts with Sucuri update notices in it. Is that normal behavior?

    Date: 2017-06-28 04:19:45
    Subject: Sucuri Alert, http://www.example.com, Post Update
    Event: Post Update
    Website: http://www.example.com
    RemoveAddr: 201.20.82.141
    Date/Time: June 28, 2017 4:19 am

    Message: Postman_sent_mail status has been changed; details: ID: 13938,Old status: new,New status: private,Title: Sucuri Alert, http://www.example.com, Post Update

Viewing 15 replies - 1 through 15 (of 31 total)
  • We are experiencing the same email spamming post updates from Sucuri since yesterday!
    The sudden large increase in Sucuri notification emails even caused our hosting to currently suspend our mail.
    We also suspected it to be a bug or something due to recent Sucuri plugin change.
    Please advise.

    this update only to tick ‘Notify me of follow-up replies via email’

    I have the same problem with 4 sites and had to deactivate the sucuri-scanner. They are all hosted on the same host where I have to use “Postman SMTP” to send mails. On other hosts I don’t have the problem. Maybe this helps?
    greetings, martin

    I also used Postman SMTP on all the concerned sites but always with the same sending email address. Due to sudden increase of Sucuri notifications on a few sites the combined amount of messages on one day (+6000!) triggered hosting email suspension. I’m now migrating to sending with different addresses on each site and using WP-SES instead of hosting email. Loved using Postman SMTP though.

    Add me to the list. I’m having the same issue in the last 24 hours. Urgh! Hope we can find a solution soon.

    I get two versions of notifications on multiple sites:

    e.g.
    Message: Jp_sitemap_master status has been changed; details: ID: 472,Old status: draft,New status: draft,Title: sitemap.xml

    Message: Jp_img_sitemap status has been changed; details: ID: 471,Old status: draft,New status: draft,Title: image-sitemap-1.xml

    Thank you for the report.

    This seems, indeed, like a false positive in the sense that the post doesn’t seem to be modified at all, the old status was “draft” and the new one is “draft”. The plugin is designed to detect any modifications in the posts, no matter how insignificant they are, maybe the details in the message that you received are missing the part that was modified.

    We just released version 1.8.7 which includes multiple bug fixes, one of them addresses this, the plugin will ignore changes where the old status is the same as the new one. We will eventually improve the detection of post updates in future versions of the code.

    I will mark this as resolved, please install the new version which includes the fix. If you notice the same issue with version 1.8.7 please re-open the ticket so I can investigate more.

    same here postmanSMTP, jetpack and sucuri.

    Hello everyone. We released version 1.8.7 a couple of minutes ago with multiple patches to fix issues reported by the community. One of those patches addresses this issue as you can see in this commit [1] so from now on, the plugin will stop reporting changes in the posts when the old status is the same as the new status.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/c22cea2#diff-4ce5a29e1ad2ae18118fee2a2cb99462

    I made the update to 1.8.7 and activated the plugin. The notices began in the same moment. Messages in order of experience:

    MESSAGE:
    Plugin activated: Sucuri Security – Auditing, Malware Scanner and Hardening (v1.8.7; sucuri-scanner/sucuri.php)

    MESSAGE:
    Postman_sent_mail status has been changed; details: ID: 2170,Old status: new,New status: private,Title: SucuriAlert, plantregio.net, Emailsubject.plugin_activated

    MESSAGE:
    Postman_sent_mail status has been changed; details: ID: 2171,Old status: new,New status: private,Title: SucuriAlert, plantregio.net, Emailsubject.post_update

    MESSAGE:
    Postman_sent_mail status has been changed; details: ID: 2172,Old status: new,New status: private,Title: SucuriAlert, plantregio.net, Emailsubject.post_update

    MESSAGE:
    Postman_sent_mail status has been changed; details: ID: 2173,Old status: new,New status: private,Title: SucuriAlert, plantregio.net, Emailsubject.post_update

    (…)

    In Sucuri you can stop Post-Type Alerts for Postman Sent Mail.
    That’s what we did (temporary?) on sites with sudden explosive increase of alerts.
    We had 6K+ more notifications per day recently!
    We don’t see any pattern in the sites having this increase and those that don’t have.

    Hello everyone. I have implemented an option to allow you to disable the email alerts for specific post transitions, so you can force the plugin to stop sending the alerts when the post status changes from “draft” to “publish”, from “private” to “trash”, etc.

    Here is the commit [1] it hasn’t been merged to upstream but you are free to download the alpha version of the code from here [2]. You can find the option in the “Post-Type Alerts” section of the “Alerts” panel in the plugin’s settings page. Notice that the plugin will keep reporting these changes to the API for security reasons, you will just not receive the email alerts.

    I will mark this as resolved, feel free to re-open if you need more information.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/1699714
    [2] https://github.com/cixtor/sucuri-wordpress-plugin/archive/master.zip

    I still don’t understand why it’s sending alerts in our case. I updated to WP 4.8 and then updated all plugins today on a test server. There is no activity other than me on this server. I did one test CF7 form submission which uses Postman and then it started generating alerts. We had that test server set up to send through our live email server at the time to test it’s working and our email has consequently been suspended by our host. Not good.

    I’ve disabled Sucuri and Postman on the dev server but of course I have a queue of emails now arriving every few seconds. The only thing which is different in them is the ID. None of the status etc that you mention has changed. Is Sucuri generating alerts about its own emails?

    I have not tried your Alpha code (at this point I’d rather deactivate and wait until there’s a released update). I can’t see how I could change a setting to stop the behaviour I’m seeing.

    Is this really resolved?

    @stuartb3502 — the issue is resolved in the alpha version of the code as you can see here [1] the problem with Postman-SMTP was resolved with this [2] and a new option to control which post updates will be alerted and which one will not was added here [3]. You can wait until the next release as you said, but be aware that it will take several days before that happens, feel free to install the alpha version of the code from here [4] if you need an immediate fix.

    [1] https://github.com/cixtor/sucuri-wordpress-plugin/commit/c22cea2#diff-4ce5a29e1ad2ae18118fee2a2cb99462
    [2] https://github.com/cixtor/sucuri-wordpress-plugin/commit/350c074
    [3] https://github.com/cixtor/sucuri-wordpress-plugin/commit/1699714
    [4] https://github.com/cixtor/sucuri-wordpress-plugin

    We experienced exactly the same behavior and think it’s a specific conflict between Postman and Sucuri. We tried the Alpha code but since it’s focused on filtering and not limiting the spammy notifications don’t think that’s the best solution. We stopped using Postman and migrated all our sites to using WP-SMTP-Mail instead. We have not seen any problems anymore since migration.
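
An added example, not part of the thread or of the plugin's code: it parses the alert bodies quoted above and shows why ignoring same-status transitions (the 1.8.7 change) stops the `draft` to `draft` sitemap alerts but not the `Postman_sent_mail` ones, which go `new` to `private`. The names `classify` and `simulate_loop` are hypothetical, and the loop model (every alert email is stored as a mail-log post, which raises the next alert) is an assumption inferred from the quoted alert titles.

```python
import re

# Alert bodies copied from the posts in this thread.
SAMPLE_ALERTS = [
    "Jp_sitemap_master status has been changed; details: ID: 472,"
    "Old status: draft,New status: draft,Title: sitemap.xml",
    "Postman_sent_mail status has been changed; details: ID: 2170,"
    "Old status: new,New status: private,"
    "Title: SucuriAlert, plantregio.net, Emailsubject.plugin_activated",
    "Postman_sent_mail status has been changed; details: ID: 2171,"
    "Old status: new,New status: private,"
    "Title: SucuriAlert, plantregio.net, Emailsubject.post_update",
]

ALERT_RE = re.compile(
    r"(?P<post_type>\w+) status has been changed; details: ID: (?P<id>\d+),"
    r"Old status: (?P<old>[^,]+),New status: (?P<new>[^,]+),Title: (?P<title>.*)"
)

def classify(line, mail_log_types=("postman_sent_mail",)):
    """Return 'no-op', 'self-triggered', 'real' or 'unparsed' for one alert body."""
    m = ALERT_RE.fullmatch(line.strip())
    if m is None:
        return "unparsed"
    if m["old"] == m["new"]:
        return "no-op"            # the case the 1.8.7 fix ignores
    is_mail_log = m["post_type"].lower() in mail_log_types
    if is_mail_log and re.match(r"sucuri\s*alert", m["title"], re.I):
        return "self-triggered"   # a logged copy of an earlier alert email
    return "real"

def simulate_loop(suppress, limit=1000):
    """Count alert emails caused by ONE real event when every sent email is
    logged as a mail-log post going new -> private (assumed model)."""
    sent, pending = 0, ["real"]
    while pending and sent < limit:
        pending.pop()
        sent += 1                  # the alert email goes out ...
        logged = SAMPLE_ALERTS[2]  # ... and is stored as a mail-log post
        kind = classify(logged)
        if kind not in suppress:   # not filtered: it raises another alert
            pending.append(kind)
    return sent
```

With only `"no-op"` suppressed the simulation runs until `limit`; adding `"self-triggered"` to the suppressed set leaves the single original alert.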

  • The topic ‘Issues with spamming post updates’ is closed to new replies.