I host a number of customers through a business of ours. Within the last 2 days I found what I believe to be WordPress being used to send spam emails. I have used the MailHeaders addon and a few others to track down this spam and it always comes up leading to the main domain as such:
Sun Jan 29 17:58:09 CST 2012 - /home/username1/public_html/domain1.com - username1 x 551 549 /home/username1 /usr/local/cpanel/bin/noshell
Sun Jan 29 17:58:42 CST 2012 - /home/username2/public_html/domain2.com - username2 x 583 581 /home/username2 /usr/local/cpanel/bin/noshell
X-PHP-Script: http://www.domain1.com/index.php for (ip address)
Delivery-date: Sun, 29 Jan 2012 16:59:12 -0600
Received: from mailnull by servername.com with local (Exim 4.69)
for email@example.com; Sun, 29 Jan 2012 16:59:12 -0600
From: Mail Delivery System <Mailer-Daemon@servername.com>
Subject: Mail delivery failed: returning message to sender
Date: Sun, 29 Jan 2012 16:59:12 -0600
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:
Domain domain has exceeded the max emails per hour (200) allowed. Message discarded.
------ This is a copy of the message, including all the headers. ------
Received: from username by servername.com with local (Exim 4.69)
for firstname.lastname@example.org; Sun, 29 Jan 2012 16:59:11 -0600
X-PHP-Script: http://www.domain.com/index.php for ip address
Date: Sun, 29 Jan 2012 16:59:11 -0600
I cannot catch these emails as they all seem to be sent to the same email address for some reason and thus they are going through until they hit the 200 emails per hour limit.
I am hoping someone will have some insight into this. This is happening with 2 different domains, both running WordPress and different plugins. If I rename the folder of the addon domain on one of these accounts that the email is generating from, the spam emails stop completely. If I put the correct name of the folder back, the emails begin again.
I have checked for mailing plugins and only one of the sites is running one, and disabling it has no effect. So I am at a total loss here as to where these are generating from, but from the looks of things, they are coming from WordPress itself.
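The bounces quoted above carry everything needed to pin the spam on a script and a cPanel account: Exim's local `Received:` line names the Unix user the message was submitted as, and PHP's `X-PHP-Script:` header names the script URL and the client IP that triggered it. The following script is an added example, not code from the original post or from cPanel/Exim: it parses a batch of bounce messages in the shape shown above (the copy-of-message marker line is taken verbatim from the post; the hostnames, users, IPs and timestamps are constructed), skips the outer bounce headers generated by `mailnull`, and reports any (account, script) pair that crossed the per-hour limit. Run it against a mailbox of collected bounces, or over the original headers recovered from Exim's spool, to see which file under `public_html` to look at first.

```python
"""Attribute PHP-originated spam to the script and cPanel account that sent it.

Added example: parses Exim bounce messages like the ones in the post, pulls the
submitting user from the local Received: line and the script from X-PHP-Script:,
then counts sends per (user, script) per clock hour.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime
from urllib.parse import urlparse

# Literal marker Exim puts before the copy of the undeliverable message (from the post).
BOUNCE_COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"
# "Received: from <user> by <host> with local" -- the user is the cPanel account.
RECEIVED_LOCAL = re.compile(r"from\s+(\S+)\s+by\s+(\S+)\s+with\s+local", re.I)
# "X-PHP-Script: <url> for <ip>" as added by PHP's mail() on cPanel hosts.
PHP_SCRIPT = re.compile(r"^(?P<url>\S+)\s+for\s+(?P<ip>\S+)")


def original_headers(raw):
    """Return the embedded original message if `raw` is a bounce, else `raw` itself."""
    if BOUNCE_COPY_MARKER in raw:
        raw = raw.split(BOUNCE_COPY_MARKER, 1)[1]
    return raw.lstrip("\n")


def attribute(raw):
    """Map one message (bounce or original) to the account/script/IP/time that sent it."""
    msg = message_from_string(original_headers(raw))
    rec = {"user": None, "host": None, "path": None, "ip": None, "when": None}
    for received in msg.get_all("Received", []):
        m = RECEIVED_LOCAL.search(" ".join(received.split()))
        # 'mailnull' is Exim's own bounce generator, not a customer account.
        if m and m.group(1).lower() != "mailnull":
            rec["user"], rec["host"] = m.group(1), m.group(2)
            break
    m = PHP_SCRIPT.match(msg.get("X-PHP-Script", "").strip())
    if m:
        url = urlparse(m.group("url"))
        rec["path"] = url.netloc + url.path
        rec["ip"] = m.group("ip")
    if msg.get("Date"):
        rec["when"] = parsedate_to_datetime(msg["Date"])
    return rec


def hourly_counts(records):
    """Count sends per (user, script path, 'YYYY-MM-DD HH') bucket."""
    counts = defaultdict(int)
    for r in records:
        if r["path"] and r["when"]:
            counts[(r["user"], r["path"], r["when"].strftime("%Y-%m-%d %H"))] += 1
    return dict(counts)


def offenders(records, per_hour=200):
    """(user, script) pairs that hit the hourly limit in any single hour (cPanel default 200)."""
    return sorted({(u, p) for (u, p, _), n in hourly_counts(records).items() if n >= per_hour})


def make_bounce(user, host, url, ip, when):
    """Constructed bounce in the shape cPanel/Exim produced in the original report."""
    stamp = when.strftime("%a, %d %b %Y %H:%M:%S") + " -0600"
    return (
        f"Received: from mailnull by {host} with local (Exim 4.69)\n"
        f"\tfor email@example.com; {stamp}\n"
        f"From: Mail Delivery System <Mailer-Daemon@{host}>\n"
        "Subject: Mail delivery failed: returning message to sender\n"
        f"Date: {stamp}\n\n"
        "This message was created automatically by mail delivery software.\n"
        f"{BOUNCE_COPY_MARKER}\n\n"
        f"Received: from {user} by {host} with local (Exim 4.69)\n"
        f"\tfor firstname.lastname@example.org; {stamp}\n"
        f"X-PHP-Script: {url} for {ip}\n"
        f"Date: {stamp}\n\nspam body\n"
    )


# Constructed sample: 200 bounces from one site's index.php inside one hour, plus a
# single legitimate-looking send from another account's wp-cron.php.
START = datetime(2012, 1, 29, 16, 50, 0)
SAMPLES = [make_bounce("username1", "servername.com", "http://www.domain1.com/index.php",
                       "203.0.113.7", START + timedelta(seconds=i)) for i in range(200)]
SAMPLES.append(make_bounce("username2", "servername.com", "http://www.domain2.com/wp-cron.php",
                           "198.51.100.9", datetime(2012, 1, 29, 17, 5, 0)))
RECORDS = [attribute(s) for s in SAMPLES]

if __name__ == "__main__":
    for (user, path, hour), n in sorted(hourly_counts(RECORDS).items()):
        print(f"{hour}  {user:<10} {path:<32} {n:>4}")
    print("over limit:", offenders(RECORDS))
```

The script path is the file to inspect (and, if it is `index.php` in a WordPress docroot, the file has almost certainly been modified, since the stock `index.php` does not call `mail()`); the `for <ip>` value is the client that triggered the send, which can be grepped out of the domain's access log for the same second to find the request, usually a POST to a file that should not accept one.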