Possible Spam being sent from WordPress (possible bug) (4 posts)

  1. Marbman21
    Posted 4 years ago #

    I host a number of customers through a business of ours. Within the last 2 days I found what I believe to be WordPress being used to send spam emails. I have used the MailHeaders addon and a few others to track down this spam, and it always comes up leading to the main domain as such:

    Sun Jan 29 17:58:09 CST 2012 - /home/username1/public_html/domain1.com - username1 x 551 549 /home/username1 /usr/local/cpanel/bin/noshell
    Sun Jan 29 17:58:42 CST 2012 - /home/username2/public_html/domain2.com - username2 x 583 581 /home/username2 /usr/local/cpanel/bin/noshell

    X-PHP-Script: http://www.domain1.com/index.php for (ip address)

    Return-path: <>
    Envelope-to: username@servername.com
    Delivery-date: Sun, 29 Jan 2012 16:59:12 -0600
    Received: from mailnull by servername.com with local (Exim 4.69)
    id 1RrdiK-003PjM-38
    for username@servername.com; Sun, 29 Jan 2012 16:59:12 -0600
    X-Failed-Recipients: domainmailbeingsentto@gmail.com
    Auto-Submitted: auto-replied
    From: Mail Delivery System <Mailer-Daemon@servername.com>
    To: username@servername.com
    Subject: Mail delivery failed: returning message to sender
    Message-Id: <E1RrdiK-003PjM-38@servername.com>
    Date: Sun, 29 Jan 2012 16:59:12 -0600

    This message was created automatically by mail delivery software.

    A message that you sent could not be delivered to one or more of its
    recipients. This is a permanent error. The following address(es) failed:

    Domain domain has exceeded the max emails per hour (200) allowed. Message discarded.

    ------ This is a copy of the message, including all the headers. ------

    Return-path: <username@servername.com>
    Received: from username by servername.com with local (Exim 4.69)
    (envelope-from <username@servername.com>)
    id 1RrdiJ-003PjJ-Mj
    for domainmailbeingsentto@gmail.com; Sun, 29 Jan 2012 16:59:11 -0600
    To: domainmailbeingsentto@gmail.com
    Subject: http://www.domain.com
    X-PHP-Script: http://www.domain.com/index.php for ip address
    Message-Id: <E1RrdiJ-003PjJ-Mj@servername.com>
    From: username@servername.com
    Date: Sun, 29 Jan 2012 16:59:11 -0600

    wordpress seo

    I cannot cache these emails as they all seem to be sent to the same email address for some reason and thus they are going through until they hit the 200 email per hour limit.

    I am hoping someone will have some insight into this. This is happening with 2 different domains, but running WordPress and different plugins. If I rename the folder of the addon domain on one of these accounts that email is generating from, the spam emails stop completely. If I replace the correct name of the folder, the emails begin again.

    I have checked for mailing plugins and only one of the sites is running one, and disabling it has no effect. So I am at a total loss here as to where these are generating from, but from the looks of things, they are coming from the WordPress itself.

  2. andreirai
    Posted 4 years ago #

    I have the same problem. SPAM emails are being sent from my WordPress website. My hosting company reported that those spams were sent through these php files:


  3. Sven D.
    Posted 4 years ago #

    @ andreirai

    What does your server log show?
    Are emails sent from a user/hacker?

    If your folders are correct, these files are not a part of WordPress:


    The following file should only be functional if "enable post by email" is on under Settings > Writing


    If you use the latest version of WordPress, maybe you could download a fresh copy and replace those files? http://wordpress.org/download/

  4. Sven D.
    Posted 4 years ago #

    @ Marbman21

    What WordPress files are used to send mail?
    What does your server log show?

    Have you checked for any unknown or modified files that a hacker may have placed on your server?
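
The tracing used in this thread (reading the X-PHP-Script header of the returned message inside each Exim bounce) can be tallied over a whole mailbox of bounces to see which script and client address account for the volume. This is an added example, not part of the original thread; the header layout follows the bounce quoted in the first post, and the sample bounces, host names and addresses are constructed.

```python
import re
from collections import Counter
from email.parser import HeaderParser

# Separator Exim writes before the returned message, as in the bounce quoted above.
COPY_MARKER = re.compile(
    r"^-+ This is a copy of the message, including all the headers\. -+[ \t]*$",
    re.MULTILINE)

def returned_headers(bounce):
    """Headers of the original message embedded in an Exim bounce, or None."""
    m = COPY_MARKER.search(bounce)
    if m is None:
        return None
    return HeaderParser().parsestr(bounce[m.end():].lstrip("\r\n"))

def tally_sources(bounces):
    """Count returned messages per (script, client address) and per recipient."""
    sources, recipients = Counter(), Counter()
    for bounce in bounces:
        hdrs = returned_headers(bounce)
        if hdrs is None:
            continue  # not a bounce carrying a copy of the original message
        # Assumed layout, from the thread: "<script> for <client address>".
        value = hdrs.get("X-PHP-Script") or "(no X-PHP-Script)"
        script, _, client = value.partition(" for ")
        sources[(script.strip(), client.strip())] += 1
        recipients[(hdrs.get("To") or "").strip()] += 1
    return sources, recipients

def _bounce(script, client, rcpt):
    """Build one constructed bounce (placeholder hosts, documentation IP ranges)."""
    return (
        "Subject: Mail delivery failed: returning message to sender\n\n"
        "------ This is a copy of the message, including all the headers. ------\n\n"
        "Received: from user1 by server.example with local (Exim 4.69)\n"
        "\t(envelope-from <user1@server.example>)\n"
        f"To: {rcpt}\nX-PHP-Script: {script} for {client}\n\nwordpress seo\n")

SAMPLE = [
    _bounce("www.site-a.example/index.php", "203.0.113.7", "drop@mail.example"),
    _bounce("www.site-a.example/index.php", "203.0.113.7", "drop@mail.example"),
    _bounce("www.site-b.example/index.php", "198.51.100.9", "drop@mail.example"),
    "Subject: unrelated\n\nno embedded copy here\n",
]
if __name__ == "__main__":
    for (script, client), n in tally_sources(SAMPLE)[0].most_common():
        print(f"{n:4d}  {script}  from {client}")
```

The client address in the top rows is the one to look up in the web server access log for the same timestamps, which answers the "what does your server log show" question asked above.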
