Question

mail issue in logs

Just migrated to DO with a multisite WordPress/WooCommerce and have noticed some issues in my syslog.

“host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)”

I have deleted all users who are spam and have not registered as WooCommerce customers, but my stack is still trying to send out emails to people.

Any ideas what could be causing this?


To the owners, I am 46 years old. My fourth university, I am still studying at YILDIZ TECHNICAL UNIVERSITY Computer Engineering program. My second year in school. You can call by phone or mail to university about me. Last night, 09.05.2020 at 00:05 am, I was surfing the internet. I saw an ad in GITHUB PAGES about the DIGITAL OCEAN (50usd free for the github education users) and I wanted to use this opportunity. When I came into digital ocean it said to me that 100USD is free if I join. I decided to join the site. I did whatever the site (DIGITAL OCEAN) said to me. I gave the CREDIT CARD DETAILS. I gave My PASSPORT picture. THEN FOR THE VALIDATION I used my CAM to send them ONLINE. Then afterwards I gave my telephone (CELLULAR) number and LIVE CONNECTION we established, I gave all the details they wanted from me about me. APPR. 1 hour spent my time but I finished. AFTERWARDS the screen said that THEY DID NOT ACCEPT my APPLICATION. Since 46 years, I did not feel THIS KIND OF IDIOT. It was awful. I am MUSTAFA SENTURK and I am 46 years old and I am UNIVERSITY STUDENT and I am a GITHUB USER and I did everything the DIGITAL OCEAN SITE wanted from me. ALL OF THE THINGS HAPPENED ARE RECORDED. They also record all things happened to me. I WROTE THEM SEVERAL TIMES to answer back to me for apologize but UNFORTUNATELY. They still go back to me. Afterwards never mind, no need to back. THIS IS RACISM. Totally RACISM. And all of my rights are secret and I will go to the international court for this disgusting behaviour.
Mustafa Senturk



I have fully scanned using Wordfence, GOMIS?? and Sucuri and nothing has found anything, yet my mail logs are still sending out spam.

OH DEAR

OK thanks, I will let you know how I get on, and thanks very much for all the information and links. I am currently deep scanning my site with Wordfence and will run at least 3 different plugins on it and see what happens. I have deleted all plugins that I wasn't using and also deleted a few themes that were not being used.

I can't really scan via SSH for changed files as I guess this may have been long-term. I think this because I have only never had access to my mail logs or this is the first time I have had to access them.

I just can't believe that my last host didn't pick up on this.

Cheers

Hey friend,

I would suggest that your website has been compromised and is being used to send out spam. First, you should block outbound email while you look into this. Run this:

for i in 25 587 465; do iptables -I OUTPUT -p tcp --dport $i -j DROP; done

When you’re ready to unblock later, do this:

for i in 25 587 465; do iptables -D OUTPUT -p tcp --dport $i -j DROP; done

Once you have email blocked, make sure not to panic. A compromised WordPress site is so incredibly common that you are among friends. It happens, it’s not your fault, almost everyone who uses it has at some point placed trust in someone who let them down. That could be a plugin developer, a theme developer, or perhaps more rarely just that you never updated the base WordPress. Something was vulnerable and was used to, most likely, upload files to your website that are being used to execute the spam.

There’s no single list of steps that I can give you to resolve it, it’s very relative. What I can do is give you great documentation that can help you to know how to repair it. Check these out:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://sucuri.net/guides/how-to-clean-hacked-wordpress
https://codex.wordpress.org/FAQ_My_site_was_hacked

I think between the three of those articles, you’re going to have all of the information that you need.

Jarland
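
An added example, not part of Jarland's answer: once outbound mail is blocked, the Postfix log itself shows how much mail is being refused and which local account is submitting it. The script below summarises 4xx deferrals per remote MX, lists the affected queue IDs, and counts local submissions by uid from `postfix/pickup` lines. Assumptions: the traditional three-field syslog timestamp, and a constructed sample log modelled on the lines in the question (uid 33 stands in for the web server user, as on Debian/Ubuntu).

```shell
#!/bin/sh
# Constructed sample: the first three lines mirror the log quoted in the
# question; the fourth deferral and both pickup entries are made up.
sample_log() {
cat <<'EOF'
Dec 11 12:24:15 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1 (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1 (in reply to MAIL FROM command)
Dec 11 12:24:17 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 3C1F2407B0: host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1 (in reply to MAIL FROM command)
Dec 11 12:24:18 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[2201]: 9F00D407C1: uid=33 from=<www-data>
Dec 11 12:24:19 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[2201]: A1B2C407C2: uid=33 from=<www-data>
EOF
}

# Count temporary (4xx) rejections per remote mail server, busiest first.
deferrals_by_host() {
  awk '/postfix\/smtp\[/ && / said: 4[0-9][0-9] / {
         for (i = 1; i <= NF; i++) if ($i == "host") { n[$(i+1)]++; break }
       }
       END { for (h in n) print n[h], h }' | sort -k1,1nr -k2
}

# Unique queue IDs of deferred messages (field 6 with syslog timestamps).
deferred_queue_ids() {
  awk '/postfix\/smtp\[/ && / said: 4[0-9][0-9] / {
         sub(/:$/, "", $6); print $6 }' | sort -u
}

# Mail handed to Postfix locally (sendmail/PHP mail()), counted per uid.
submissions_by_uid() {
  awk '/postfix\/pickup\[/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) { n[$i]++; break }
       }
       END { for (u in n) print n[u], u }' | sort -k1,1nr -k2
}

# Report on the sample; pipe your own mail log in place of sample_log.
echo "Deferrals per remote MX:";   sample_log | deferrals_by_host
echo "Deferred queue IDs:";        sample_log | deferred_queue_ids
echo "Local submissions per uid:"; sample_log | submissions_by_uid
```

A high count for the web server's uid points at a script under the site, not at a mailbox login. A queued message can then be read with `postcat -q <queue-id>`, and if PHP's `mail.add_x_header` is enabled its `X-PHP-Originating-Script` header names the file that sent it.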