mail issue in logs

December 11, 2018
Ubuntu 18.04 Apache WordPress

Just migrated to DO with a multisite wordpress/woocommerce and have noticed some issues in my syslog

“host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)”

I have deleted all users who are spam and have not registered as woocommerce customers but my stack is still trying to send out emails to people

Any ideas what could be causing this?
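Before deciding whether this is a reputation problem or an outbound spam problem, it helps to quantify what the Postfix log actually shows: how many distinct queue IDs are involved, which remote MX hosts are deferring or rejecting, and which envelope senders the queue manager is handing out. The script below is an added example, not code from the question or the answers; it runs over a constructed sample built from the two log lines quoted above (the third delivery attempt, the qmgr line, the `example.invalid` relay and the envelope sender are made up for the example), and the same functions can be pointed at a real `/var/log/mail.log` or the Postfix section of `/var/log/syslog`.

```python
import re
from collections import Counter

# Constructed sample, modelled on the two Postfix lines quoted in the question.
# Relay hostnames, IPs and the first two queue IDs come from the question; the
# remaining lines are invented for this example.
SAMPLE_MAIL_LOG = """\
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:17 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2257]: 1A2B3C4D5E: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:18 lamp-s-1vcpu-1gb-lon1-01 postfix/qmgr[1234]: 1A2B3C4D5E: from=<wordpress@example.invalid>, size=2048, nrcpt=1 (queue active)
Dec 11 12:24:19 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2258]: 0F9E8D7C6B: host mx.example.invalid[192.0.2.25] said: 550 5.7.1 Message rejected as spam (in reply to end of DATA command)
"""

# Common syslog prefix of a Postfix line: timestamp, host, process[pid], queue ID, rest.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$"
)
# Remote MX replied with an SMTP code and an enhanced status code (RFC 3463).
SAID_RE = re.compile(
    r"host (?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\] said: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+)"
)
# Remote MX dropped the session without a reply.
LOST_RE = re.compile(r"lost connection with (?P<relay>[^\[\s]+)\[(?P<ip>[^\]]+)\]")
# qmgr records the envelope sender when a message becomes active.
FROM_RE = re.compile(r"from=<(?P<sender>[^>]*)>")


def summarize_mail_log(text):
    """Group Postfix delivery attempts by outcome and remote relay."""
    summary = {
        "deferred_by_relay": Counter(),  # 4xx replies per remote MX
        "rejected_by_relay": Counter(),  # 5xx replies per remote MX
        "lost_connection": Counter(),    # sessions dropped per remote MX
        "dsn_codes": Counter(),          # enhanced status codes seen
        "senders": Counter(),            # envelope senders from qmgr lines
        "queue_ids": set(),              # distinct messages involved
    }
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        summary["queue_ids"].add(m["qid"])
        rest = m["rest"]
        said = SAID_RE.search(rest)
        if said:
            summary["dsn_codes"][said["dsn"]] += 1
            bucket = "deferred_by_relay" if said["code"].startswith("4") else "rejected_by_relay"
            summary[bucket][said["relay"]] += 1
            continue
        lost = LOST_RE.search(rest)
        if lost:
            summary["lost_connection"][lost["relay"]] += 1
            continue
        frm = FROM_RE.search(rest)
        if frm:
            summary["senders"][frm["sender"]] += 1
    return summary


def policy_failures(summary):
    """Count replies in the X.7.Y enhanced-status class (RFC 3463: security or
    policy status). Reputation-based deferrals such as the 421 4.7.0 in the
    question land here, as do 5.7.x spam rejections."""
    return sum(n for dsn, n in summary["dsn_codes"].items() if dsn.split(".")[1] == "7")


if __name__ == "__main__":
    s = summarize_mail_log(SAMPLE_MAIL_LOG)
    print("distinct queue IDs:", len(s["queue_ids"]))
    print("deferred by relay :", dict(s["deferred_by_relay"]))
    print("rejected by relay :", dict(s["rejected_by_relay"]))
    print("lost connection   :", dict(s["lost_connection"]))
    print("envelope senders  :", dict(s["senders"]))
    print("policy/reputation replies:", policy_failures(s))
```

The number of distinct queue IDs is the figure to watch: a handful of deferred order confirmations is a reputation issue with the remote provider, while hundreds of queue IDs with envelope senders the shop never uses points at something on the box generating mail. The `senders` counter is what ties the log back to the website, since a WordPress mailer normally sends as one fixed address.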


Hey friend,

I would suggest that your website has been compromised and is being used to send out spam. First, you should block outbound email while you look into this. Run this:

for i in 25 587 465; do iptables -I OUTPUT -p tcp --dport $i -j DROP; done

When you’re ready to unblock later, do this:

for i in 25 587 465; do iptables -D OUTPUT -p tcp --dport $i -j DROP; done

Once you have email blocked, make sure not to panic. A compromised Wordpress site is so incredibly common that you are among friends. It happens, it’s not your fault, almost everyone who uses it has at some point placed trust in someone who let them down. That could be a plugin developer, a theme developer, or perhaps more rarely just that you never updated the base Wordpress. Something was vulnerable and was used to, most likely, upload files to your website that are being used to execute the spam.

There’s no single list of steps that I can give you to resolve it, it’s very relative. What I can do is give you great documentation that can help you to know how to repair it. Check these out:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://sucuri.net/guides/how-to-clean-hacked-wordpress
https://codex.wordpress.org/FAQ_My_site_was_hacked

I think between the three of those articles, you’re going to have all of the information that you need.

Jarland

OK thanks, I will let you know how I get on, and thanks very much for all the information and links. I am currently deep scanning my site with Wordfence and will run at least 3 different plugins on it and see what happens. I have deleted all plugins that I wasn't using and also deleted a few themes that were not being used.

I can't really scan via SSH for changed files as I guess this may have been long-term. I think this because I have never had access to my mail logs, or this is the first time I have had to access them.

I just can't believe that my last host didn't pick up on this.

Cheers

I have fully scanned using Wordfence, GOMIS?? and Sucuri and nothing has found anything, yet my mail logs are still sending out spam.

OH DEAR

Let’s assume you’re running Apache on Ubuntu, but know that the log file and location are going to vary on anything else. In that assumption, here’s what I’d be running:

tail -f /var/log/apache2/access.log | grep "POST"

What I’m assuming here is that someone is pushing emails through a PHP script on the site, and to do so they’re making a POST request to something on the site. Most people don’t have floods of POST requests unless there’s a spam-like event going on. So if you see a flood of people making POST requests to a file, I’d bet money that this file is the one responsible.
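Watching the tail by eye works when the flood is obvious; when it is buried among legitimate checkout and admin-ajax traffic it helps to count instead. The script below is an added example, not code from the answer above: it parses Apache combined-format lines, counts POST requests per path (query strings stripped so variants collapse), records how many distinct client IPs hit each path, and separately flags any POSTed PHP file living under `/wp-content/uploads/`, which is my own heuristic for the "uploaded file" case the earlier answer describes, not something stated in the thread. The sample lines, IPs and the `cache.php` path are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed Apache combined-format sample. The IPs are documentation ranges
# and the /wp-content/uploads/.../cache.php path is invented for this example.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [11/Dec/2018:12:24:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2018:12:24:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "https://shop.example.invalid/" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2018:12:24:05 +0000] "POST /wp-content/uploads/2018/12/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.20"
198.51.100.7 - - [11/Dec/2018:12:24:06 +0000] "POST /wp-content/uploads/2018/12/cache.php?x=1 HTTP/1.1" 200 12 "-" "python-requests/2.20"
198.51.100.8 - - [11/Dec/2018:12:24:06 +0000] "POST /wp-content/uploads/2018/12/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.20"
198.51.100.8 - - [11/Dec/2018:12:24:07 +0000] "POST /wp-content/uploads/2018/12/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.20"
198.51.100.9 - - [11/Dec/2018:12:24:08 +0000] "POST /wp-content/uploads/2018/12/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.20"
198.51.100.9 - - [11/Dec/2018:12:24:09 +0000] "POST /wp-content/uploads/2018/12/cache.php HTTP/1.1" 200 12 "-" "python-requests/2.20"
203.0.113.11 - - [11/Dec/2018:12:24:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Dec/2018:12:24:12 +0000] "GET /shop/ HTTP/1.1" 200 8110 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: client, ident, user, [time], "request", status, bytes, ...
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Heuristic (my assumption, not from the thread): the uploads tree should hold
# media, so a PHP file being POSTed to there deserves a look regardless of volume.
SUSPICIOUS_PATH_RE = re.compile(r"^/wp-content/uploads/.*\.php$", re.IGNORECASE)


def post_hotspots(text, min_posts=5):
    """Return POST targets ranked by request count, plus any POSTed PHP under uploads."""
    posts = Counter()
    clients = defaultdict(set)
    for line in text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = urlsplit(m["path"]).path  # drop the query string
        posts[path] += 1
        clients[path].add(m["ip"])
    hotspots = sorted(
        ((path, n, len(clients[path])) for path, n in posts.items() if n >= min_posts),
        key=lambda t: (-t[1], t[0]),
    )
    suspicious = sorted(path for path in posts if SUSPICIOUS_PATH_RE.match(path))
    return {"hotspots": hotspots, "suspicious_paths": suspicious}


if __name__ == "__main__":
    result = post_hotspots(SAMPLE_ACCESS_LOG)
    for path, count, ips in result["hotspots"]:
        print(f"{count:6d} POSTs from {ips} IPs -> {path}")
    for path in result["suspicious_paths"]:
        print("PHP under uploads, check its owner, mtime and contents:", path)
```

To run it against the live server, read `/var/log/apache2/access.log` (and the rotated `access.log.1`) into `post_hotspots` and raise `min_posts` until only the outliers remain. A path that draws many POSTs from a small set of IPs using a non-browser user agent, as in the sample, is the file to inspect and take offline first; the queue count from the mail log should drop once it is gone.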

After running your tail on the access log and clearing the mail queue I think I might have defeated it and my server appears not to be sending out any more spam.

Thanks to everyone on here.

I will endeavor to help other people whenever I can.

I might write an updated article about moving a WordPress/WooCommerce multisite installation in to DO and configuring all Let's Encrypt certs with Apache confs etc.
