Just migrated to DO with a multisite WordPress/WooCommerce site and have noticed some issues in my syslog:
```
host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
```
I have deleted all users who are spam and have not registered as WooCommerce customers, but my stack is still trying to send out emails to people.
Any ideas what could be causing this?
Hey friend,
I would suggest that your website has been compromised and is being used to send out spam. First, you should block outbound email while you look into this. Run this:
```bash
# Drop new outbound connections on the SMTP, submission and SMTPS ports
for i in 25 587 465; do iptables -I OUTPUT -p tcp --dport $i -j DROP; done
```
When you’re ready to unblock later, do this:
```bash
# Remove the same DROP rules again
for i in 25 587 465; do iptables -D OUTPUT -p tcp --dport $i -j DROP; done
```
Once you have email blocked, make sure not to panic. A compromised WordPress site is so incredibly common that you are among friends. It happens, it's not your fault; almost everyone who uses it has at some point placed trust in someone who let them down. That could be a plugin developer, a theme developer, or perhaps more rarely just that you never updated the base WordPress. Something was vulnerable and was used to, most likely, upload files to your website that are being used to execute the spam.
There’s no single list of steps that I can give you to resolve it, it’s very relative. What I can do is give you great documentation that can help you to know how to repair it. Check these out:
https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://sucuri.net/guides/how-to-clean-hacked-wordpress
https://codex.wordpress.org/FAQ_My_site_was_hacked
I think between the three of those articles, you’re going to have all of the information that you need.
Jarland
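As an added example (not code from this thread, from DigitalOcean or from Jarland), the block/unblock step above written so it is safe to run twice, together with a quick triage of mail.log that shows how many messages were being deferred and by which remote MX. It assumes a Debian/Ubuntu LAMP droplet with Postfix logging to /var/log/mail.log, iptables on the host and a root shell; the sample log lines are constructed from the excerpt in the question, with made-up queue IDs.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Postfix logging to
# /var/log/mail.log and iptables on the host (both assumptions).
set -eu

SMTP_PORTS="25 587 465"

# Insert a DROP rule for each outbound SMTP port, skipping ports already
# blocked (iptables -C exits non-zero when the rule does not exist yet).
block_outbound_smtp() {
  for p in $SMTP_PORTS; do
    iptables -C OUTPUT -p tcp --dport "$p" -j DROP 2>/dev/null \
      || iptables -I OUTPUT -p tcp --dport "$p" -j DROP
  done
}

# Remove every matching DROP rule (-D removes one instance per call, so loop
# until none is left in case the rule was inserted more than once).
unblock_outbound_smtp() {
  for p in $SMTP_PORTS; do
    while iptables -C OUTPUT -p tcp --dport "$p" -j DROP 2>/dev/null; do
      iptables -D OUTPUT -p tcp --dport "$p" -j DROP
    done
  done
}

# Triage: count the 4xx deferrals per remote MX, reading mail.log on stdin,
# so the scale of the problem and the affected providers are visible.
deferred_by_relay() {
  grep -E 'said: 4[0-9]{2} ' \
    | sed -E 's/.*host ([^[]+)\[.*/\1/' \
    | sort | uniq -c | sort -rn
}

# Distinct Postfix queue IDs that hit a deferral: each one is a separate
# outbound message the server was trying to deliver.
deferred_queue_ids() {
  grep -E 'said: 4[0-9]{2} ' \
    | sed -E 's/.*postfix\/smtp\[[0-9]+\]: ([0-9A-F]+):.*/\1/' \
    | sort -u
}

# Constructed sample, modelled on the question's excerpt (host names and IPs
# are the ones quoted there; the queue IDs are made up).
SAMPLE_LOG='Dec 11 12:24:15 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:17 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2257]: 91C2B407B0: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)'

# Usage: ./smtp-triage.sh block | unblock | triage [logfile]
# With no argument it runs the triage on the constructed sample.
case "${1:-}" in
  block)   block_outbound_smtp ;;
  unblock) unblock_outbound_smtp ;;
  triage)  deferred_by_relay < "${2:-/var/log/mail.log}" ;;
  *)       printf '%s\n' "$SAMPLE_LOG" | deferred_by_relay ;;
esac
```

Blocking with DROP rather than REJECT is deliberate: the spam script keeps trying and each attempt hangs on a connect timeout, so the queue stops growing and the log keeps showing what is still trying to send. Run `postqueue -p` (or `mailq`) afterwards to see what is still queued locally, and `postsuper -d ALL` once you are sure it is all spam.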
OK thanks, I will let you know how I get on, and thanks very much for all the information and links. I am currently deep scanning my site with Wordfence and will run at least 3 different plugins on it and see what happens. I have deleted all plugins that I wasn't using and also deleted a few themes that were not being used.
I can't really scan via SSH for changed files, as I guess this may have been long-term. I think this because I have never had access to my mail logs, or this is the first time I have had to access them.
I just can't believe that my last host didn't pick up on this.
Cheers
I have fully scanned using Wordfence, GOMIS?? and Sucuri and nothing has found anything, yet my mail logs are still sending out spam.
OH DEAR
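Since the malware scanners found nothing while Postfix is still handing out mail, the next step is to find the script that is actually calling mail(). Here is an added example for that (not code from the thread, from WordPress or from any of the scanners): it turns on PHP's own mail logging (the php.ini directives `mail.log` and `mail.add_x_header`, which exist since PHP 5.3; the second one also stamps every outgoing message with an `X-PHP-Originating-Script` header), ranks the calling scripts from that log, and lists PHP files where none belong (wp-content/uploads) or recently changed PHP that calls mail() or the usual obfuscation functions. The php.ini path, `/var/log/php_mail.log`, the docroot `/var/www/html`, the `www-data` user and the sample log lines are assumptions/constructed; check the log line format against what your own PHP writes.

```shell
#!/bin/sh
# Added example, not from the thread or from WordPress. Assumes PHP >= 5.3 and
# a WordPress document root under /var/www/html (both assumptions).
set -eu

# Step 1: make PHP record which script and line called mail(). mail.log and
# mail.add_x_header are real php.ini directives; the ini path must be the one
# the web SAPI loads (php --ini only shows the CLI one), e.g.
# /etc/php/<version>/apache2/php.ini (path is an assumption).
enable_php_mail_logging() {
  ini="${1:?php.ini path required}"
  log="${2:-/var/log/php_mail.log}"
  printf '\nmail.add_x_header = On\nmail.log = %s\n' "$log" >> "$ini"
  touch "$log" && chown www-data:www-data "$log"   # web server user is assumed
  echo "restart the web server (e.g. systemctl restart apache2) to apply"
}

# Step 2: rank calling scripts from PHP's mail log, read on stdin. WordPress
# core sending order mail from wp-includes/ is expected; a file under
# wp-content/uploads calling mail() is not.
mail_callers() {
  sed -nE 's/.*mail\(\) on \[([^:]+):[0-9]+].*/\1/p' | sort | uniq -c | sort -rn
}

# Step 3: the uploads directory should never contain PHP at all.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
}

# Step 4: PHP modified in the last N days (default 30) anywhere under the
# docroot that calls mail() or uses the decoding functions droppers rely on.
suspicious_php() {
  dir="$1"; days="${2:-30}"
  find "$dir" -type f -name '*.php' -mtime "-$days" \
    -exec grep -lE '(^|[^A-Za-z0-9_])(mail|eval|base64_decode|gzinflate|str_rot13)\(' {} + 2>/dev/null || true
}

# Constructed sample of PHP's mail.log, modelled on the
# "[date] mail() on [script:line]: To: ... -- Headers: ..." lines PHP writes.
SAMPLE_PHP_MAIL_LOG='[11-Dec-2018 12:24:10 UTC] mail() on [/var/www/html/wp-content/uploads/2018/11/wp-cache.php:1]: To: victim1@yahoo.com -- Headers: From: shop@example.com
[11-Dec-2018 12:24:11 UTC] mail() on [/var/www/html/wp-content/uploads/2018/11/wp-cache.php:1]: To: victim2@aol.com -- Headers: From: shop@example.com
[11-Dec-2018 12:30:00 UTC] mail() on [/var/www/html/wp-includes/class-phpmailer.php:1551]: To: customer@example.org -- Headers: From: shop@example.com'

# Usage: ./find-mailer.sh enable <php.ini> [logfile] | hunt [docroot]
# With no argument it ranks the callers in the constructed sample.
case "${1:-}" in
  enable) enable_php_mail_logging "${2:-}" "${3:-}" ;;
  hunt)   php_in_uploads "${2:-/var/www/html}"; suspicious_php "${2:-/var/www/html}" ;;
  *)      printf '%s\n' "$SAMPLE_PHP_MAIL_LOG" | mail_callers ;;
esac
```

Scanners that only compare files against known signatures miss a one-line `eval(base64_decode(...))` dropper easily, which is why the mail log rather than the scanner is the reliable witness here: whatever path tops `mail_callers` is what is sending, regardless of what the scanners say about it. If the top caller is WordPress core itself, the spam is being submitted through a legitimate form or registration path and the fix is in the site, not on disk.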