Question

mail issue in logs

Just migrated to DO with a multisite WordPress/WooCommerce site and have noticed some issues in my syslog:

“host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: lost connection with mx-aol.mail.gm0.yahoodns.net[98.136.101.116] while sending RCPT TO
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)”

I have deleted all users who are spam and have not registered as WooCommerce customers, but my stack is still trying to send out emails to people.

Any ideas what could be causing this?


I have fully scanned using Wordfence, GOMIS?? and Sucuri and none of them has found anything, yet my mail logs show it is still sending out spam.

OH DEAR

OK thanks, I will let you know how I get on, and thanks very much for all the information and links. I am currently deep scanning my site with Wordfence and will run at least 3 different plugins on it and see what happens. I have deleted all plugins that I wasn't using and also deleted a few themes that were not being used.

I can't really scan via SSH for changed files, as I guess this may have been long-term. I think this because I have never had access to my mail logs before, or rather this is the first time I have had to access them.

I just can't believe that my last host didn't pick up on this.

Cheers

Hey friend,

I would suggest that your website has been compromised and is being used to send out spam. First, you should block outbound email while you look into this. Run this:

for i in 25 587 465; do iptables -I OUTPUT -p tcp --dport $i -j DROP; done

When you’re ready to unblock later, do this:

for i in 25 587 465; do iptables -D OUTPUT -p tcp --dport $i -j DROP; done

Once you have email blocked, make sure not to panic. A compromised WordPress site is so incredibly common that you are among friends. It happens, it's not your fault; almost everyone who uses it has at some point placed trust in someone who let them down. That could be a plugin developer, a theme developer, or perhaps more rarely just that you never updated the base WordPress. Something was vulnerable and was used to, most likely, upload files to your website that are being used to execute the spam.

There’s no single list of steps that I can give you to resolve it, it’s very relative. What I can do is give you great documentation that can help you to know how to repair it. Check these out:

https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
https://sucuri.net/guides/how-to-clean-hacked-wordpress
https://codex.wordpress.org/FAQ_My_site_was_hacked

I think between the three of those articles, you’re going to have all of the information that you need.

Jarland
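As an added example (not part of the original answer or the poster's setup), here is a triage script that correlates the postfix log records for each queue ID so you can see who on the box is submitting the mail before you start hunting for files. Postfix records the uid of every locally submitted message in its postfix/pickup line; on the DigitalOcean LAMP image and other Debian/Ubuntu systems the web server runs as uid 33 (www-data), which is assumed below and should be changed if your PHP worker runs as another user. The log lines are constructed to mirror the format of the excerpt in the question and are not real data from the poster's server.

```python
"""Triage a postfix syslog excerpt for web-originated outbound spam.

Three record types are correlated by queue ID:
  postfix/pickup -> uid and local name of the process that submitted the mail
  postfix/qmgr   -> envelope sender and recipient count (nrcpt)
  postfix/smtp   -> remote MX verdict (e.g. 421 4.7.0 deferred due to complaints)
"""
import re
from collections import defaultdict

# Constructed sample lines modelled on the excerpt in the question; not real log data.
SAMPLE_LOG = """\
Dec 11 12:24:10 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[1900]: 8DA29407AB: uid=33 from=<www-data>
Dec 11 12:24:10 lamp-s-1vcpu-1gb-lon1-01 postfix/cleanup[1950]: 8DA29407AB: message-id=<abc@lamp-s-1vcpu-1gb-lon1-01>
Dec 11 12:24:10 lamp-s-1vcpu-1gb-lon1-01 postfix/qmgr[1200]: 8DA29407AB: from=<www-data@lamp-s-1vcpu-1gb-lon1-01>, size=2310, nrcpt=25 (queue active)
Dec 11 12:24:11 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[1900]: 56114407A7: uid=33 from=<www-data>
Dec 11 12:24:11 lamp-s-1vcpu-1gb-lon1-01 postfix/qmgr[1200]: 56114407A7: from=<www-data@lamp-s-1vcpu-1gb-lon1-01>, size=2290, nrcpt=40 (queue active)
Dec 11 12:24:12 lamp-s-1vcpu-1gb-lon1-01 postfix/pickup[1900]: 1A2B3C4D5E: uid=0 from=<root>
Dec 11 12:24:12 lamp-s-1vcpu-1gb-lon1-01 postfix/qmgr[1200]: 1A2B3C4D5E: from=<root@lamp-s-1vcpu-1gb-lon1-01>, size=512, nrcpt=1 (queue active)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2255]: 8DA29407AB: host mx-aol.mail.gm0.yahoodns.net[98.136.101.116] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:16 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2256]: 56114407A7: host mta5.am0.yahoodns.net[67.195.229.58] said: 421 4.7.0 [TSS04] Messages from 178.62.110.117 temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html (in reply to MAIL FROM command)
Dec 11 12:24:17 lamp-s-1vcpu-1gb-lon1-01 postfix/smtp[2257]: 1A2B3C4D5E: to=<admin@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

PICKUP_RE = re.compile(
    r"postfix/pickup\[\d+\]: (?P<qid>[0-9A-F]+): uid=(?P<uid>\d+) from=<(?P<local>[^>]*)>")
QMGR_RE = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")
SAID_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): host (?P<mx>\S+) said: (?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+)")
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>]*>.*?status=(?P<status>\w+)")

# Assumption: the PHP worker runs as www-data (uid 33). Change for your system.
WEB_UIDS = {33}


def new_record():
    return {"uid": None, "local": None, "sender": None, "nrcpt": 0,
            "verdicts": [], "status": None}


def parse_postfix_log(text):
    """Return {queue_id: record} by merging pickup, qmgr and smtp lines."""
    records = defaultdict(new_record)
    for line in text.splitlines():
        m = PICKUP_RE.search(line)
        if m:
            records[m["qid"]]["uid"] = int(m["uid"])
            records[m["qid"]]["local"] = m["local"]
            continue
        m = QMGR_RE.search(line)
        if m:
            records[m["qid"]]["sender"] = m["sender"]
            records[m["qid"]]["nrcpt"] = int(m["nrcpt"])
            continue
        m = SAID_RE.search(line)
        if m:
            records[m["qid"]]["verdicts"].append((m["mx"], m["code"], m["dsn"]))
            continue
        m = SENT_RE.search(line)
        if m:
            records[m["qid"]]["status"] = m["status"]
    return dict(records)


def flag_web_spam(records, web_uids=WEB_UIDS, min_rcpt=10):
    """Queue IDs submitted by the web server uid that fan out to many recipients
    or drew a 4xx/5xx verdict from a remote MX. Mail from other uids is ignored."""
    flagged = {}
    for qid, rec in records.items():
        if rec["uid"] not in web_uids:
            continue
        rejected = [v for v in rec["verdicts"] if v[1][0] in "45"]
        if rec["nrcpt"] >= min_rcpt or rejected:
            flagged[qid] = {"sender": rec["sender"], "nrcpt": rec["nrcpt"],
                            "mx": sorted({v[0] for v in rejected})}
    return flagged


def recipients_by_uid(records):
    """Total envelope recipients per submitting uid: a quick volume check."""
    totals = defaultdict(int)
    for rec in records.values():
        if rec["uid"] is not None:
            totals[rec["uid"]] += rec["nrcpt"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_postfix_log(SAMPLE_LOG)
    print("recipients per submitting uid:", recipients_by_uid(recs))
    for qid, info in flag_web_spam(recs).items():
        print(f"{qid}: web uid, sender={info['sender']}, nrcpt={info['nrcpt']}, deferred by {info['mx']}")
```

Run it against /var/log/mail.log (or the output of journalctl -u postfix) by swapping in the real text for SAMPLE_LOG. A large recipient fan-out submitted from the web server's uid, paired with 4.7.0 deferrals from the receiving MXs, points at a script in the web root calling mail() rather than at a WooCommerce notification setting. Once you know it is web-originated, setting mail.add_x_header = On and mail.log = /var/log/php-mail.log in php.ini makes PHP record which script called mail() on the next attempt, which is usually faster than diffing the whole tree for changed files.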