Account sending emails from wordpress problem
Hi,
I have an account sending mails from a WP website.
example:
Event: success success
Sender User: xxxx
Sender Domain: example.com
From Address: xxx@example.net
Sender: xxx
Sent Time: Jun 13, 2019, 9:13:09 AM
Sender Host: localhost
Sender IP: 127.0.0.1
Authentication: localuser
Spam Score: 3.5
Recipient: 991147195@example.org
Delivered To: 991147195@example.org
Delivery User: -remote-
Delivery Domain:
Router: dkim_lookuphost
Transport: dkim_remote_smtp
Out Time: Jun 13, 2019, 9:13:09 AM
ID: 1hbJva-0006fR-1o
Delivery Host: mx3.example.org
Delivery IP: 203.205.xxx.xx
Size: 900 bytes
Result: Accepted
Path: '/home/xxxx/public_html/wp-admin'
Count: 101 emails sent
Sample of the first 10 emails:
2019-06-13 08:20:55 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:34 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:51 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:26 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:37 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:48 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:59 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:33:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:33:20 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
Possible Scripts:
'/home/xxx/public_html/wp-admin/user-edit.php'
'/home/xxx/public_html/wp-admin/user-new.php'
'/home/xxx/public_html/wp-admin/install.php'
'/home/xxx/public_html/wp-admin/network.php'
'/home/xxx/public_html/wp-admin/ms-delete-site.php'
'/home/xxx/public_html/wp-admin/comment.php'
I have the latest version of WP and all plugins updated. I changed the user password for WP and cPanel. What can I do about this? Thanks.
-
Most likely your website's contact form is being abused due to no CAPTCHA, weak spam protection, or the challenge answer being viewable in the HTML. If your contact form sends using an AJAX request, the request will most likely POST to /wp-admin/admin-ajax.php, hence the /home/xxx/public_html/wp-admin script location. This spam will be addressed to the website owner in most cases, but some contact forms offer the rather stupid option of sending a copy to yourself (the spammer addresses this field to the spam victim). I have seen WordPress themes with contact forms that print the website owner's address in the HTML, then POST that back to the server to be used for the To: header when constructing the email (which allows simple automated abuse). The files you listed are all names of legitimate WordPress files, but that does not mean they have not been altered. It is also possible your site is compromised and has other code on it. If you think this is the case, install the free Wordfence WordPress plugin and run a scan.
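The Exim lines in the question record only the working directory, so one way to confirm which endpoint is generating the mail is to match each sendmail timestamp against POST requests in the web access log. This is an added example, not part of the original thread; the Apache combined-format access lines and client IPs are constructed, and both logs are assumed to use the same timezone.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data. The Exim lines use the format shown in the post;
# the Apache combined-format access lines and client IPs are invented.
EXIM_LOG = """\
2019-06-13 08:31:34 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:51 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
"""
ACCESS_LOG = """\
198.51.100.7 - - [13/Jun/2019:08:31:33 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "curl/7.58"
203.0.113.9 - - [13/Jun/2019:08:31:40 +0000] "GET /wp-admin/user-edit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jun/2019:08:31:50 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "curl/7.58"
198.51.100.7 - - [13/Jun/2019:08:32:08 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 52 "-" "curl/7.58"
"""

EXIM_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cwd=(\S+) \d+ args: \S*sendmail\b")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\] ]+)[^\]]*\] "POST (\S+) ')

def sendmail_events(exim_text):
    """Return [(timestamp, cwd)] for each local sendmail invocation."""
    found = (EXIM_RE.match(line) for line in exim_text.splitlines())
    return [(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2))
            for m in found if m]

def post_requests(access_text):
    """Return [(timestamp, client_ip, path)] for each POST, query string dropped."""
    found = (ACCESS_RE.match(line) for line in access_text.splitlines())
    return [(datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S"),
             m.group(1), m.group(3).split("?")[0]) for m in found if m]

def correlate(exim_text, access_text, window=5):
    """Count (path, client_ip) pairs that POSTed at most `window` seconds
    before a sendmail call; the heaviest pair is the likely abused endpoint."""
    posts = post_requests(access_text)
    hits = Counter()
    for sent, _cwd in sendmail_events(exim_text):
        for ts, ip, path in posts:
            if timedelta(0) <= sent - ts <= timedelta(seconds=window):
                hits[(path, ip)] += 1
    return hits

if __name__ == "__main__":
    print(Counter(cwd for _, cwd in sendmail_events(EXIM_LOG)))
    for (path, ip), n in correlate(EXIM_LOG, ACCESS_LOG).most_common():
        print(f"{n:4d}  {path}  from {ip}")
```

A POST to admin-ajax.php dominating the output points at a form handler rather than a modified core file; the GET to user-edit.php in the sample is ignored because it does not precede any send as a POST.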
Yes, in fact, after removing the contact form the mail flow stops. I must find another, more robust contact form plugin. Thanks.
Glad you were able to identify the source of the issue. Maybe some others here can give you advice on which contact forms they use for their WordPress installations.