
Site hacked? - sending out spam

Discussion in 'System Administration' started by GASTAN, Jan 30, 2020.

  1. GASTAN

    GASTAN Member

    81
    11
    8
    Jun 28, 2017
    Ratings:
    +16
    Local Time:
    11:04 AM
    Hi

    I got my VPS shut down (nulled networking) at ChicagoVPS.
    They claim my server is sending out SPAM, but won't ever supply any details.
    I have the latest 123.09beta01 on CentOS 6.10, all updated/patched.
    Any idea how to monitor outgoing email traffic?
    I have 2 WordPress sites with 1 contact form email a week, and one shopping site with 1 order a month. So the sites are not sending many emails.
    lfd and cron emails are from root to root, so I don't suppose they leave the server.

    thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

    43,132
    9,792
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +15,122
    Local Time:
    8:04 PM
    Nginx 1.17.x
    MariaDB 5.5/10.x
    how was wordpress installed? via centmin.sh menu option 22 or manually installed? what plugins are installed for each site?

    shopping site, what script?

    maybe a wordpress plugin was compromised? which is the most likely situation - especially if wordpress wasn't installed via centmin.sh menu option 22 - Differences between Wordpress regular install vs centmin.sh menu option 22 install

    Centmin Mod is provided as is, so troubleshooting a hacked site or postfix logs is left to you. You could start with your postfix mail log at /var/log/maillog. Centmin Mod installs the pflogsumm command which can provide a summary of postfix log entries via the command
    Code (Text):
    pflogsumm -d today --verbose_msg_detail /var/log/maillog

    also installed is command shortcut alias for the command
    Code (Text):
    postfixlog

    which will run same command for today's log entries

    Or instead of just the -d today flag, for all dates remove the -d today flag
    Code (Text):
    pflogsumm --verbose_msg_detail /var/log/maillog


    I wouldn't publicly post such output though, as it reveals all sender and receiver email addresses logged by postfix, so it's something for you to privately go through to see if you do not recognise some of the email addresses

    example output
    Code (Text):
    pflogsumm --verbose_msg_detail /var/log/maillog
    
    Grand Totals
    ------------
    messages
    
        142   received
        142   delivered
          0   forwarded
          0   deferred
          0   bounced
          0   rejected (0%)
          0   reject warnings
          0   held
          0   discarded (0%)
    
     160241   bytes received
     160241   bytes delivered
          1   senders
          1   sending hosts/domains
          2   recipients
          2   recipient hosts/domains
    
    
    Per-Day Traffic Summary
    -----------------------
        date          received  delivered   deferred    bounced     rejected
        --------------------------------------------------------------------
        Jan 26 2020        36         36
        Jan 27 2020        41         41
        Jan 28 2020        27         27
        Jan 29 2020        38         38
    
    Per-Hour Traffic Daily Average
    ------------------------------
        time          received  delivered   deferred    bounced     rejected
        --------------------------------------------------------------------
        0000-0100           3          3          0          0          0
        0100-0200           1          1          0          0          0
        0200-0300           2          2          0          0          0
        0300-0400           1          1          0          0          0
        0400-0500           1          1          0          0          0
        0500-0600           2          2          0          0          0
        0600-0700           1          1          0          0          0
        0700-0800           2          2          0          0          0
        0800-0900           1          1          0          0          0
        0900-1000           2          2          0          0          0
        1000-1100           2          2          0          0          0
        1100-1200           2          2          0          0          0
        1200-1300           2          2          0          0          0
        1300-1400           2          2          0          0          0
        1400-1500           1          1          0          0          0
        1500-1600           1          1          0          0          0
        1600-1700           2          2          0          0          0
        1700-1800           2          2          0          0          0
        1800-1900           2          2          0          0          0
        1900-2000           1          1          0          0          0
        2000-2100           1          1          0          0          0
        2100-2200           2          2          0          0          0
        2200-2300           2          2          0          0          0
        2300-2400           3          3          0          0          0
    
    Host/Domain Summary: Message Delivery
    --------------------------------------
     sent cnt  bytes   defers   avg dly max dly host/domain
     -------- -------  -------  ------- ------- -----------
        137   156436        0     0.0 s    0.0 s  host.domain.com
          5     3805        0     0.4 s    0.5 s  domain.com
    
    Host/Domain Summary: Messages Received
    ---------------------------------------
     msg cnt   bytes   host/domain
     -------- -------  -----------
        142   160241   host.domain.com
    
    Senders by message count
    ------------------------
        142   [email protected]
    
    Recipients by message count
    ---------------------------
        137   [email protected]
          5   [email protected]
    
    Senders by message size
    -----------------------
     160241   [email protected]
    
    Recipients by message size
    --------------------------
     156436   [email protected]
       3805   [email protected]
    
    message deferral detail: none
    
    message bounce detail (by relay): none
    
    message reject detail: none
    
    message reject warning detail: none
    
    message hold detail: none
    
    message discard detail: none
    
    smtp delivery failures: none
    
    Warnings: none
    
    Fatal Errors: none
    
    Panics: none
    
    Master daemon messages: none

    /var/log/maillog gets auto-rotated, so it may not contain all postfix log dates; change the log name that pflogsumm analyses
    Code (Text):
    ls -lahrt /var/log/ | grep maillog
    -rw-------   1 root     root             16M Jan  5 03:24 maillog-20200105
    -rw-------   1 root     root            405M Jan 12 02:22 maillog-20200112
    -rw-------   1 root     root            180K Jan 19 02:50 maillog-20200119
    -rw-------   1 root     root            149K Jan 26 03:23 maillog-20200126
    -rw-------   1 root     root             80K Jan 29 22:10 maillog
    

    Code (Text):
    pflogsumm --verbose_msg_detail /var/log/maillog-20200126

    or use wildcard for all mail logs
    Code (Text):
    pflogsumm --verbose_msg_detail /var/log/maillog*

    but note using a wildcard can use up a lot of temp disk space processing the logs, so maybe start with individual log files.
     
    Last edited: Jan 30, 2020
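The pflogsumm summaries above answer "how much mail, when, to whom"; they do not say which local Unix user handed the message to Postfix. The following is an added example (my own code, not part of Centmin Mod or of this post) that goes one step further than the pflogsumm output: it parses raw Postfix syslog records, correlates each queue ID's pickup, qmgr and delivery lines, and reports sent counts per hour, per submitting uid and per sender, flagging hours over a burst threshold. The sample log lines are constructed to follow Postfix's default log format; the hostname cvps01, the queue IDs, the addresses, uid 48 for the web user and the burst threshold of 20 are all assumptions to adjust for a real server.

```python
import re
from collections import Counter, defaultdict

# Default Postfix syslog record: "<Mon DD HH:MM:SS> <host> postfix/<prog>[pid]: <QUEUEID>: <rest>"
LINE_RE = re.compile(
    r"^(?P<hour>\w{3}\s+\d{1,2} \d{2}):\d{2}:\d{2} \S+ "
    r"postfix/(?P<prog>[\w-]+)\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$"
)
# pickup(8) logs the Unix uid that handed the message to sendmail(1); that uid is
# what ties a spam run back to the php-fpm/nginx user rather than to root's cron mail.
PICKUP_RE = re.compile(r"uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
QMGR_RE = re.compile(r"from=<(?P<sender>[^>]*)>, size=(?P<size>\d+)")
DELIVERY_RE = re.compile(
    r"to=<(?P<to>[^>]*)>,(?: orig_to=<[^>]*>,)? relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)"
)

def parse_maillog(text):
    """Group records by queue ID: uid and sender from pickup/qmgr, one entry per delivery attempt."""
    msgs = defaultdict(lambda: {"uid": None, "sender": None, "size": 0, "deliveries": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        q, rest = msgs[m["qid"]], m["rest"]
        if m["prog"] == "pickup":
            p = PICKUP_RE.search(rest)
            if p:
                q["uid"], q["sender"] = int(p["uid"]), p["sender"]
        elif m["prog"] == "qmgr":
            p = QMGR_RE.search(rest)
            if p:
                q["sender"], q["size"] = p["sender"], int(p["size"])
        elif m["prog"] in ("smtp", "local", "virtual", "lmtp"):
            p = DELIVERY_RE.search(rest)
            if p:
                q["deliveries"].append(
                    {"hour": m["hour"], "to": p["to"], "relay": p["relay"], "status": p["status"]}
                )
    return dict(msgs)

def summarize(msgs, burst_threshold=20):
    """Count status=sent deliveries per hour, uid, sender and recipient domain; flag burst hours.
    burst_threshold is an assumed value: tune it to the site's normal hourly volume."""
    per_hour, per_uid, per_sender, per_domain, status = (Counter() for _ in range(5))
    for q in msgs.values():
        for d in q["deliveries"]:
            status[d["status"]] += 1
            if d["status"] != "sent":
                continue
            per_hour[d["hour"]] += 1
            per_uid[q["uid"]] += 1
            per_sender[q["sender"]] += 1
            per_domain[d["to"].rsplit("@", 1)[-1]] += 1
    return {
        "per_hour": per_hour, "per_uid": per_uid, "per_sender": per_sender,
        "per_domain": per_domain, "status": status,
        "burst_hours": sorted(h for h, n in per_hour.items() if n >= burst_threshold),
    }

# Constructed sample (not from the thread's server): one root cron mail, then a burst of
# web-user mail at 07:00 with one bounce, and two more at 08:00 with one deferral.
SAMPLE_MAILLOG = """\
Jan 29 03:00:01 cvps01 postfix/pickup[900]: B0001: uid=0 from=<root@cvps01>
Jan 29 03:00:01 cvps01 postfix/qmgr[901]: B0001: from=<root@cvps01>, size=1915, nrcpt=1 (queue active)
Jan 29 03:00:01 cvps01 postfix/local[902]: B0001: to=<root@cvps01>, orig_to=<root>, relay=local, delay=0.1, delays=0.05/0/0/0.05, dsn=2.0.0, status=sent (delivered to mailbox)
Jan 29 07:12:01 cvps01 postfix/pickup[900]: A0001: uid=48 from=<nginx@cvps01>
Jan 29 07:12:01 cvps01 postfix/qmgr[901]: A0001: from=<nginx@cvps01>, size=30210, nrcpt=1 (queue active)
Jan 29 07:12:03 cvps01 postfix/smtp[910]: A0001: to=<a1@gmail.com>, relay=gmail-smtp-in.l.google.com[172.217.212.26]:25, delay=2.1, delays=0.1/0/1/1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 29 07:12:04 cvps01 postfix/pickup[900]: A0002: uid=48 from=<nginx@cvps01>
Jan 29 07:12:04 cvps01 postfix/qmgr[901]: A0002: from=<nginx@cvps01>, size=30199, nrcpt=1 (queue active)
Jan 29 07:12:06 cvps01 postfix/smtp[911]: A0002: to=<a2@gmail.com>, relay=gmail-smtp-in.l.google.com[172.217.212.26]:25, delay=2.0, delays=0.1/0/1/0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 29 07:12:07 cvps01 postfix/pickup[900]: A0003: uid=48 from=<nginx@cvps01>
Jan 29 07:12:07 cvps01 postfix/qmgr[901]: A0003: from=<nginx@cvps01>, size=30167, nrcpt=1 (queue active)
Jan 29 07:12:09 cvps01 postfix/smtp[912]: A0003: to=<a3@web.de>, relay=mx-ha02.web.de[212.227.17.8]:25, delay=1.8, delays=0.1/0/1/0.7, dsn=2.0.0, status=sent (250 Requested mail action okay)
Jan 29 07:12:10 cvps01 postfix/pickup[900]: A0004: uid=48 from=<nginx@cvps01>
Jan 29 07:12:10 cvps01 postfix/qmgr[901]: A0004: from=<nginx@cvps01>, size=30083, nrcpt=1 (queue active)
Jan 29 07:12:12 cvps01 postfix/smtp[913]: A0004: to=<nosuch@gmail.com>, relay=gmail-smtp-in.l.google.com[172.217.212.26]:25, delay=1.9, delays=0.1/0/1/0.8, dsn=5.1.1, status=bounced (host gmail-smtp-in.l.google.com[172.217.212.26] said: 550-5.1.1 The email account that you tried to reach does not exist)
Jan 29 08:01:00 cvps01 postfix/pickup[900]: A0005: uid=48 from=<nginx@cvps01>
Jan 29 08:01:00 cvps01 postfix/qmgr[901]: A0005: from=<nginx@cvps01>, size=30046, nrcpt=1 (queue active)
Jan 29 08:01:21 cvps01 postfix/smtp[914]: A0005: to=<a4@yahoo.com>, relay=mta5.am0.yahoodns.net[98.136.96.91]:25, delay=21, delays=0.1/0/20/0.9, dsn=2.0.0, status=sent (250 ok)
Jan 29 08:02:00 cvps01 postfix/pickup[900]: A0006: uid=48 from=<nginx@cvps01>
Jan 29 08:02:00 cvps01 postfix/qmgr[901]: A0006: from=<nginx@cvps01>, size=29990, nrcpt=1 (queue active)
Jan 29 08:02:05 cvps01 postfix/smtp[915]: A0006: to=<a5@t-online.de>, relay=mx01.t-online.de[194.25.134.72]:25, delay=5, delays=0.1/0/4/0.9, dsn=4.0.0, status=deferred (host mx01.t-online.de[194.25.134.72] refused to talk to me: 554 A problem occurred)
"""

if __name__ == "__main__":
    report = summarize(parse_maillog(SAMPLE_MAILLOG), burst_threshold=3)
    for key, value in report.items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

Run it against a real file with `parse_maillog(open("/var/log/maillog").read())`; rotated files such as maillog-20200126 parse the same way. A per_uid entry that is almost entirely the php-fpm user, combined with many near-identical sizes and a single burst hour, is the pattern that points at a web script rather than at cron or lfd mail.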
  3. GASTAN

    Code:
    Grand Totals
    ------------
    messages
    
         42   received
         42   delivered
          0   forwarded
          0   deferred
          2   bounced
          0   rejected (0%)
          0   reject warnings
          0   held
          0   discarded (0%)
    
       1145k  bytes received
       1150k  bytes delivered
         22   senders
          3   sending hosts/domains
         21   recipients
          3   recipient hosts/domains
    
    
    Per-Hour Traffic Summary
        time          received  delivered   deferred    bounced     rejected
        --------------------------------------------------------------------
        0000-0100           0          0          0          0          0
        0100-0200           2          2          0          0          0
        0200-0300           0          0          0          0          0
        0300-0400           0          0          0          0          0
        0400-0500           0          0          0          0          0
        0500-0600           0          0          0          0          0
        0600-0700           2          2          0          0          0
        0700-0800          26         26          0          1          0
        0800-0900           8          8          0          1          0
        0900-1000           0          0          0          0          0
        1000-1100           0          0          0          0          0
        1100-1200           0          0          0          0          0
        1200-1300           0          0          0          0          0
        1300-1400           0          0          0          0          0
        1400-1500           0          0          0          0          0
        1500-1600           1          1          0          0          0
        1600-1700           0          0          0          0          0
        1700-1800           0          0          0          0          0
        1800-1900           0          0          0          0          0
        1900-2000           0          0          0          0          0
        2000-2100           3          3          0          0          0
        2100-2200           0          0          0          0          0
        2200-2300           0          0          0          0          0
        2300-2400           0          0          0          0          0
    
    Host/Domain Summary: Message Delivery
     sent cnt  bytes   defers   avg dly max dly host/domain
     -------- -------  -------  ------- ------- -----------
         37     1097k       0    21.0 s   22.0 s  gmail.com
          3     1915        0     0.4 s    1.1 s  cvps01(my server)
          2    52403        0     2.5 s    3.3 s  digitalfall.ga
    
    Host/Domain Summary: Messages Received
     msg cnt   bytes   host/domain
     -------- -------  -----------
         36     1072k  gmail.com
          4    22350   cvps01(my server)
          2    52403   [email protected](my shop)
    
    Senders by message count
    ------------------------
         18   <MY_EMAIL>@gmail.com
          3   [email protected](my server)
          2   [email protected](my shop)
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected](my server)
    
    Recipients by message count
    ---------------------------
         20   <MY_EMAIL>@gmail.com
          3   [email protected](my server)
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   <MY_EMAIL2>@gmail.com
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
          1   [email protected]
    
    Senders by message size
    -----------------------
        541k  <MY_EMAIL>@gmail.com
      52403   [email protected](my shop)
      30835   [email protected]
      30429   [email protected]
      30350   [email protected]
      30320   [email protected]
      30278   [email protected]
      30270   [email protected]
      30265   [email protected]
      30210   [email protected]
      30199   [email protected]
      30190   [email protected]
      30167   [email protected]
      30167   [email protected]
      30083   [email protected]
      30075   [email protected]
      30046   [email protected]
      30037   [email protected]
      29990   [email protected]
      29960   [email protected]
      20435   [email protected](my server)
       1915   [email protected](my server)
    
    Recipients by message size
    --------------------------
        595k  <MY_EMAIL>@gmail.com
      31432   [email protected]
      31054   [email protected]
      30958   [email protected]
      30912   [email protected]
      30895   [email protected]
      30871   [email protected]
      30857   [email protected]
      30804   [email protected]
      30797   [email protected]
      30795   [email protected]
      30794   [email protected]
      30781   [email protected]
      30688   [email protected]
      30683   [email protected]
      30656   [email protected]
      30575   [email protected]
      26203   [email protected]
      26200   [email protected]
      20435   <MY_EMAIL2>@gmail.com
       1915   [email protected](my server)
    
    message deferral detail: none
    
    message bounce detail (by relay)
    --------------------------------
      gmail-smtp-in.l.google.com[172.217.212.26]:25 (total: 2)
             1   host gmail-smtp-in.l.google.com[172.217.212.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser h9si1009469jaq.62 - gsmtp (in reply to RCPT TO command)
             1   host gmail-smtp-in.l.google.com[172.217.212.26] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1  https://support.google.com/mail/?p=NoSuchUser n12si990760ioo.83 - gsmtp (in reply to RCPT TO command)
    
    message reject detail: none
    
    message reject warning detail: none
    
    message hold detail: none
    
    message discard detail: none
    
    smtp delivery failures: none
    
    Warnings
    --------
      smtp (total: 2)
             2   numeric domain name in resource data of MX record for digitalfall.ga: 192.236.177.38
    
    Fatal Errors: none
    
    Panics: none
    
    Master daemon messages: none
    
    I don't know most of the emails, so it must be some spammy stuff.
    Shop is PrestaShop...
    WP was installed by CM, but a long time ago. Prod ver (8), which did not have the menu option at that time; all was scripted and all the sample plugins were installed (Sucuri alert and Limit Login Attempts)
    Got an email that the site is down around 5am (CST), so I guess Chicago cut the site down after 9am UTC, because there are zero emails after. They cut us off for 34 emails in two hours?
    0700-0800 26 26 0 1 0
    0800-0900 8 8 0 1 0

    The last incident was on the 15th, so I am gonna try to check logs from that time, if they are still around.
    Any way to figure out what was emailing?
     
  4. eva2000

    yeah in that case you probably are sending out spam
    installing and configuring auditd https://community.centminmod.com/th...td-support-added-in-latest-123-09beta01.9071/ would have helped, but once they null route you, you wouldn't have net access to install it now to inspect new outbound emails

    but you'd also need to understand how to use and read auditd logs as well

    Centmin Mod 123.09beta01 and newer also have cminfo netstat command https://community.centminmod.com/threads/update-cminfo-command-with-netstat-flag-option.14468/ which reports inbound/outbound connection info so if you have alot of outbound connections, it may reveal some info or outbound IPs too
    Code (Text):
    cminfo netstat

    again the output has sensitive info for both server and visitors, and even your SSH login IP is displayed, so it's something for private consumption only and not for publicly posting on forums etc. Though I try my best to mask the SSH login IP, it doesn't always work https://community.centminmod.com/th...nd-with-netstat-flag-option.14468/#post-62211

    You can also enable PHP mail.add_x_header = On, which is disabled by default, by using the following commands to create a custom php ini setting override file at /etc/centminmod/php.d/zzz-mailxheader.ini
    Code (Text):
    echo -e 'mail.add_x_header = On\nmail.log = /var/log/php-sent-emails.log' > /etc/centminmod/php.d/zzz-mailxheader.ini
    fpmrestart
    php -i | egrep 'x_header|mail.log'
    

    The created /etc/centminmod/php.d/zzz-mailxheader.ini contents which override php.ini settings default would be
    Code (Text):
    mail.add_x_header = On
    mail.log = /var/log/php-sent-emails.log
    

    The php info grep would now show it enabled and php sent emails will be logged
    Code (Text):
    php -i | egrep 'x_header|mail.log'
    mail.add_x_header => On => On
    mail.log => /var/log/php-sent-emails.log => /var/log/php-sent-emails.log
    

    PHP: Runtime Configuration - Manual
    X-PHP-Originating-Script would be included in the sent email's headers, identifying the PHP script it was sent from, in theory.

    Using example php script named phptest1.php
    Code (Text):
    <?php
        ini_set('display_errors', 1);
        error_reporting(-1);
        mail ('[email protected]', 'Postfix Test', 'A test email') || print_r(error_get_last());
    ?>

    the receiver's email would contain the header
    Code (Text):
    Subject: Postfix Test
    X-PHP-Originating-Script: 0:phptest1.php
    

    And php-sent-emails.log log would contain
    Code (Text):
    cat /var/log/php-sent-emails.log
    [29-Jan-2020 23:22:41 UTC] mail() on [/path/to/phptest1.php:4]: To: [email protected] -- Headers:  -- Subject: Postfix Test
    

    After testing etc, you may want to set mail.add_x_header = Off in /etc/centminmod/php.d/zzz-mailxheader.ini and restart the php-fpm service, and depending on your choice leave mail.log enabled or commented out. Note all PHP script sent emails will be logged, so the log file could grow dramatically, as would disk space usage.

    So after diagnostic analysis your /etc/centminmod/php.d/zzz-mailxheader.ini would become
    Code (Text):
    mail.add_x_header = Off
    #mail.log = /var/log/php-sent-emails.log
    
     
    Last edited: Jan 30, 2020
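Once mail.log and mail.add_x_header are on, the two artefacts to read are the php-sent-emails.log lines and the X-PHP-Originating-Script header, whose value PHP writes as "<uid>:<script basename>". The following is an added example (my own code, not Centmin Mod's or from this post) that parses both: it attributes each mail() call to the script and line that made it, counts distinct recipients per script, and flags scripts that either send to many addresses or live under directories that should not contain PHP at all. The log lines, the /home/nginx/domains/... paths, the cache.php dropper in wp-content/uploads, the SUSPICIOUS_DIRS list and the recipient threshold are all constructed assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from email import message_from_string

# One php mail.log record, as PHP writes it when mail.log is set:
# [29-Jan-2020 23:22:41 UTC] mail() on [/path/to/script.php:4]: To: x@y -- Headers: ... -- Subject: ...
PHP_MAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*?) -- Subject: (?P<subject>.*)$"
)
# Assumption (a heuristic, not a Centmin Mod or WordPress rule): legitimate mail-sending
# code never lives under upload, cache or temp paths, so a mailer there is a dropped file.
SUSPICIOUS_DIRS = ("/wp-content/uploads/", "/cache/", "/tmp/")

def parse_php_mail_line(line):
    m = PHP_MAIL_RE.match(line)
    return {k: (int(v) if k == "line" else v) for k, v in m.groupdict().items()} if m else None

def analyze_php_maillog(text, max_distinct_rcpts=10):
    """Attribute mail() calls to scripts and flag scripts that look like dropped spam mailers."""
    entries = [e for e in map(parse_php_mail_line, text.splitlines()) if e]
    per_script = Counter(e["script"] for e in entries)
    rcpts = defaultdict(set)
    for e in entries:
        rcpts[e["script"]].add(e["to"])
    findings = {}
    for script in per_script:
        reasons = []
        if any(d in script for d in SUSPICIOUS_DIRS):
            reasons.append("mail() called from a directory that should hold no PHP code")
        if len(rcpts[script]) >= max_distinct_rcpts:
            reasons.append(f"{len(rcpts[script])} distinct recipients")
        if reasons:
            findings[script] = reasons
    return {"entries": entries, "per_script": per_script, "findings": findings}

def originating_script(raw_message):
    """Read the X-PHP-Originating-Script header that mail.add_x_header=On adds ("<uid>:<script>")."""
    value = message_from_string(raw_message).get("X-PHP-Originating-Script")
    if not value or ":" not in value:
        return None
    uid, script = value.split(":", 1)
    return int(uid), script

# Constructed sample log (not from the thread): a test send, a burst from a PHP file dropped
# into the WordPress uploads directory, and one normal WordPress notification.
SAMPLE_PHP_MAILLOG = """\
[29-Jan-2020 23:22:41 UTC] mail() on [/home/nginx/domains/shop.example/public/phptest1.php:4]: To: admin@example.net -- Headers:  -- Subject: Postfix Test
[30-Jan-2020 07:12:01 UTC] mail() on [/home/nginx/domains/blog.example/public/wp-content/uploads/2019/12/cache.php:17]: To: a1@gmail.com -- Headers: From: Shop <noreply@blog.example> -- Subject: Your invoice
[30-Jan-2020 07:12:02 UTC] mail() on [/home/nginx/domains/blog.example/public/wp-content/uploads/2019/12/cache.php:17]: To: a2@web.de -- Headers: From: Shop <noreply@blog.example> -- Subject: Your invoice
[30-Jan-2020 07:12:03 UTC] mail() on [/home/nginx/domains/blog.example/public/wp-content/uploads/2019/12/cache.php:17]: To: a3@yahoo.com -- Headers: From: Shop <noreply@blog.example> -- Subject: Your invoice
[30-Jan-2020 09:30:00 UTC] mail() on [/home/nginx/domains/blog.example/public/wp-includes/pluggable.php:512]: To: owner@blog.example -- Headers: From: WordPress <wordpress@blog.example> -- Subject: [blog] New comment
"""

# Constructed message as a receiving mailbox would see it with mail.add_x_header=On.
SAMPLE_RAW_MESSAGE = "Subject: Your invoice\nX-PHP-Originating-Script: 48:cache.php\n\nbody\n"

if __name__ == "__main__":
    result = analyze_php_maillog(SAMPLE_PHP_MAILLOG, max_distinct_rcpts=3)
    for script, reasons in result["findings"].items():
        print(script, "->", "; ".join(reasons))
    print(originating_script(SAMPLE_RAW_MESSAGE))
```

The caveat the thread itself raises applies: mail.log only records calls that go through PHP's mail() function, so a script that talks SMTP directly or execs sendmail through a shell leaves nothing here, and an empty log is evidence only that the mailer is not using mail(), not that PHP is clean.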
  5. GASTAN

    cool, thx
    I have enabled PHP logging

    cminfo netstat returned:
    Code:
    sudo cminfo netstat
    sed: -e expression #1, char 0: no previous regular expression
    sed: -e expression #1, char 0: no previous regular expression
    ------------------------------------------------------------------
     Centmin Mod Netstat Info:
    ------------------------------------------------------------------
    
    Network Bandwidth In/Out (KB/s):
    venet0  In:  0.04  Out:  0.00
    
    Network Packets   In/Out (pps):
    venet0  In:  1.00  Out:  1.00
    
    Total Connections For:
    Port 80:   80
    Port 443:  80
    
    Unique IP Connections For:
    Port 80:   79
    Port 443:  79
    
    Established Connections For:
    Port 80:   0
    Port 443:  0
    
    TIME_WAIT Connections For:
    Port 80:   79
    Port 443:  0
    
    Top IP Address Connections:
    
    
    Top Outbound Connections:
    
    
    Top CSF Firewall Denied Country Codes:
    48  CN
    27  US
    20  FR
    9   BR
    8   IT
    7   RU
    7   IN
    6   VN
    6   GB
    6   DE
    
    Top CSF Firewall Denied Country Codes + Reverse Lookups:
    44  CN  China      -
    16  US  United     States                   -
    5   RU  Russia     -
    5   KR  Republic   of                       Korea  -
    4   IN  India      -
    4   HK  Hong       Kong                     -
    3   ZA  South      Africa                   -
    3   VN  Vietnam    -
    3   SG  Singapore  -
    3   CN  China      promote.cache-dns.local
    
    Top CSF Firewall Denied Distributed sshd Attacks:
    25  CN  China     -
    5   US  United    States                   -
    4   IN  India     -
    3   VN  Vietnam   -
    3   KR  Republic  of                       Korea  -
    3   HK  Hong      Kong                     -
    3   CN  China     promote.cache-dns.local
    2   TH  Thailand  -
    2   BR  Brazil    -
    1   ZA  South     Africa                   -
    
    Top CSF Firewall Denied Distributed sshd Attacks Target Usernames:
    83  root
    6   admin
    4   test
    3   mqm
    2   mysql
    1   user
    1   tomcat
    
    Top CSF Firewall Failed SSH Logins:
    19  CN  China      -
    11  US  United     States  -
    4   RU  Russia     -
    3   SG  Singapore  -
    2   ZA  South      Africa  -
    2   KR  Republic   of      Korea                                  -
    2   DE  Germany    -
    1   US  United     States  server.mutigroup.com
    1   US  United     States  mail.pin-upgirls.com
    1   US  United     States  ip-132-148-157-96.ip.secureserver.net
    
    Last 24hrs Top CSF Firewall Denied Country Codes:
    
    
    Last 24hrs Top CSF Firewall Denied Country Codes + Reverse Lookups:
    
    
    Last 24hrs Top CSF Firewall Denied Distributed sshd Attacks:
    
    
    Last 24hrs Top CSF Firewall Failed SSH Logins:
    
    I don't see anything special there. Will check on auditd
     
  6. GASTAN

    well, there is nothing (except the test) in the PHP log, but I got nulled again today :(

    what does deferred mean?
    why is it going via my server?
    my port 25 is not enabled.
    should I stop the SMTP server? Then I guess I won't be able to send out emails?
    Can I maybe just disable deferring?

    Code:
    sudo pflogsumm -d yesterday --verbose_msg_detail /var/log/maillog
    Postfix log summaries for Feb  4
    
    Grand Totals
    ------------
    messages
    
          4   received
          2   delivered
          0   forwarded
          7   deferred  (329  deferrals)
          0   bounced
          0   rejected (0%)
          0   reject warnings
          0   held
          0   discarded (0%)
    
      99188   bytes received
      46721   bytes delivered
          2   senders
          2   sending hosts/domains
          2   recipients
          2   recipient hosts/domains
    
    
    Per-Hour Traffic Summary
        time          received  delivered   deferred    bounced     rejected
        --------------------------------------------------------------------
        0000-0100           0          0         12          0          0
        0100-0200           0          0         12          0          0
        0200-0300           0          0         12          0          0
        0300-0400           0          0         12          0          0
        0400-0500           0          0         12          0          0
        0500-0600           0          0         12          0          0
        0600-0700           0          0         12          0          0
        0700-0800           0          1         10          0          0
        0800-0900           0          0          9          0          0
        0900-1000           0          0          9          0          0
        1000-1100           0          0          9          0          0
        1100-1200           0          0          9          0          0
        1200-1300           0          0          9          0          0
        1300-1400           2          0         15          0          0
        1400-1500           1          1         15          0          0
        1500-1600           0          0         15          0          0
        1600-1700           1          0         19          0          0
        1700-1800           0          0         18          0          0
        1800-1900           0          0         18          0          0
        1900-2000           0          0         18          0          0
        2000-2100           0          0         18          0          0
        2100-2200           0          0         18          0          0
        2200-2300           0          0         18          0          0
        2300-2400           0          0         18          0          0
    
    Host/Domain Summary: Message Delivery
     sent cnt  bytes   defers   avg dly max dly host/domain
     -------- -------  -------  ------- ------- -----------
          1    26236       22    15.6 h   15.6 h  electrogor.ru
          1    20485        0    21.0 s   21.0 s  gmail.com
          0        0      249     0.0 s  105.2 h  web.de
          0        0       25     0.0 s    7.6 h  yahoo.com
          0        0       33     0.0 s   10.3 h  t-online.de
    
    Host/Domain Summary: Messages Received
     msg cnt   bytes   host/domain
     -------- -------  -----------
          3    78703   webshop.domain
          1    20485   vps.name
    
    Senders by message count
    ------------------------
          3   [email protected]
          1   [email protected]
    
    Recipients by message count
    ---------------------------
          1   [email protected]
          1   [email protected]
    
    Senders by message size
    -----------------------
      78703   [email protected]
      20485   [email protected]
    
    Recipients by message size
    --------------------------
      26236   [email protected]
      20485   [email protected]
    
    message deferral detail
    -----------------------
      smtp (total: 329)
            76   Host or domain name not found. Name service error for name=web.de type=MX: Host not found, try again
            24   host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb110
            24   host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb112
            24   host mx-ha03.web.de[212.227.15.17] refused to talk to me: 554-web.de (mxweb013
            21   host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb113
            20   host mx-ha03.web.de[212.227.15.17] refused to talk to me: 554-web.de (mxweb011
            20   host mx-ha03.web.de[212.227.15.17] refused to talk to me: 554-web.de (mxweb012
            20   host mx-ha02.web.de[212.227.17.8] refused to talk to me: 554-web.de (mxweb111
            20   host mx-ha03.web.de[212.227.15.17] refused to talk to me: 554-web.de (mxweb010
            19   Host or domain name not found. Name service error for name=yahoo.com type=MX: Host not found, try again
            19   Host or domain name not found. Name service error for name=t-online.de type=MX: Host not found, try again
             6   host mx.yandex.ru[87.250.250.89] said: 450 4.2.1 The recipient has exceeded message rate limit. Try again later. (in reply to RCPT TO command
             6   host mx.yandex.ru[77.88.21.89] said: 450 4.2.1 The recipient has exceeded message rate limit. Try again later. (in reply to RCPT TO command
             5   host mx01.t-online.de[194.25.134.72] refused to talk to me: 554 IP=108.174.49.43 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.
             4   host mx03.t-online.de[194.25.134.73] refused to talk to me: 554 IP=108.174.49.43 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.
             4   host mx.yandex.ru[93.158.134.89] said: 450 4.2.1 The recipient has exceeded message rate limit. Try again later. (in reply to RCPT TO command
             3   host mx.yandex.ru[213.180.204.89] said: 450 4.2.1 The recipient has exceeded message rate limit. Try again later. (in reply to RCPT TO command
             3   host mx00.t-online.de[194.25.134.8] refused to talk to me: 554 IP=108.174.49.43 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.
             3   host mx.yandex.ru[213.180.193.89] said: 450 4.2.1 The recipient has exceeded message rate limit. Try again later. (in reply to RCPT TO command
             2   host mx02.t-online.de[194.25.134.9] refused to talk to me: 554 IP=108.174.49.43 - A problem occurred. (Ask your postmaster for help or to contact [email protected] to clarify.
             2   host mta5.am0.yahoodns.net[98.136.96.91] said: 450 User is receiving mail too quickly tnmpmscs (in reply to RCPT TO command
             1   host mta7.am0.yahoodns.net[67.195.228.110] said: 450 User is receiving mail too quickly tnmpmscs (in reply to RCPT TO command
             1   host mta7.am0.yahoodns.net[67.195.204.73] said: 450 User is receiving mail too quickly tnmpmscs (in reply to RCPT TO command
             1   host mta6.am0.yahoodns.net[67.195.228.110] said: 450 User is receiving mail too quickly tnmpmscs (in reply to RCPT TO command
             1   host mta7.am0.yahoodns.net[67.195.228.111] said: 450 User is receiving mail too quickly tnmpmscs (in reply to RCPT TO command
    
    message bounce detail (by relay): none
    
    message reject detail: none
    
    message reject warning detail: none
    
    message hold detail: none
    
    message discard detail: none
    
    smtp delivery failures: none
    
    Warnings: none
    
    Fatal Errors: none
    
    Panics: none
    
    Master daemon messages: none
    

    Code:
     telnet
    telnet> o localhost 25
    Trying ::1...
    Connected to localhost.
    Escape character is '^]'.
    220 vps.name ESMTP
    
     
  7. eva2000

    https://serverfault.com/questions/443510/how-to-stop-deferred-emails

    probably deferred as you've been null routed so network connectivity isn't available, or your VPS server IP has been listed in spam blacklist databases now so receiving-end mail servers are rejecting your emails, i.e. the 'refused to talk to me:' messages.

    if you set up php mail logging correctly and don't see anything logged, then either spam is being sent out via php with a function other than the mail functions and/or spam is being sent out using something other than php scripts.

    You'll have to figure that out on your own end then.
     
  8. eva2000

    the email in your postfixlog output shows wordpress spam https://cleantalk.org/blacklists/[email protected] spam report, so probably focus on the wordpress site to see if you've been compromised at the wordpress level, i.e. bad/insecure wordpress plugins and/or themes

    i.e. bad 3rd party wordpress contact form plugins etc
     
  9. eva2000

    Centmin Mod 123.09beta01 centmin.sh menu option 22 wordpress installs also install the Sucuri Wordpress plugin by default, which has a file integrity scanner you can run to check wordpress files - it will also report files it doesn't recognise, i.e. centmin mod default html files or your own, so you can see what you recognise or not. See screenshots at https://community.centminmod.com/th...l-vs-centmin-sh-menu-option-22-install.15435/. If you installed wordpress before 123.09beta01 auto-installed the Sucuri wordpress plugin, then you can get it at https://en-au.wordpress.org/plugins/sucuri-scanner/
     
  10. eva2000

  11. GASTAN

    it was most likely the contact form in PrestaShop
    I removed it, disabled local SMTP, and WordPress emailing is done via Zoho free

    thx