  1. #1
    Member dev.null's Avatar
    Join Date
    May 2003
    Posts
    71

    how to redirect account-generated emails

    I have an account that hosts WordPress, which has been compromised. It keeps sending out spam emails. The "nice" thing is the emails are from the hosting account address (i.e. account@hosting.server.com), and not from a fictitious account or another real account on the hosted website.

    Is there a quick rule I can put in exim that would either (a) delete/ignore any emails or (b) redirect the emails to another account for examination?

    Thanks!
    /dev/null
    Your local neighborhood null device.

  2. #2
    cPanel Staff cPanelTristan's Avatar
    Join Date
    Oct 2010
    Location
    somewhere over the rainbow
    Posts
    6,305
    cPanel/Enkompass Access Level

    Root Administrator

    Re: how to redirect account-generated emails

    I certainly couldn't advise deleting or ignoring spam emails that your compromised site is sending. It seems you would want to be aware any account is compromised and be checking the emails it is spamming out. That's part of server administration.

    Next, why do the emails need to be redirected to another account rather than using the default user of that account's email? You could always use the SMTP authentication plugin for WordPress to have any account used for sending that you log into on the server. Under SMTP authentication, the emails should be sent by the user who authenticates. Here is a link to that plugin:

    WordPress › WP Mail SMTP « WordPress Plugins
    -- Tristan, Forums Technical Analyst, cPanel Tech Support

  3. #3
    Member dev.null's Avatar
    Join Date
    May 2003
    Posts
    71

    Re: how to redirect account-generated emails

    Originally posted by cPanelTristan:
    > I certainly couldn't advise deleting or ignoring spam emails that your compromised site is sending. It seems you would want to be aware any account is compromised and be checking the emails it is spamming out. That's part of server administration.

    You're 100% right - that's why I'd prefer to have them sent to an email address I can monitor and not have them sent out "for real".

    Originally posted by cPanelTristan:
    > Next, why do the emails need to be redirected to another account rather than using the default user of that account's email?

    I'm not really understanding your question. The default account is not *receiving* the emails, it's the one *sending* the spam. So I'm not really interested in the *inbound* email going to that account, I'm interested in the *outbound* spam that it's sending.

    If I'm not understanding what you're saying, please do take the time to clarify.

    Originally posted by cPanelTristan:
    > You could always use the SMTP authentication plugin for wordpress to have any account used for sending that you log into on the server. Under SMTP authentication, the emails should be sent by the user who authenticates. Here is a link to that plugin:
    >
    > WordPress › WP Mail SMTP « WordPress Plugins

    Most compromised WordPress installs don't send email through the existing WordPress code. Most of them use WordPress to set up their own send_email.php type script that they call directly, outside of WordPress, to send emails. Such is this case.
    /dev/null
    Your local neighborhood null device.
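
Added example, not part of any poster's reply: a rogue script that calls the mailer directly, as described in the post above, can be located from the Exim main log by pairing each `cwd=` line with the local arrival (`<=`, `P=local`) that follows it. The log lines, paths and the `local_submission_dirs` helper are constructed for illustration, and the pairing assumes Exim is logging command arguments so that `cwd=` lines are present.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log format (not taken from the thread).
SAMPLE_LOG = """\
2011-06-01 03:10:01 cwd=/home/account/public_html/wp-content/uploads/2011 3 args: /usr/sbin/sendmail -t -i
2011-06-01 03:10:01 1QRabc-0001Xy-AB <= account@hosting.server.com U=account P=local S=1432
2011-06-01 03:10:02 cwd=/home/account/public_html/wp-content/uploads/2011 3 args: /usr/sbin/sendmail -t -i
2011-06-01 03:10:02 1QRabd-0001Xz-CD <= account@hosting.server.com U=account P=local S=1398
2011-06-01 03:11:40 cwd=/home/other/public_html 3 args: /usr/sbin/sendmail -t -i
2011-06-01 03:11:40 1QRabe-0001Y0-EF <= other@hosting.server.com U=other P=local S=2210
2011-06-01 03:12:05 1QRabf-0001Y1-GH <= someone@example.org H=mail.example.org [192.0.2.10] P=esmtp S=5120
2011-06-01 03:12:30 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
"""

CWD_RE = re.compile(r"^\S+ \S+ cwd=(?P<cwd>\S+) \d+ args: (?P<args>.*)$")
ARRIVAL_RE = re.compile(r"^\S+ \S+ (?P<id>\S+) <= (?P<sender>\S+) (?P<rest>.*)$")


def local_submission_dirs(log_text, sender):
    """Count working directories of local submissions with this envelope sender.

    Heuristic: a cwd= line is attributed to the next arrival line only, so
    heavily interleaved logs may need matching on more than adjacency.
    """
    counts = Counter()
    pending_cwd = None
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            # Keep only sendmail-style invocations; queue runners are not submissions.
            pending_cwd = m.group("cwd") if "sendmail" in m.group("args") else None
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            fields = m.group("rest").split()
            if pending_cwd and "P=local" in fields and m.group("sender") == sender:
                counts[pending_cwd] += 1
            pending_cwd = None  # each cwd= line is consumed by one arrival
    return counts


if __name__ == "__main__":
    for path, n in local_submission_dirs(SAMPLE_LOG, "account@hosting.server.com").most_common():
        print(f"{n:5d}  {path}")
```

The directory with the highest count is where to look for the script that is submitting the mail.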

  4. #4
    Member
    Join Date
    May 2011
    Posts
    238
    cPanel/Enkompass Access Level

    Root Administrator

    Re: how to redirect account-generated emails

    Based on what I have understood:
    A WP site is receiving junk enquiries / spam posts through the forms or is sending out mail through a compromised mailing script.

    Solution:
    You need to disable sending through the 'nobody' user on your server.

    WHM >> Tweak Settings >> Mail >> Prevent “nobody” from sending mail.


    This will require all users on your server to use SMTP Authentication (use a valid email id and password to send mail). For any user that does not use SMTP Authentication, form submissions will be forwarded to the root address and the message will be discarded.

    But do note that if the site is compromised, the root address will be flooded with junk mail.

    You should be seriously looking at plugging the vulnerabilities too.

    Hope this is what you wanted.
