Account sending emails from wordpress problem

Discussion in 'E-mail Discussion' started by leonep, Jun 13, 2019.

  1. leonep

    leonep Well-Known Member

    Hi,
    I have an account sending mails from a WP website.

    example:
    Code:
    Event: success success
    Sender User: xxxx
    Sender Domain: example.com
    From Address: [email protected]
    Sender: xxx
    Sent Time: Jun 13, 2019, 9:13:09 AM
    Sender Host: localhost
    Sender IP: 127.0.0.1
    Authentication: localuser
    Spam Score: 3.5
    Recipient: [email protected]
    Delivered To: [email protected]
    Delivery User: -remote-
    Delivery Domain:
    Router: dkim_lookuphost
    Transport: dkim_remote_smtp
    Out Time: Jun 13, 2019, 9:13:09 AM
    ID: 1hbJva-0006fR-1o
    Delivery Host: mx3.example.org
    Delivery IP: 203.205.xxx.xx
    Size: 900 bytes
    Result: Accepted
    
    Path: '/home/xxxx/public_html/wp-admin'
    Count: 101 emails sent
    
    Sample of the first 10 emails:
    Code:
    2019-06-13 08:20:55 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:31:34 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:31:51 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:32:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:32:26 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:32:37 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:32:48 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:32:59 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:33:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    2019-06-13 08:33:20 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
    
    Possible Scripts:
    Code:
    '/home/xxx/public_html/wp-admin/user-edit.php'
    '/home/xxx/public_html/wp-admin/user-new.php'
    '/home/xxx/public_html/wp-admin/install.php'
    '/home/xxx/public_html/wp-admin/network.php'
    '/home/xxx/public_html/wp-admin/ms-delete-site.php'
    '/home/xxx/public_html/wp-admin/comment.php'
    
    I have the latest version of WP and all plugins updated. I changed the user password for WP and cPanel. What can I do about this? Thanks
     
    #1 leonep, Jun 13, 2019
    Last edited by a moderator: Jun 13, 2019
  2. fuzzylogic

    fuzzylogic Well-Known Member

    Most likely your website's contact form is being abused due to no captcha, weak spam protection, or a challenge answer viewable in the HTML.

    If your contact form sends using an AJAX request, the request will most likely POST to /wp-admin/admin-ajax.php,
    hence the /home/xxx/public_html/wp-admin script location.

    This spam will be addressed to the website owner in most cases, but some contact forms offer the rather stupid option of sending a copy to yourself (the spammer addresses this field to the spam victim).

    I have seen WordPress themes with contact forms that print the website owner's address in the HTML, then POST that back to the server to be used for the To: header when constructing the email (which allows simple automated abuse).

    The files you listed are all names of legitimate WordPress files, but that does not mean they have not been altered.
    It is also possible your site is compromised and has other code on it. If you think this is the case, install the free Wordfence WordPress plugin and run a scan.
     
    cPanelLauren and Infopro like this.
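
An added example (not part of any post in this thread): a Python script that groups `cwd=` log lines like those quoted in the first post by working directory and measures the gap between submissions, so a steady automated flow from one script location stands out. The sample lines, the `/home/yyy` path, the function names and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the format of the log lines quoted in the thread.
# Paths and times are made up; the /var/spool line stands in for Exim's own activity.
SAMPLE_LOG = """\
2019-06-13 08:31:34 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:31:51 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:09 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:32:26 cwd=/home/xxx/public_html/wp-admin 4 args: /usr/sbin/sendmail -odb -t -i
2019-06-13 08:40:02 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2019-06-13 09:05:10 cwd=/home/yyy/public_html 4 args: /usr/sbin/sendmail -t -i
malformed line without a timestamp
"""

CWD_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) cwd=(\S+) \d+ args: (.*)$")

def summarize_senders(log_text, ignore_prefixes=("/var/spool",)):
    """Group script-originated submissions by working directory."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        m = CWD_LINE.match(line)
        if not m or m.group(2).startswith(ignore_prefixes):
            continue  # skip malformed lines and the mail server's own directories
        times[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    report = {}
    for cwd, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[cwd] = {"count": len(stamps),
                       "median_gap_s": median(gaps) if gaps else None}
    return report

def flag_automated(report, min_count=3, max_gap_s=60):
    """Directories sending often and at a short, steady interval look scripted."""
    return sorted(cwd for cwd, r in report.items()
                  if r["count"] >= min_count
                  and r["median_gap_s"] is not None
                  and r["median_gap_s"] <= max_gap_s)

if __name__ == "__main__":
    rep = summarize_senders(SAMPLE_LOG)
    for cwd, r in sorted(rep.items(), key=lambda kv: -kv[1]["count"]):
        print(f'{r["count"]:5d}  median gap {r["median_gap_s"]} s  {cwd}')
    print("review first:", flag_automated(rep))
```

A flagged `wp-admin` directory is consistent with form submissions posted to admin-ajax.php, as described in the reply above, so the next step is checking the web access log for POST requests at the same timestamps.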
  3. leonep

    leonep Well-Known Member

    Yes, in fact, removing the contact form stops the mail flow. I must find another, more robust contact form plugin.
    Thanks
     
  4. cPanelLauren

    cPanelLauren Forums Analyst II Staff Member

    Glad you were able to identify the source of the issue. Maybe some others here can give you advice on which contact forms they use for their WordPress installations.
     