LFD mail relay emails... Tons of them

jim.thornton (Verified User, joined Jan 1, 2008, 334 messages)
I've been getting a ton of mail relay messages. The user mentioned in the logs is running Joomla. I have since installed a CAPTCHA on her contact page so that external scripts can't send mass emails through her contact form. However, I'm still getting a ton of these emails.

I don't know how to check how many emails have been sent out. It seems that DA is only reporting the number that were sent up to yesterday and doesn't include today. However, I have DA set to block emails at 100 emails per day. Yet again, I'm still getting these LFD alerts.

Please check out my error log: http://pastebin.com/TrncieZS

Could someone please tell me how to stop this? I went to a website to test it, but the test couldn't go through because it said port 25 is closed. I set that up because I thought it would avoid this issue.

Please advise. Any help is greatly appreciated.
 
Well... the paste has been removed so we can't see anything there. You can also copy and paste a piece of the log in here between code or quote tags.

However, a contact page is not the only thing on a Joomla installation via which abusive persons can send mass emails.
The problem can also be caused by a leak script or even a problematic theme.

So what you want to do is to find out exactly which php file/script is causing the problem. You have to check your logs for that.
Also you might want to add the following in your /etc/exim.conf in the "log_selector" part, if not present already:
Code:
+connection_reject \
+address_rewrite \
+all_parents \
+arguments \

I presume you're already using mod_ruid2 or suphp?
 
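Once `+arguments` is in `log_selector`, Exim writes a `cwd=... N args: ...` line for every invocation, which is what lets you tie a submission back to the directory (and so the script) that called sendmail. The script below is an added example, not something posted in this thread or shipped with DirectAdmin: it parses a constructed sample of such lines, counts submissions per calling directory and per DirectAdmin user for a given day (today included, which the DA bandwidth page does not show), and flags whoever is over a limit. It assumes the standard DirectAdmin home layout `/home/<user>/domains/<domain>/public_html` and that PHP's `mail()` goes through `sendmail_path` (default `/usr/sbin/sendmail -t -i`), which is how it separates script submissions from cron queue runs.

```python
import re
from collections import Counter

# Exim writes one line of this shape for every invocation once "+arguments"
# is in log_selector (caller's working directory, then argc and argv):
#   2013-05-14 10:00:00 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
# Paths containing spaces are not handled by the \S+ below.
CWD_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"cwd=(?P<cwd>\S+) (?P<argc>\d+) args: (?P<argv>.*)$"
)
# DirectAdmin home layout assumed here: /home/<user>/domains/<domain>/public_html
HOME_USER = re.compile(r"^/home/(?P<user>[^/]+)/")

# Constructed sample log, not real server data. It mixes a cron queue run,
# an ordinary "<=" arrival line, an entry from the previous day, a second
# user, and a burst of submissions from a Joomla tmp/ directory, which is
# where a dropped mailer script would typically sit.
ALICE_DOCROOT = "/home/alice/domains/example.com/public_html"
SAMPLE_MAINLOG = "\n".join(
    [
        "2013-05-13 23:58:10 cwd=%s/tmp 3 args: /usr/sbin/sendmail -t -i" % ALICE_DOCROOT,
        "2013-05-14 03:00:01 cwd=/ 2 args: /usr/sbin/exim -q",
        "2013-05-14 09:12:07 cwd=%s 5 args: /usr/sbin/sendmail -t -i -f alice@example.com" % ALICE_DOCROOT,
        "2013-05-14 09:12:07 1UcDEF-0001aB-Cd <= alice@example.com U=alice P=local S=1432",
        "2013-05-14 09:15:40 cwd=%s 5 args: /usr/sbin/sendmail -t -i -f alice@example.com" % ALICE_DOCROOT,
        "2013-05-14 11:00:00 cwd=/home/bob/domains/bob.example/public_html 3 args: /usr/sbin/sendmail -t -i",
    ]
    + ["2013-05-14 10:%02d:00 cwd=%s/tmp 3 args: /usr/sbin/sendmail -t -i" % (i, ALICE_DOCROOT)
       for i in range(5)]
)


def sendmail_invocations(log_text):
    """Yield (date, cwd) for each sendmail-style call logged by +arguments.

    PHP's mail() runs sendmail_path, by default "/usr/sbin/sendmail -t -i",
    so argv[0] ending in "sendmail" separates script submissions from
    daemon starts and cron queue runs such as "/usr/sbin/exim -q".
    """
    for line in log_text.splitlines():
        m = CWD_LINE.match(line)
        if not m:
            continue
        argv0 = m.group("argv").split()[0]
        if argv0.endswith("sendmail"):
            yield m.group("date"), m.group("cwd")


def submissions_per_dir(log_text, date):
    """Count submissions per calling directory on one day (today included)."""
    return Counter(cwd for d, cwd in sendmail_invocations(log_text) if d == date)


def submissions_per_user(log_text, date):
    """Roll the per-directory counts up to the DirectAdmin user owning the home."""
    counts = Counter()
    for d, cwd in sendmail_invocations(log_text):
        if d != date:
            continue
        m = HOME_USER.match(cwd)
        counts[m.group("user") if m else cwd] += 1
    return counts


def over_limit(counts, limit):
    """Return [(key, count)] for entries above the limit, busiest first."""
    return sorted(((k, n) for k, n in counts.items() if n > limit),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    day = "2013-05-14"
    for cwd, n in submissions_per_dir(SAMPLE_MAINLOG, day).most_common():
        print("%5d  %s" % (n, cwd))
    # The thread's DirectAdmin limit is 100/day; 3 is used here only so the
    # constructed sample trips it.
    print("over limit:", over_limit(submissions_per_user(SAMPLE_MAINLOG, day), 3))
```

On a real server you would feed it `/var/log/exim/mainlog` and today's date; the directory with the highest count is where to start looking for the script. A count under the public_html root is what the legitimate Joomla contact component produces, while a burst from `tmp/`, `cache/`, `images/` or a component directory that should not send mail at all is the usual sign of an injected mailer.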
Thank you! I'm not sure why the paste expired, I thought I chose 1 week, but I must have chosen 1 day.

But, that's okay... I read some more and saw that if you go to the Bandwidth usage section and then click on Email usage that it shows the script in the bottom of the screen. It looks like the site must have been hacked at some point. I scanned it with a tool that I found that was really good. It compared all the original files to those on the server. I discovered that there were a bunch of files that were on there that shouldn't have been there. I removed all extra unneeded components from joomla and just re-installed the ones that I needed. I then went through the site and removed 69 more files manually.

Wow! It was a lot of work, but the emails have stopped and it seems to be okay now.
 
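The approach that worked above, comparing the live site against the original files, can be done with a short script rather than a third-party tool. The following is an added example and is not the tool jim.thornton used or anything from the Joomla project: it hashes a clean reference tree (assumed to be an unpacked download of the same Joomla version) and the live docroot, then reports files that are extra, modified or missing. The one design point worth noting is how it treats upload and cache directories: non-executable extras there (images, cached pages) are expected and ignored, but an extra `.php` file anywhere, including `images/` or `tmp/`, is always reported, because that is where dropped mailer scripts end up. The directory names, the `configuration.php` exception and the sample trees are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the web server or PHP handler would execute. An extra file with
# one of these inside a data directory is exactly what this check is for.
EXECUTABLE_EXT = {".php", ".phtml", ".php3", ".php5", ".phar", ".inc"}
# Directories that legitimately differ between a clean download and a live
# site (uploads, caches, logs); non-executable extras there are ignored.
DATA_DIRS = ("images/", "media/", "cache/", "tmp/", "logs/")
# Files that exist only on a configured install, so never counted as extra.
SITE_SPECIFIC = {"configuration.php"}


def hash_tree(root):
    """Return {relative posix path: sha256 hex} for every regular file under root."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare_trees(clean, live):
    """Diff a live site against a clean reference of the same version.

    Returns a dict with three sets:
      extra    - live files absent from the reference (executable ones
                 anywhere, anything at all outside DATA_DIRS)
      modified - files present in both whose content differs
      missing  - reference files the live site lacks
    """
    extra, modified, missing = set(), set(), set()
    for rel, digest in live.items():
        if rel in SITE_SPECIFIC:
            continue
        if rel not in clean:
            in_data_dir = rel.startswith(DATA_DIRS)
            if not in_data_dir or Path(rel).suffix.lower() in EXECUTABLE_EXT:
                extra.add(rel)
        elif clean[rel] != digest:
            modified.add(rel)
    for rel in clean:
        if rel not in live:
            missing.add(rel)
    return {"extra": extra, "modified": modified, "missing": missing}


def _write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Build a constructed clean tree and a tampered live tree, then compare them."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        core = {
            "index.php": b"<?php // front controller (constructed)\n",
            "libraries/joomla/mail/mail.php": b"<?php class JMail {} // constructed\n",
            "htaccess.txt": b"# shipped sample .htaccess (constructed)\n",
            "images/logo.png": b"\x89PNG constructed\n",
        }
        for rel, data in core.items():
            _write(clean, rel, data)
            _write(live, rel, data)
        # Tampering of the kind found on the compromised site in the thread:
        _write(live, "libraries/joomla/mail/mail.php",
               core["libraries/joomla/mail/mail.php"] + b"/* injected stub (constructed) */\n")
        _write(live, "images/.cache.php", b"<?php /* dropped mailer stub (constructed) */\n")
        # Legitimate differences that must not be reported:
        _write(live, "configuration.php", b"<?php class JConfig {} // constructed\n")
        _write(live, "images/upload.jpg", b"\xff\xd8 constructed jpeg\n")
        os.remove(os.path.join(live, "htaccess.txt"))
        return compare_trees(hash_tree(clean), hash_tree(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for rel in sorted(paths):
            print(kind.upper(), rel)
```

Run against a real site as `compare_trees(hash_tree("/path/to/clean-joomla"), hash_tree("/home/user/domains/example.com/public_html"))`. Installed extensions will show up as extra until you add a clean copy of each to the reference, which is why reinstalling only the components actually needed, as done above, keeps the diff small enough to read.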
It's nice to hear you found it that way.

If possible and not present yet, it might be a good idea to install Maldet on your server.
It's already DA compatible so the instructions about adjusting the crontab are not needed anymore.
 