Solved Domain is sending out spam email from default account email

xerox

Hello,

I discovered that one of my DirectAdmin accounts, which has WordPress installed, is sending out email from the default email address, e.g. [email protected].

The email is going to [email protected].

How do I track where it is sending out from and how, and finally how do I stop the spam?

Any ideas?
 
Hm, all I see is this (domain modified as random.com):

Code:
451=type=email&[email protected]&method=outgoing&id=1n02hZ-0007WY-6c&authenticated_id=randomcom&sender_host_address=&log_time=1640183685&message_size=451&local_part=sunsmasler&domain=gmail.com&path=/home/randomcom/domains/random.com/public_html/wp-admin
143=type=email&email=&method=outgoing&id=1n02ha-0007Wf-IS&authenticated_id=randomcom&sender_host_address=&log_time=1640183686&message_size=143&local_part=sunsmasler&domain=gmail.com&path=/home/randomcom/domains/random.com/public_html/wp-admin
 
With WordPress, I see many websites that are outdated and use unsecured forms. An outdated WP core, plugins and themes can be exploited. These unsecured forms can be exploited for sending spam. And in case these WordPress websites use the default mail() function, you will see outgoing emails from the default email account (DA username).

DA has some tools such as BlockCracking and EasySpamFighter, have you tried them? Or use other paid solutions such as SpamExperts or MailChannels.
 
chattr +i = best protection!
but a lot of our users with old websites are still using this method :)
 
Found a way to recognize where it comes from.

Took a look at the DirectAdmin user's dashboard -> Email usage.
There was a WordPress plugin which was executed from a PHP file, port 4881.

Also I changed both passwords and closed that port.

Thanks!
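
An added example, not part of the thread: a small Python script that groups usage-log lines like the ones posted above by DirectAdmin user and `path`, so the directory whose scripts send the most mail stands out. The field layout is inferred from the two lines quoted in the thread; the sample lines, their addresses and ids are constructed, and `log_time` is assumed to be epoch seconds.

```python
import sys
from collections import Counter
from urllib.parse import parse_qs

# Constructed sample in the layout of the two lines quoted in the thread:
# "<size>=key=value&key=value...". Addresses, ids and the /contact path are made up.
BASE = "/home/randomcom/domains/random.com/public_html"
TPL = ("{size}=type=email&email=randomcom@random.com&method=outgoing&id={id}"
       "&authenticated_id=randomcom&sender_host_address=&log_time={t}"
       "&message_size={size}&local_part={lp}&domain={dom}&path={path}")
SAMPLE = [
    TPL.format(size=451, id="AAA-1", t=1640183685, lp="rcpt1", dom="example.net", path=BASE + "/wp-admin"),
    TPL.format(size=143, id="AAA-2", t=1640183686, lp="rcpt1", dom="example.net", path=BASE + "/wp-admin"),
    TPL.format(size=500, id="AAA-3", t=1640183690, lp="rcpt2", dom="example.org", path=BASE + "/wp-admin"),
    TPL.format(size=900, id="AAA-4", t=1640190000, lp="rcpt3", dom="example.com", path=BASE + "/contact"),
    "not a usage line",
]

def parse_line(line):
    """Split '<size>=<query string>' into a dict of fields; None if malformed."""
    size, sep, query = line.strip().partition("=")
    if not sep or not size.isdigit():
        return None
    fields = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    fields["size"] = int(size)
    return fields

def summarize(lines):
    """Group outgoing messages by (authenticated_id, path), busiest first."""
    groups = {}
    for line in lines:
        f = parse_line(line)
        if f is None or f.get("method") != "outgoing":
            continue  # skip malformed lines and anything that is not outgoing mail
        key = (f.get("authenticated_id", ""), f.get("path") or "(no path logged)")
        g = groups.setdefault(key, {"count": 0, "bytes": 0, "domains": Counter(), "times": []})
        g["count"] += 1
        g["bytes"] += f["size"]
        g["domains"][f.get("domain", "")] += 1
        if f.get("log_time", "").isdigit():
            g["times"].append(int(f["log_time"]))  # assumed to be epoch seconds
    return sorted(groups.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    # Pass a file of usage lines as the first argument, or run on the sample.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for (user, path), g in summarize(lines):
        span = max(g["times"]) - min(g["times"]) if g["times"] else 0
        print(f"{g['count']:>5} msgs {g['bytes']:>8} B over {span}s  {user}  {path}  "
              f"top domains: {g['domains'].most_common(3)}")
```

A directory that sends many messages within a few seconds to a handful of recipient domains is the place to start looking for the script or plugin behind the spam.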
 