• Resolved yokemate

    (@yokemate)


    Recently I have started to open the user registration for my WordPress website.

    I use the WP Mail SMTP plugin to send out activation emails.

    First, I used my personal email settings as the mailer for WP Mail SMTP. After a few hours, my email account was blocked by my email provider. I found out that there were a lot of junk emails in the SENT box of the email account.

    Then, I changed the mailer to Sendinblue. After just a couple of hours, I was advised by Sendinblue that “The credit limit for your Sendinblue SMTP account has been reached.” After checking the logs, I found the mailer was used to send all sorts of junk mail:

    Events Date Subject From To Tags
    Sent 13-12-2020 18:02:35 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Delivered 13-12-2020 18:02:32 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Sent 13-12-2020 18:02:31 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Delivered 13-12-2020 18:01:24 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Sent 13-12-2020 18:01:23 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Delivered 13-12-2020 18:01:20 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Sent 13-12-2020 18:01:20 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Delivered 13-12-2020 18:00:30 Subject: You got a message “Билет сгорит завтра” [email protected] None
    Sent 13-12-2020 18:00:30 Subject: You got a message “Билет сгорит завтра” [email protected] None
    Delivered 13-12-2020 18:00:26 Subject: You got a message “Билет сгорит завтра” [email protected] None
    Sent 13-12-2020 18:00:25 Subject: You got a message “Билет сгорит завтра” [email protected] None
    Delivered 13-12-2020 17:59:10 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Delivered 13-12-2020 17:59:10 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Sent 13-12-2020 17:59:06 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Sent 13-12-2020 17:59:05 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Delivered 13-12-2020 17:57:56 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Sent 13-12-2020 17:57:56 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Delivered 13-12-2020 17:57:55 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Sent 13-12-2020 17:57:55 Subject: You got a message “Новейший тираж с вашим участием” [email protected] None
    Delivered 13-12-2020 17:57:03 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Sent 13-12-2020 17:57:03 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Delivered 13-12-2020 17:57:02 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Sent 13-12-2020 17:57:02 Subject: You got a message “Необходимо ваше действие” [email protected] None
    Delivered 13-12-2020 17:56:56 Subject: You got a message “Завтра последний день тиража” [email protected] None
    Sent 13-12-2020 17:56:56 Subject: You got a message “Завтра последний день тиража” [email protected] None

    Can anyone please help?


Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Gregor Capuder

    (@capuderg)

    Hi @yokemate,

    it looks like your site might have been compromised. Our plugin only sends the emails through the mailer that you configure, but the actual emails are sent via the wp_mail function. This WordPress function is used by WP core, themes, plugins, and custom scripts.

    It might be the case that your site was already sending these spam emails for a while, but you just didn’t notice, because you didn’t have any logs.

    I would advise you to contact your hosting company and ask them for help with this issue. And I would also advise you to read this article, since it might have some valuable information.

    Take care!
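
One way to get the missing logs for the wp_mail path described in the reply above, as an added example that is not part of the thread and is not WP Mail SMTP code: a must-use plugin that records which plugin, theme or core file called wp_mail() and on which request. The file name and the mcl_* helper names are hypothetical.

```php
<?php
// Added example, not WP Mail SMTP code. Assumed (hypothetical) location:
// wp-content/mu-plugins/mail-caller-log.php; the mcl_* names are made up here.

// Strip control characters so attacker-supplied subjects or URIs cannot forge log lines.
function mcl_clean( $value ) {
    return preg_replace( '/[\x00-\x1F\x7F]+/', ' ', (string) $value );
}

// Map a file path to "plugin:<slug>", "theme:<slug>" or "core-or-other".
function mcl_classify_file( $file, $plugin_dir, $theme_root ) {
    $file = str_replace( '\\', '/', $file );
    foreach ( array( 'plugin' => $plugin_dir, 'theme' => $theme_root ) as $kind => $root ) {
        $root = rtrim( str_replace( '\\', '/', $root ), '/' ) . '/';
        if ( 0 === strpos( $file, $root ) ) {
            // The first path segment under the root is the plugin or theme folder.
            return $kind . ':' . strtok( substr( $file, strlen( $root ) ), '/' );
        }
    }
    return 'core-or-other';
}

// In a backtrace, the frame for wp_mail() carries the file and line that called it.
function mcl_find_caller( array $trace ) {
    foreach ( $trace as $frame ) {
        if ( isset( $frame['function'], $frame['file'] ) && 'wp_mail' === $frame['function'] ) {
            return array( $frame['file'], isset( $frame['line'] ) ? (int) $frame['line'] : 0 );
        }
    }
    return array( 'unknown', 0 );
}

if ( function_exists( 'add_filter' ) ) {
    // The 'wp_mail' filter receives to/subject/message/headers/attachments before sending.
    add_filter( 'wp_mail', function ( $args ) {
        list( $file, $line ) = mcl_find_caller( debug_backtrace( DEBUG_BACKTRACE_IGNORE_ARGS ) );
        $to     = is_array( $args['to'] ) ? implode( ',', $args['to'] ) : $args['to'];
        $method = isset( $_SERVER['REQUEST_METHOD'] ) ? $_SERVER['REQUEST_METHOD'] : 'CLI';
        $uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-';
        $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
        error_log( sprintf(
            '[wp_mail] source=%s caller=%s:%d to=%s subject="%s" request="%s %s" ip=%s',
            mcl_classify_file( $file, WP_PLUGIN_DIR, get_theme_root() ),
            mcl_clean( $file ), $line, mcl_clean( $to ), mcl_clean( $args['subject'] ),
            mcl_clean( $method ), mcl_clean( $uri ), mcl_clean( $ip )
        ) );
        return $args; // Pass the message through unchanged.
    } );
}
```

Entries go to the PHP error log. A run of lines with the same `source=` and `request=` values shows which component and which URL on the site are generating the mail.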

    Thread Starter yokemate

    (@yokemate)

    Thank you for the information.

    I don’t think the wp_mail is working, that’s why we use WP Mail SMTP, right?

    I do have the access.log here:

    
    74.120.14.56 - - [11/Dec/2020:23:39:04 +1100] "GET / HTTP/1.1" 403 146 "-" "-"
    74.120.14.56 - - [11/Dec/2020:23:39:04 +1100] "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03\x85z\xDD\xA4\x84Z\xA0\xB66\xBE9\xC1\xBBW}\xDEK\x07p\xA0\x17d\xFCxz\xF1\xBAtFG_\xF0\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-"
    74.120.14.56 - - [11/Dec/2020:23:39:04 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    209.17.96.34 - - [12/Dec/2020:07:48:10 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; https://cloudsystemnetworks.com)"
    209.17.97.66 - - [13/Dec/2020:10:58:29 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; https://cloudsystemnetworks.com)"
    167.248.133.40 - - [13/Dec/2020:11:38:21 +1100] "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03\xFAXs\x9A\xF3n!\xE0\x0C\xB42\xDB\xFC\x1B\x98\xD8\x03\xE1\xAD\x08\xFB\xAF\x0C\x9C\x9F\xA4\x88\xA159\xF8\xDE\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-"
    167.248.133.40 - - [13/Dec/2020:11:38:22 +1100] "GET / HTTP/1.1" 403 146 "-" "-"
    167.248.133.40 - - [13/Dec/2020:11:38:22 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    74.120.14.56 - - [13/Dec/2020:13:55:00 +1100] "GET / HTTP/1.1" 403 146 "-" "-"
    74.120.14.56 - - [13/Dec/2020:13:55:01 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    74.120.14.56 - - [13/Dec/2020:13:55:02 +1100] "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03Q+6\xD6\x84u\xB7\xD6z\x89U\x16\x87\xA2\x229H\x08S\xEB\x97\xB7\xD7\xCAG.\x9B\x94_\x96x\xC7\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-"
    167.248.133.39 - - [14/Dec/2020:05:03:06 +1100] "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03:\x92\xF3\xAB\x127~4\xE1\xCD\xA8Y\x01\xDB|,\xB1\xE9m\x8B\x95\xFD\xB5\xBFE\xB6\xF0\xFC\x89\x09\x10\xEC\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-"
    167.248.133.39 - - [14/Dec/2020:05:03:07 +1100] "GET / HTTP/1.1" 403 146 "-" "-"
    167.248.133.39 - - [14/Dec/2020:05:03:07 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    162.142.125.53 - - [14/Dec/2020:08:17:58 +1100] "GET / HTTP/1.1" 403 146 "-" "-"
    162.142.125.53 - - [14/Dec/2020:08:17:58 +1100] "\x16\x03\x01\x00{\x01\x00\x00w\x03\x03(\xF9+\x96;.N\x8F4\xBA\xF1\xDF\xD9P]\x83[!\x89n%\xC0\xEF\xA2\xB6h\xB8 \xFE\xA0\xFD\xD5\x00\x00\x1A\xC0/\xC0+\xC0\x11\xC0\x07\xC0\x13\xC0\x09\xC0\x14\xC0" 400 150 "-" "-"
    162.142.125.53 - - [14/Dec/2020:08:17:58 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; CensysInspect/1.1; +https://about.censys.io/)"
    206.189.182.216 - - [14/Dec/2020:10:38:57 +1100] "GET / HTTP/1.0" 403 146 "-" "-"
    209.17.96.178 - - [14/Dec/2020:14:41:04 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; https://cloudsystemnetworks.com)"
    112.213.126.151 - - [14/Dec/2020:18:43:27 +1100] "GET /pma HTTP/1.1" 404 548 "https://54.79.226.8:888/pma" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
    209.17.97.2 - - [15/Dec/2020:13:48:16 +1100] "GET / HTTP/1.1" 403 146 "-" "Mozilla/5.0 (compatible; Nimbostratus-Bot/v1.3.2; https://cloudsystemnetworks.com)"
    

    I don’t know why and how they access my site, but I can’t see anything showing whether anyone is using WP Mail SMTP to send out those emails.

    If you like, I can send you the site.log, which is about 160Mb. Inside, most of it is posts/pages viewed by visitors.

    Thread Starter yokemate

    (@yokemate)

    For example, one junk email that was sent:

    
    Subject: You got a message "Ваш билет неизрасходован"
    Details 
    Sent on
    Dec 13, 2020 2:23 PM
    From
    [email protected]
    Reply-to
    [email protected]
    To
    <hidden>@gmail.com
    Message ID
    <[email protected]>
    
    Message Body: Д о б р ы й д е н ь ! Н а п о м и н а е м о В а ш е м в ы и г р ы ш н о м б и л е т е Г о с Л о т о ! З а б е р и т е с в о й в ы и г р ы ш : www.tinyurl.com/y3wx9kny -- This e-mail was sent from a contact form on Report (https://news.china.com.au)
    
  • The topic ‘WP Mail SMTP is used to send out junk mails’ is closed to new replies.