“Unlock email requested” bypassing SMTP settings?

  • Resolved arcstone

    (@arcstone)


    1 year, 7 months ago

    I use WP-Mail SMTP to relay all email through our SMTP.com account. It forces any phpmail to send through smtp.com instead. All Wordfence emails work as intended, except one – the “Unlock email requested”. That email never shows up in logs, even though it is received – AND it’s sending from a spoofed email “wordpress@<myclientsite.com>” which doesnt exist anywhere.

    How is that particle email send process different? Why is it bypassing normal WordPress email processes? They all getting blocked/spammed because of the spoofed address in the header.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support wfpeter

    (@wfpeter)

    Hi @arcstone, thanks for getting in touch.

    This looks the same as an issue we looked into with WP Mail SMTP plugin a couple of years ago, which has a little more technical information.

    In a nutshell, we send lockout emails (in particular) very early in the site loading process compared to the other emails that are being logged. We can’t change this as Wordfence needs to block visitors that could cause a security issue without allowing more code from WordPress and other plugins to run.

    I’m not sure if the other customer tried to contact the WP Mail SMTP developers to see whether they were able to set their hooks any earlier, but it could be worth a try.

    Thanks,
    Peter.

    Thread Starter arcstone

    (@arcstone)

    Thanks for the reply and background. Is there any way to customize that particular email in Wordfence? It’s sending with a spoofed email “wordpress@<customerdomain.com>”. That doesn’t exist, and is nowhere to be found in the WP database.

    Plugin Support wfpeter

    (@wfpeter)

    Hi @arcstone,

    Our mailings will send from wordpress @ domain . com, which is the default in WordPress and cannot be reconfigured through Wordfence.

    The best way we know to change the “From” address is by adding a mu-plugin, by creating a file at?wp-content/mu-plugins?with contents like:

    <?php add_filter('wp_mail_from', function() { return '[email protected]'; } );

    The filename isn’t important, but I’d use something like?wp_mail_from.php, since it makes the purpose of the file clear. It will still go through your host’s mail server for any mail sent before the SMTP plugin is ready, but if it’s an address that the host allows, that may be a good solution for you.

    Thanks again,
    Peter.

    Thread Starter arcstone

    (@arcstone)

    Thanks for the tip, that’ll definitely help.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘“Unlock email requested” bypassing SMTP settings?’ is closed to new replies.