Ticket #656 (closed maintenance: fixed)

Opened 3 years ago

Last modified 3 years ago

Spam being sent out via Transition Culture

Reported by: chris Owned by: chris
Priority: major Milestone: Maintenance
Component: Parrot server Keywords:
Cc: ed, aland Estimated Number of Hours: 0.0
Add Hours to Ticket: 0 Billable?: yes
Total Hours: 0

Description

I'm getting several of these a day:

From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>                                        
Date: Sat, 14 Dec 2013 13:21:02 +0000                                                                        
To: tc@parrot.webarch.net                                                                                                                    
Subject: Mail delivery failed: returning message to sender                                                                                   
                                                                                                                                             
This message was created automatically by mail delivery software.                                                                            
                                                                                                                                             
A message that you sent could not be delivered to one or more of its                                                                         
recipients. This is a permanent error. The following address(es) failed:                                                                     
                                                                                                                                             
  inxzkysnf@gmail.com                                                                                                                        
    SMTP error from remote mail server after RCPT TO:<inxzkysnf@gmail.com>:                                                                  
    host gmail-smtp-in.l.google.com [173.194.78.26]:                                                                                         
    550-5.1.1 The email account that you tried to reach does not exist. Please try                                                           
    550-5.1.1 double-checking the recipient's email address for typos or                                                                     
    550-5.1.1 unnecessary spaces. Learn more at                                                                                              
    550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 l11si2175565wjw.16 - gsmtp                                            
                                                                                                                                             
------ This is a copy of the message, including all the headers. ------                                                                      
                                                                                                                                             
Return-path: <tc@parrot.webarch.net>                                                                                                         
Received: from tc (uid=1011)                                                                                                                 
        by parrot.webarch.net with local (Exim 4.80)                                                                                         
        (envelope-from <tc@parrot.webarch.net>)                                                                                              
        id 1Vrp9L-0002BF-Kf                                                                                                                  
        for inxzkysnf@gmail.com; Sat, 14 Dec 2013 13:20:56 +0000                                                                             
To: inxzkysnf@gmail.com                                                                                                                      
Subject: Thanks for your message                                                                                                             
X-PHP-Originating-Script: 1011:lib_nonajax.php                                                                                               
From: robjhopkins@gmail.com                                                                                                                  
Reply-To: robjhopkins@gmail.com                                                                                                              
MIME-Version: 1.0                                                                                                                            
Content-Type: multipart/alternative; boundary="----MIME_BOUNDRY_main_message"                                                                
Message-Id: <E1Vrp9L-0002BF-Kf@parrot.webarch.net>                                                                                           
Date: Sat, 14 Dec 2013 13:20:55 +0000                                                                                                        
                                                                                                                                             
This is a multi-part message in MIME format.                                                                                                 
------MIME_BOUNDRY_main_message                                                                                                              
Content-Type: text/plain; charset="UTF-8"; format=flowed                                                                                     
Content-Transfer-Encoding: quoted-printable                                                                                                  
                                                                                                                                             
Dear timberland france,                                                                                                                      
Thank you for your message on the Transition Culture website - I will get back to you as soon as possible.                                   
------MIME_BOUNDRY_main_message                                                                                                              
Content-Type: text/html; charset="UTF-8"                                                                                                     
Content-Transfer-Encoding: quoted-printable                                                                                                  
                                                                                                                                             
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">                                                                               
<HTML><BODY>                                                                                                                                 
<div style=3D"font:normal 1em arial; margin-top:10px"><p><strong>Dear timberland france,</strong></p>                                        
<p>Thank you for your message on the Transition Culture website - I will get back to you as soon as possible.                                
<div style=3D"width:80%; background:#f4faff ; color:#aaa; font-size:11px; padding:10px; margin-top:20px"><strong>This is an automatic        
+confirmation message. 14 December, 2013.</strong></div></div></BODY></HTML>                             

It appears to be spam sent from the Transition Culture WordPress site to a Gmail user who doesn't exist.

It appears, from the email headers, that this form is being used for the spamming: /home/tc/sites/default/wp-content/plugins/contactforms/lib_nonajax.php.

This needs some more investigation.
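
The header check used in the description above, as an added example that is not part of the original ticket: it pulls the sending uid and PHP script out of the message copy embedded in an Exim bounce and tallies bounces per script. The function names are hypothetical, the sample is a trimmed, constructed copy of the bounce quoted above, and it assumes PHP's `mail.add_x_header` setting is on so that `X-PHP-Originating-Script` is present.

```python
import re
from collections import Counter
from email import message_from_string

# Marker Exim places before the embedded copy of the original message (see the bounce above).
COPY_MARKER = "------ This is a copy of the message, including all the headers. ------"

# Constructed sample: a trimmed version of the bounce quoted in this ticket.
SAMPLE_BOUNCE = """\
From: Mail Delivery System <Mailer-Daemon@parrot.webarch.net>
To: tc@parrot.webarch.net
Subject: Mail delivery failed: returning message to sender

This message was created automatically by mail delivery software.

------ This is a copy of the message, including all the headers. ------

Return-path: <tc@parrot.webarch.net>
Received: from tc (uid=1011)
        by parrot.webarch.net with local (Exim 4.80)
        (envelope-from <tc@parrot.webarch.net>)
        id 1Vrp9L-0002BF-Kf
        for inxzkysnf@gmail.com; Sat, 14 Dec 2013 13:20:56 +0000
To: inxzkysnf@gmail.com
Subject: Thanks for your message
X-PHP-Originating-Script: 1011:lib_nonajax.php
From: robjhopkins@gmail.com

Dear timberland france,
"""

def origin_of(bounce_text):
    """Return (uid, script, recipient) for the message embedded in an Exim bounce, or None."""
    _, found, copy = bounce_text.partition(COPY_MARKER)
    if not found:
        return None  # not an Exim-style bounce with an embedded copy
    original = message_from_string(copy.lstrip())
    header = original.get("X-PHP-Originating-Script", "")
    match = re.fullmatch(r"\s*(\d+):(\S+)\s*", header)
    if not match:
        return None  # not sent through PHP mail(), or the header is disabled
    return int(match.group(1)), match.group(2), original.get("To")

def tally_scripts(bounces):
    """Count bounces per (uid, script) so the script generating the mail stands out."""
    origins = (origin_of(b) for b in bounces)
    return Counter((o[0], o[1]) for o in origins if o)
```

The uid in the header should match the `uid=` in the local `Received:` line; the script name alone is not a full path, so it still has to be located under that user's web root.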

Change History

comment:1 Changed 3 years ago by chris

  • Summary changed from Spam being sent out vi Transition Culture to Spam being sent out via Transition Culture

comment:2 Changed 3 years ago by sam

Hi Chris

I'd stick http://wordpress.org/plugins/wordfence/ on the site & see if it detects any malware.

Shall I do this?

Thanks

Sam

comment:3 Changed 3 years ago by chris

Sure, this is an ongoing issue. I get several bounced spam emails a day from the TC site. I have been leaving things like this on the back-burner, in part to save the Transition Network money and in part because I'm not a WordPress expert. I'm happy for you to take a lead on WordPress issues.

comment:4 Changed 3 years ago by sam

Hi Chris.

Not sure I'm a WordPress expert either. I have been using it for a few years on various projects. I'm happy to take this on.

Let's continue the conversation here: /trac/ticket/699 where I'll document what I do.

Thanks

Sam

comment:5 Changed 3 years ago by sam

So I exported the content as a .xml file just in case the backup plugin broke things.

I then installed https://wordpress.org/plugins/backwpup/ & I'm currently backing up the database & filesystem to Dropbox.

I'll then install Wordfence and see if there are any warnings/malware.

Once that's done I'll update the plugins, then core.

Then test it's all still working.

Version 0, edited 3 years ago by sam (next)

comment:6 Changed 3 years ago by chris

  • Status changed from new to closed
  • Resolution set to fixed

This appears to be now resolved.
