Trying to understand why my server was spamming

Discussion in 'Server Operation' started by Nate82, Mar 3, 2014.

  1. Nate82

    Nate82 New Member

    My Wordpress website rockitpro (dot) com is on my Plesk dedicated server & only sends mail (using postfix) when a user registers (sends 1 email to the user and 1 to me) and when a user purchases a digital product (the download link is sent to their email), that's it.

    I got a bounced email from Hotmail 2 days ago which led me to check my domain/ip and I found that my domain is on 20+ blacklists :mad: I manically searched Google because this stuff is over my head and found this gem mailq|grep ^[A-F0-9]|cut -c 42-80|sort |uniq -c|sort -n|tail which shows me where most of the emails come from.

    The weird thing is, like 20 of the thousands of emails were coming from a domain I created years ago on my server just to put my test website on, the site is blocked by robots & never linked out. The other 100,000+ mails were coming from [email protected] which is my server.

    I cleared the postfix mail queue but they kept piling up by the second and only stopped when I deleted my test website domain. So I'm thinking the test site domain on my server might have gotten hacked or something?

    My IP/domain is not a relay, already checked that, I turned on Spamassassin, turned on DomainKeys spam protection, and switched on SPF spam protection.

    An example header from one of the mails is:

    Apache [email protected]
    "MaddenCraftcmqce" <[email protected]>,"nmacdonald 478" <[email protected]>,"oneineagle" <[email protected]>NSubject:Trans Jet AirwaysN(X-PHP-Originating-Script: 50versia.php
    MIME-Version: 1.0
    -Content-type: text/plain; charset=iso-8859-1
    From: Gia Deere <[email protected]>
    (Reply-To: Gia Deere <[email protected]>
    Subject: Trans Jet Airways
    X-Mailer: PHP/5.3.3NEMessage-Id: <[email protected]>N+Date: Mon, 3 Mar 2014 11:42:18 -0500 (EST)p

    I noticed the User ID was always 504 which I don't remember creating a user "504" or whatever, and the originating php script was 504:versia.php or 504:mspcomt.php.

    Any tips so this doesn't happen again? Like I said I activated spamassassin, turned on the Plesk antivirus, and tightened up mail server settings. I'm also fixing all the warnings mxtoolbox throws. I have Fal2Ban but not sure that'll work with an issue like this. Maybe install mod_security?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    To secre your apache server, use mod_security. To limit the number of messages for an account, you can use software like policyd.
  3. Nate82

    Nate82 New Member

    Thanks. I've been reading about mod_security and how it can sometimes conflict with Wordpress so I don't think I'll install that. I'll look more into seems to be perfect for what I need.

    For the time being I added this to my in etc/postfix...just need to adjust the timings. All this look ok?

    # HELO restrictions:
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions =

    # Sender restrictions:
    smtpd_sender_restrictions =

    # Recipient restrictions:
    smtpd_recipient_restrictions =
    check_policy_service unix:postgrey/socket,

    # Limit Connections
    smtpd_client_recipient_rate_limit = 50
    smtpd_client_connection_rate_limit = 10
    smtpd_client_message_rate_limit = 25
    default_extra_recipient_limit = 50
    duplicate_filter_limit = 50
    default_destination_recipient_limit = 50

    smtpd_error_sleep_time = 1s
    smtpd_soft_error_limit = 10
    smtpd_hard_error_limit = 20
  4. peterdavidson99

    peterdavidson99 New Member

    Wordpress platform is prone to spam and hack, so it is important to implement proper security measures on your server. You can take the help of monitoring service such as Distil ( or ScrapeSentry ( in order to monitor your website’s traffic. These services distinguish well between a human visitor and a malicious bot. Chances of spam will reduce if humans are allowed access and spammy bots are stopped.
  5. Ovidiu

    Ovidiu Active Member

    taken from your info above: X-PHP-Originating-Script: 50versia.php

    Can you have a look on your server for that script? => 50versia.php

    Let me know when you found it and where it is located. As a first measure, delete it.

Share This Page