Find PHPMail Spam sending script - php

I have a cPanel machine hosted for my customers. One customer is being misused, sending spam via a PHP script. If I look into my Exim mail queue there is a lot of spam getting sent.
How can I locate the Script sending those mails?
If I go into detail with one mail, the X-PHP-SCRIPT is only "domain.tld/"
Here an Example:
Date: Tue, 12 Apr 2016 07:00:12 +0000
From: Stacey Ruiz <stacey_ruiz@domain.tld>
To: frogleg3354@yahoo.com
Subject: F$ck me deeply in my m0uth
Content-Transfer-Encoding: 8bit
Content-Type: multipart/alternative;
    boundary="b1_6b6f51ba2d97b6f13cdd28de69a7fce8"
Message-ID: <6b6f51ba2d97b6f13cdd28de69a7fce8@domain.tld>
MIME-Version: 1.0
Received: from ctm by cpanel-1.myserver.tld with local (Exim 4.86_1)
    (envelope-from <stacey_ruiz@domain.tld>)
    id 1apsJ2-0000aK-Fz
    for frogleg3354@yahoo.com; Tue, 12 Apr 2016 09:00:12 +0200
X-Mailer: PHPMailer 5.2.9 (https://github.com/PHPMailer/PHPMailer/)
X-PHP-Script: domain.tld/ for 127.0.0.1
X-Priority: 3
I obviously replaced the domain of the customer with "domain.tld".
I already changed all the passwords for all e-mail addresses and user accounts, deleted all FTP accounts, and ran a virus check. The customer is using the newest update of WordPress (updated 1 week ago). I changed the password there as well. The WordPress page was even OK! No extra user in the database that was not supposed to be there... How is it then possible that a script got onto the server? And how can I locate it?
I tried to access the admin area and misspelled "wp-admin"... I found this:
Can anyone help me?
Cheers!
Niklas
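A header-triage script for the situation in the question above, added here as an example and not part of the original post: it takes the cPanel user from Exim's "with local" Received line and the script URL plus client IP from X-PHP-Script (SERVER_NAME + REQUEST_URI "for" REMOTE_ADDR, as cPanel's PHP mail-header patch writes it), then counts messages per (user, script, client) so the noisiest source stands out. The sample headers are constructed to match the shape of the quoted ones; on the real box, `exim -Mvh <queue-id>` prints the header set of one queued message, which is the input this expects.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample: header sets in the shape of the cPanel/Exim headers
# quoted in the question (users, addresses and Exim ids are made up).
SAMPLE_MESSAGES = [
    "Received: from ctm by cpanel-1.myserver.tld with local (Exim 4.86_1)\n"
    "\t(envelope-from <stacey_ruiz@domain.tld>)\n"
    "\tid 1apsJ2-0000aK-Fz\n"
    "\tfor frogleg3354@yahoo.com; Tue, 12 Apr 2016 09:00:12 +0200\n"
    "X-PHP-Script: domain.tld/ for 127.0.0.1\n\n",
    "Received: from ctm by cpanel-1.myserver.tld with local (Exim 4.86_1)\n"
    "\tid 1apsK7-0000bQ-Aa\n"
    "X-PHP-Script: domain.tld/ for 127.0.0.1\n\n",
    "Received: from shop by cpanel-1.myserver.tld with local (Exim 4.86_1)\n"
    "\tid 1apsL1-0000cZ-Bb\n"
    "X-PHP-Script: shop.example/contact/send.php for 203.0.113.9\n\n",
]

# cPanel's PHP mail-header patch writes "SERVER_NAME + REQUEST_URI for REMOTE_ADDR".
PHP_SCRIPT_RE = re.compile(r"^(?P<host>[^/\s]+)(?P<uri>/\S*)?\s+for\s+(?P<ip>\S+)$")
# Exim's "with local" Received line names the Unix (cPanel) user whose process
# handed the message to sendmail, plus the queue id usable with exim -Mvh.
LOCAL_RECEIVED_RE = re.compile(r"^from (?P<user>\S+) by (?P<mta>\S+) with local\b.*?\bid (?P<id>\S+)")

def classify(raw_headers):
    """Extract who and what sent one message: cPanel user, script URL, client IP."""
    msg = message_from_string(raw_headers)
    info = {"user": None, "exim_id": None, "script": None, "client_ip": None}
    for received in msg.get_all("Received", []):
        m = LOCAL_RECEIVED_RE.search(" ".join(received.split()))  # unfold header
        if m:
            info.update(user=m["user"], exim_id=m["id"])
            break
    m = PHP_SCRIPT_RE.match((msg.get("X-PHP-Script") or "").strip())
    if m:
        info["script"] = m["host"] + (m["uri"] or "/")
        info["client_ip"] = m["ip"]
    # A bare "/" URI means the request hit the document root's index handler
    # (WordPress's index.php bootstrapping the site), not a standalone file.
    info["docroot_index"] = bool(m) and (m["uri"] or "/") == "/"
    # REMOTE_ADDR 127.0.0.1 means the HTTP request came from the server itself.
    info["local_request"] = info["client_ip"] == "127.0.0.1"
    return info

def rank_senders(messages):
    """Count messages per (user, script, client_ip) to find the hot spot."""
    return Counter((i["user"], i["script"], i["client_ip"]) for i in map(classify, messages))
```

When the top entry is a "/" URI with a loopback client, as in the question, the mail code is reached through the site's front controller, so the next place to look is the account's web server access log for requests to "/" at the Exim timestamps rather than for a separately named PHP file.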

Related

mail() function bouncing: 550-do not have sufficient privileges

I'm sending emails from a PHP contact form. My send code is as follows:
$headers  = "MIME-Version: 1.0\r\n";
$headers .= "From: website.com <noreply@website.com>\r\n";  // each header on its own CRLF-terminated line
$headers .= "Reply-To: {$form['email']}";                    // validate this value before putting it in a header
mail($to, $subject, $message, $headers);
Although the message is being delivered, I'm also getting the following message:
Reporting-MTA: dns; xxxx.com
Received-From-MTA: DNS; localhost
Arrival-Date: Thu, 11 Dec 2014 15:17:25 -0500
Final-Recipient: RFC822; acct@myserver.com
Action: failed
Status: 5.1.1
Remote-MTA: DNS; myserver.com
Diagnostic-Code: SMTP; 550-You do not have sufficient privileges to send mail to this address. Please authenticate and try again. (in reply to RCPT TO command)
Last-Attempt-Date: Thu, 11 Dec 2014 15:17:26 -0500
My hosting company tells me it's a problem with the code. My research shows that it's because the From name isn't set in the headers, but it is in my code.
I'm using cPanel/WHM to manage the server. I have multiple accounts set up and this is the only one where this is happening despite the code being virtually identical. The only difference is that this particular client is managing his emails through a different service, so his MX records point elsewhere.
Is this a server issue or a code issue and how do I fix it?

Can anyone tell me why my mail is being classified as spam (headers included)

Here is the situation.
I have both an SMTP server which accepts only authentication.
I also have a VPS with no SMTP server, so the PHP on that VPS sends emails using PEAR to the SMTP server for sending.
For some reason emails are getting classified as Spam always.
Can someone take a look at the following headers and give me a pointer to why this might be happening?
Some stuff has been *'d out for security.
I'm new to VPS stuff so I guess I might have some dodgy config somewhere, so I need some advice on this one.
Thanks guys!
Microsoft Mail Internet Headers Version 2.0
Received: from moutng.k*****.de ([212.227.17.8]) by ***** with Microsoft SMTPSVC(6.0.3790.4675);
Sat, 12 Feb 2011 11:30:09 +0000
Received: from localhost (*****.onlinehome-server.info [*****])
by mrelayeu.k*****.de (node=mreu1) with ESMTP (Nemesis)
id 0Lm8JB-1QNpTc29Yn-00a9O2; Sat, 12 Feb 2011 12:30:09 +0100
From: Logeek <log@*****.com>
To: A King <aking@*****.co.uk>
Subject: Hi!
Message-Id: <0Lm8JB-1QNpTc29Yn-00a9O2@mrelayeu.k*****.de>
Date: Sat, 12 Feb 2011 12:30:09 +0100
X-Provags-ID: *****
Return-Path: log@*****.com
X-OriginalArrivalTime: 12 Feb 2011 11:30:09.0931 (UTC) FILETIME=[34CC45B0:01CBCAA8]
Ok, I'm not really good at email headers, but if an email is sent from an address whose domain is not equal to the domain the email was sent from, for example a message sent by admin@thispage.com from the server otherpage.com, it will get marked as spam. When using an SMTP server smtp.thispage.com as a local user on that server, for example admin@thispage.com, the message will be sent from this server and the email will not be marked as spam. But when sending it as user admin@thispage.com from a different domain using PEAR, the message will normally be marked as spam.

Mail sent "on behalf of" when using PHP Pear

I am using PEAR to send mails from our server. However, some email clients (most importantly Gmail) will say "Mail received from nobody#server on behalf of John Doe". What causes this? Is this PHP or the server config itself?
With the headers I set:
$headers["From"]        = "John Doe <johndoe@example.com>";
$headers["Return-path"] = "John Doe <johndoe@example.com>";
$headers["Sender"]      = "John Doe <johndoe@example.com>";
However, when I look into the e-mail headers of the actual mail that is arrived, I see:
Return-path: <nobody@server>
Received: from nobody by server with local (Exim 4.69)
(envelope-from <nobody@server>)
id 1Thn0Y-0001yy; Tue, 25 Jan 2011 11:48:46 -0600
From: John Doe<johndoe@example.com>
Sender: Nobody <nobody@server>
Date: Tue, 25 Jan 2011 11:48:46 -0600
So except for the FROM field, all other header settings are ignored...! What to do?
What you are seeing is that the envelope headers are being generated by Exim. You will need to change the configuration, or send differently to get around this. With normal sendmail, there are a few simple commandline switches you specify, and I would imagine it is the same with Exim.

Gmail and Hotmail marked as spam

First of all, I want to thank you for your time. I'm having a hard time getting my head around this problem.
With reference to this thread we've decided to implement PHPMailer. This worked fine until we decided to change the IP address of the Exim daemon running on the system. Now, Hotmail and GMail both mark us as spam although we've got correct rDNS etc. We've also taken part in the Microsoft Sender ID and Junk Email Reporting program, but that still won't help us.
You can see an output of the php script running here(http://koopte.be/mailtest/test/examples/test.php).
Also, some mail headers from GMail:
Delivered-To: myemail@gmail.com
Received: by 10.227.133.10 with SMTP id d10cs153720wbt;
Sun, 17 Oct 2010 02:44:10 -0700 (PDT)
Received: by 10.227.37.8 with SMTP id v8mr3118896wbd.37.1287308647612;
Sun, 17 Oct 2010 02:44:07 -0700 (PDT)
Return-Path:
Received: from drt01.dco.fusa.be ([81.95.119.6])
by mx.google.com with ESMTP id ep1si12575868wbb.6.2010.10.17.02.44.06;
Sun, 17 Oct 2010 02:44:07 -0700 (PDT)
Received-SPF: neutral (google.com: 81.95.119.6 is neither permitted nor denied by best guess record for domain of admin@drt01.dco.fusa.be) client-ip=81.95.119.6;
Authentication-Results: mx.google.com; spf=neutral (google.com: 81.95.119.6 is neither permitted nor denied by best guess record for domain of admin@drt01.dco.fusa.be) smtp.mail=admin@drt01.dco.fusa.be
Received: from admin by drt01.dco.fusa.be with local (Exim 4.69)
(envelope-from )
id 1P7Pmg-0001qb-Gg
for myemail@gmail.com; Sun, 17 Oct 2010 11:44:06 +0200
To:
Subject: Koopte.be
X-PHP-Script: www.koopte.be/mailtest/test/examples/test_smtp_advanced_no_auth.php for 84.31.105.128
Date: Sun, 17 Oct 2010 11:44:06 +0200
From: "Koopte.be"
Reply-to: "Koopte.be"
Message-ID:
X-Priority: 3
X-Mailer: PHPMailer 5.1 (phpmailer.sourceforge.net)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_f102f7049d61084cf6a8ef51cf0e57bc"
Sender:
Our log shows the following, which seems OK to me:
2010-10-17 02:33:30 1P7HBn-0000l7-Ro => email F=<admin@drt01.dco.fusa.be> R=lookuphost T=remote_smtp S=1475 H=gmail-smtp-in.l.google.com [209.85.227.27] C="250 2.0.0 OK 1287275610 v32si21774961weq.142"
Thank you for your time!
Edit: rDNS is being fixed as we speak.
rDNS is set now, come on guys, what am I missing?
Google reports this in the headers:
Received-SPF: neutral (google.com: 81.95.119.6 is neither permitted nor denied by best guess record for domain of admin@drt01.dco.fusa.be) client-ip=81.95.119.6;
But my SPF is this:
domainname. TXT "v=spf1 a mx ip4:81.95.119.6 ~all"
You should setup an SPF record for your domain. Google is only returning neutral on your SPF check.
First, I would suggest using Swiftmailer over PHPMailer. But regardless, your issue isn't what software you are using to send your email. You should head over to http://mxtoolbox.com/ and see what it says about your email domain. You should have the correct reverse DNS setup, in addition to making sure you have a SPF record setup in your DNS.
It seems your reverse DNS is not setup correctly, at least not for koopte.be.
It is also possible that if the new IP address has been previously blacklisted by Google or Hotmail or any of the third parties they use (even before it was owned by you), the blacklist is still in effect.
In addition to mxtoolbox.com, I'd also check out Spamhaus's lookup (http://www.spamhaus.org/lookup.lasso). Many providers use their XBL, PBL, and DBL advisories to maintain a blacklist.
You may want to look into DKMS/DomainKeys (and Microsoft/Hotmail has their own thing as well that is similar but different for Hotmail :P)
Spam issues arise for the following reasons:
1) Shared hosting
If you are using shared hosting, PHP is not the solution for this issue. Try to contact your server provider. Sometimes your hosted IP is treated as spam. Try to change hosting providers; it may work fine.
2) More links in your e-mail body
3) Partial headers (always use Reply-To; Ref Ans: TrentonMcManus)
4) Bulk e-mailing
5) Spam reporting (number of people who have clicked on your link as spam)
6) The message should not be too short or too long.
7) Sending from a blacklisted IP (hosting and SMTP server)
It may be that your new IP address has previously been blacklisted by Google or Hotmail. You can check whether your IP is blacklisted or not from the site here.
8) Verifying sender IP
Sender Policy Framework (SPF) is an email validation system designed to prevent email spam by detecting email spoofing, a common vulnerability, by verifying sender IP addresses.
Perhaps PHP is not the solution for this. You can do the following things in PHP coding:
1) Always use the From/Reply-To address
2) Add an unsubscribe link in the body
3) Avoid spam keywords.
4) The message should not be too short or too long.
5) A text version is better than HTML

Possible relationship between PHP Mailer and Mailer-Daemon

I am using the PHPMailer Class from a website which sends confirmation of the user ajax upload to my client. This uses the mail.myclient.com SMTP Host. This is the same SMTP Host that my client uses for his outlook to check his emails.
This email from the website gets sent without errors although I have received two emails from my client regarding Mail delivery failed: returning message to sender for the same address I have used to send confirmation emails out from.
Can these two issues be related? Do I need to provide more info?
Thanks a bunch!
From: Mail Delivery System <Mailer-Daemon@hp13.hostpapa.com>
Date: Tue, 11 May 2010 15:01:41 +0100
To: "sales@splashoflondon.com" <sales@splashoflondon.com>
Subject: Mail delivery failed: returning message to sender
This message was created automatically by mail delivery software.
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed:
root@hp13.hostpapa.com
(ultimately generated from Mailer-Daemon@hp13.hostpapa.com)
retry timeout exceeded
------ This is a copy of the message, including all the headers. ------
Return-path: <sales@splashoflondon.com>
Received: from cpc2-dals2-0-0-cust1159.hari.cable.virginmedia.com
([82.35.76.136] helo=[192.168.2.7])
by hp13.hostpapa.com with esmtpa (Exim 4.69) (envelope-from <sales@splashoflondon.com>) id 1OBq1k-0000V5-I4 for Mailer-Daemon@hp13.hostpapa.com; Tue, 11 May 2010 15:01:40 +0100
User-Agent: Microsoft-Entourage/12.0.0.071130
Date: Tue, 11 May 2010 15:01:31 +0100
Subject: Re: Warning: message 1O9xTC-0005BR-S6 delayed 48 hours
From: sales <sales@splashoflondon.com>
To: Mail Delivery System <Mailer-Daemon@hp13.hostpapa.com>
Message-ID: <C80F21CB.19D9%sales@splashoflondon.com>
Thread-Topic: Warning: message 1O9xTC-0005BR-S6 delayed 48 hours
Thread-Index: AcrxEnUcAvjUl38nTNq1kGDCVl/LEQ==
In-Reply-To: <E1OAgvb-0004TQ-Kq@hp13.hostpapa.com>
Mime-version: 1.0
Content-type: text/plain;
charset="US-ASCII"
Content-transfer-encoding: 7bit
This is most likely harmless.
In the beginning, there was a warning E-Mail about a delayed transmission (probably one of the E-Mails your client sends out). A mail server could not be reached for 48 hours, maybe because it was down. (That is not an "undeliverable" report - the mail server will still try to send the mail out. If you hear nothing further, the message was eventually received.)
This warning was sent to root@hp13.hostpapa.com (for whatever reason, I don't know; you'd have to check the outgoing e-mails for that address. Do you have a specific Errors-To header specified?)
The root address, however, doesn't exist or doesn't accept mail, so an error message gets dispatched to the original sender.
It doesn't make 100% sense because it's not clear why root@hp13.hostpapa.com was contacted in the first place - maybe because hp13.hostpapa.com is the outgoing mail server. As I said, try adding an Errors-To: xyz@xyz.com and watch where such notifications end up in the future.
Anyway, the root of the cause looks harmless: It can happen (although it should be rare) that a recipient's mail server is down for 48 hours.