
Get rid of ‘wordpressslog@yandex.com’ flooding your SMTP relay


The problem

After installing a, let’s call it, “test-purposes-only” version of the Social Stream plugin for WordPress (really nice, check it out), we found in the SMTP log that something, somewhere, somehow was calling home every minute. The server relay limit was reached within the first hour and clients were sending hate messages (not from their usual mail accounts, as might be expected), so quick action was needed.

Detecting the problem is the easy part: every email relay attempt will produce an SMTP error and return to sender with a subject like “Mail delivery failed: returning message to sender”. Inside the email we should search for the error code:

The Solution

We have our culprit (wordpressslog@yandex.com). To find it, access your WHM, go to Email > Mail Delivery Reports (http://grab.by/xwzQ) and filter by the last 24 hrs.; you should find lots of activity to that account (http://grab.by/xwzU). Finding where the issue lives is next: use the Exploit Scanner WP plugin to find suspicious code blocks in your site (yes, this could take a while). Then base64-encode that email address (bitches love base64 to hide their ass) using a service like http://www.base64encode.org/, and search for the encoded value d29yZHByZXNzc2xvZ0B5YW5kZXguY29t in the Exploit Scanner results (Ctrl+F should do the job).
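The search described above, as an added example in Python (not code from the original post or from any plugin): it scans PHP files for the address in plain text and in base64, and goes slightly beyond the post by also matching the two other base64 alignments the address takes when it sits inside a longer encoded string. The function names and the `.php` filter are assumptions of this example.

```python
import base64
import os
import sys

def b64_needles(text):
    """Byte patterns that reveal `text` in plain or base64-encoded form.

    Inside a longer base64 blob the string can start at offset 0, 1 or 2
    of a 3-byte group, and each alignment encodes differently. For every
    alignment keep only the characters fully determined by `text`.
    """
    raw = text.encode()
    needles = {raw}
    for pad in range(3):
        enc = base64.b64encode(b"\x00" * pad + raw).rstrip(b"=")
        start = (pad * 8 + 5) // 6            # chars tainted by preceding bytes
        if ((pad + len(raw)) * 8) % 6:        # last char depends on what follows
            enc = enc[:-1]
        needles.add(enc[start:])
    return needles

def scan_tree(root, text, exts=(".php",)):
    """Return sorted (path, needle) pairs for files under root that match."""
    needles = b64_needles(text)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                       # unreadable file: skip it
            hits += [(path, n.decode()) for n in needles if n in data]
    return sorted(hits)

if __name__ == "__main__":
    # Usage (the path is the caller's own): python scan.py wp-content/plugins
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, needle in scan_tree(root, "wordpressslog@yandex.com"):
        print(f"{path}: contains {needle}")
```

A hit only marks a file for manual review; the offset-0 pattern it searches for is the same encoded value given in the post.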

So, our target is in /wp-content/plugins/wordpress-social-steam/inc/dcwp_langs.php. That file really shouldn’t be there, so to be sure let’s just clean out everything inside it, leaving only this:

And that’s all! If you want to reset your daily relay limit, you should contact your hosting provider.

You should go back to the WHM SMTP log and search again for the guilty account; no further messages should be sent from our server. At least, this worked in my case. If you have any questions, please feel free to ask.

CEO SWFideas pro·gram·mer (n) An organism capable of converting caffeine into code. *RichMedia Developer | *Homodevelopus
