Welcome to Geeklog Sunday, November 28 2021 @ 12:38 am EST

Geeklog Forums

Continuing saga of outgoing spam


Status: offline

ronack

Forum User
Full Member
Registered: 27/05/03
Posts: 612
It happened again; this time I received over 1000 returned emails. I'm going to have to shut down my sites until I can figure out how they're using GL to send out all this spam through one of my sites.

Suggestions??

Status: offline

Dirk

Site Admin
Admin
Registered: 12/01/02
Posts: 13073
Location: Stuttgart, Germany
So did you check that those emails really came from your server? It's easy to fake the return address, in which case you would get the bounces even though the emails were sent from somewhere else.

If emails are sent through Geeklog, they will go through COM_mail, where you could add a line to log the subject, recipient, etc. You could also borrow the small piece of code to add an X-Originating-IP header to your emails from 1.5.0 to track the original IP address.

Well, and there are lots of other ways to send spam due to uploaded scripts, exploits in add-ons or other 3rd party software installed on your server ...

bye, Dirk
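One way to do the logging Dirk describes, as an added example that is not part of the original thread and not Geeklog's own code. `audit_outgoing_mail()` and `audit_clean()` are hypothetical helpers, and the log path and sample request values are constructed; the helper is meant to be called at the start of the site's mail function.

```php
<?php
/** Neutralise control characters and quotes so a value cannot forge log lines or headers. */
function audit_clean(string $value, int $max = 200): string
{
    $value = (string) preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr(trim(str_replace('"', "'", $value)), 0, $max);
}

/**
 * Append one line per outgoing message to $logFile and return the
 * X-Originating-IP header line for that message ('' if the IP is unknown).
 */
function audit_outgoing_mail(string $to, string $subject, string $logFile, array $server): string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        $ip = '';   // CLI or cron run, or a malformed value
    }
    $line = sprintf(
        "%s ip=%s uri=\"%s\" ua=\"%s\" to=\"%s\" subject=\"%s\"\n",
        gmdate('Y-m-d\TH:i:s\Z'),
        $ip !== '' ? $ip : '-',
        audit_clean($server['REQUEST_URI'] ?? '-'),
        audit_clean($server['HTTP_USER_AGENT'] ?? '-'),
        audit_clean($to),
        audit_clean($subject)
    );
    // FILE_APPEND | LOCK_EX keeps concurrent requests from interleaving lines.
    file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);

    return $ip !== '' ? 'X-Originating-IP: [' . $ip . ']' : '';
}

// Constructed sample request; the subject contains a line break on purpose
// to show that it is flattened before it reaches the log.
$sampleServer = [
    'REMOTE_ADDR'     => '203.0.113.45',
    'REQUEST_URI'     => '/example-mail-form.php',   // hypothetical path
    'HTTP_USER_AGENT' => 'ExampleAgent/1.0',
];
$log    = sys_get_temp_dir() . '/outgoing_mail_audit.log';
$header = audit_outgoing_mail('someone@example.com', "Hello\r\nsecond line", $log, $sampleServer);

echo $header, "\n";
echo file_get_contents($log);
```

If bounces keep arriving while this log stays empty, the messages are not passing through the instrumented mail function. Behind a reverse proxy, `REMOTE_ADDR` is the proxy's address rather than the client's.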

Status: offline

ronack

Forum User
Full Member
Registered: 27/05/03
Posts: 612
OK, I'd like to put in the code to log the emails. Tell me how to do that. I would love to rule out GL, but frankly it's about all I run.

The email header on the returned emails doesn't reveal squat.
PHP Formatted Code

" alt src="http://voxcards.ig.com.br/imagens/email/box_top_email.gif" width="522" height="83"><br style="font-family: Verdana">    </small><br> <div style="text-align: center">      <div style="text-align: left">        <small><span style="font-family: Verdana">Esta ? uma mensagem autom?tica. Por favor, n?o responda!<br>        Ol? voc? est? recebendo um cart?o virtual VOXCARDS remetido por:<br> </span></small><ul>          <li><small style="font-weight:
 

About all I know is that it's someone from Brazil.

None of the logs are revealing very much. I may go ahead and change the email address. That way, if they are just putting in my address isdscsiteadmin@blah blah.com for replies, then I shouldn't get any more. But I don't think that's what's going on.


Also, this is on a brand new server. Thank God for backups.




Status: offline

ronack

Forum User
Full Member
Registered: 27/05/03
Posts: 612
Had another 366 returned emails today, but I think I may have tracked it down. I'll know in a week, since they seem to only do it on Sundays. I changed the email on the site just to see what happens. I know which site and I know where they're from. And the problem may be in a plugin vs. the core GL.