Need help to solve the "Abuse Complaint"

I am running one site with WordPress, but it seems that it can't get rid of the "Spam complaint". I have used Ramnode for some time and it shut down my server for this reason several times (I am not complaining). And this time, URPad tells me about this kind of complaint again.

My Wordpress and plugins had been updated to the latest version.
I have just changed my admin password AGAIN
I have browsed my template so that there is no backdoor code.

What else can I do? Need suggestions...

We have received the following spam complaint originating from your VPS. Please resolve this issue as soon as possible.

[ SpamCop V4.8.1.007 ]
This message is brief for your comfort. Please use links below for details.

Email from My-ip / Fri, 28 Mar 2014 10:20:12 +0200
http://www.spamcop.net/w3m?i=z6105225295z99ec1371d974b6f1fe0bb7cc87460d9cz
My-ip is open proxy, see: http://www.spamcop.net/mky-proxies.html

[ Offending message ]
Return-Path: 
Received: from b.mx.colocall.net (b.mx.colocall.net [62.149.2.57])
by colocall.net with ESMTP id s2S8KZJO086543
for ; Fri, 28 Mar 2014 10:20:35 +0200 (EET)
(envelope-from [email protected])
Received: from as8.telkomsa.net (as.telkomsa.net [196.25.211.37])
by b.mx.colocall.net with ESMTP id s2S8KFxJ023870
for ; Fri, 28 Mar 2014 10:20:34 +0200 (EET)
(envelope-from [email protected])
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.98.1 at mars.colocall.net
X-SPAM-Check-IP: 196.25.211.37
X-SPAM-Filters: 
Received: from unknown (HELO hercules.telkomsa.net) ([192.168.111.126])
by as8.telkomsa.net with ESMTP; 28 Mar 2014 09:58:47 +0200
Received: from localhost (localhost [127.0.0.1])
by hercules.telkomsa.net (Postfix) with ESMTP id 33F565F800A
for ; Fri, 28 Mar 2014 10:20:13 +0200 (SAST)
X-Virus-Scanned: amavisd-new at hercules.telkomsa.net
Received: from hercules.telkomsa.net ([127.0.0.1])
by localhost (hercules.telkomsa.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id Xf18q9-UWHlG for ;
Fri, 28 Mar 2014 10:20:13 +0200 (SAST)
Received: from telkomsa.net (unknown [My-ip])
by hercules.telkomsa.net (Postfix) with ESMTPA id 723715F8023
for ; Fri, 28 Mar 2014 10:20:12 +0200 (SAST)
Date: Fri, 28 Mar 2014 8:20:09 +0000
From: "=?windows-1251?Q?=C5=E2=F3=F1=FF_=D0=FE=EC=EE=E2=E0?=" 
Organization: alurhiizvn
X-Priority: 3 (Normal)
Message-ID: <[email protected]>
To: x
Subject: =?windows-1251?Q?__=C7=E0=EA=EE=ED=EE=E4=E0=F2=E5=EB=FC=ED=FB=E5-=F2=F0=E5=E1=EE=E2=E0=EE=ED=E8=FF=2C=EF=EE=EA=F3=F3=EF=E0=F2=E5=EB=FF=2C=2C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit
X-Verify-Sender: Address has been verified (b.mx.colocall.net)
X-Content-Filter: b.mx.colocall.net: passed

http://besorgs-deiner-mudda.de/vw/r2.php

-----------------------
Jason Kaminsky
Director of Systems Administration

Comments

  • Your VPS has a vulnerable PHP mailer.

  • Review outgoing mail logs, most of the time you can find which folder the script is on, then review your files. Moving infected files to other hosts will only trigger the same issue.
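
One way to do the log review suggested in the comment above, as an added example that is not part of the original thread. It assumes PHP's `mail.log` directive is enabled in php.ini; the log path and the sample log lines are constructed.

```bash
#!/usr/bin/env bash
# Tally PHP mail() calls per calling script (added example).
# Assumes php.ini sets e.g.  mail.log = /var/log/php-mail.log  (path is an
# assumption), which makes PHP log each call as:
#   [time] mail() on [/path/script.php:LINE]: To: rcpt -- Headers: ...

mail_senders() {
    # $1 = mail.log path. Prints "COUNT SCRIPT", busiest script first.
    # Calls made from eval()'d code are logged as "file.php(N) : eval()'d code";
    # that suffix is stripped so they count against the file on disk.
    sed -e '/mail() on \[.*:[0-9][0-9]*\]: To: /!d' \
        -e 's/.*mail() on \[\(.*\):[0-9][0-9]*\]: To: .*/\1/' \
        -e "s/([0-9][0-9]*) : eval()'d code\$//" "$1" |
        sort | uniq -c | sort -rn |
        awk '{ n = $1; sub(/^ *[0-9]+ /, ""); print n, $0 }'
}

# Constructed sample log: paths, addresses and line numbers are made up.
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[28-Mar-2014 08:20:01 UTC] mail() on [/var/www/html/wp-content/uploads/2014/03/cache.php:14]: To: a@example.net -- Headers: From: x@example.org
[28-Mar-2014 08:20:02 UTC] mail() on [/var/www/html/wp-content/uploads/2014/03/cache.php:14]: To: b@example.net -- Headers: From: x@example.org
[28-Mar-2014 08:20:03 UTC] mail() on [/var/www/html/wp-content/uploads/2014/03/cache.php(3) : eval()'d code:1]: To: c@example.net -- Headers: From: x@example.org
[28-Mar-2014 08:25:40 UTC] mail() on [/var/www/html/wp-includes/class-phpmailer.php:728]: To: admin@example.com -- Headers: From: wordpress@example.com
EOF
    echo "$f"
}

log=$(sample_log)
mail_senders "$log"
rm -f "$log"
```

A script that sits outside WordPress core and accounts for most of the calls is the file to inspect first.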

  • btw, is there any automatic way to discover a PHP mailer on a VPS?

  • @arieonline said:
    btw, is there any automatic way to discover a PHP mailer on a VPS?

    Try Linux Malware Detect

    Thanked by 1tszilassi
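
A quick manual triage for the question above, as an added example that is not part of the original thread and not a replacement for a real scanner. The function names and the sample tree are constructed, and the patterns are heuristics whose hits need manual review.

```bash
#!/usr/bin/env bash
# Triage a WordPress tree for dropped PHP mailers (added example).

# PHP files under wp-content/uploads: that directory should hold media only.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -iname '*.php*' 2>/dev/null | sort
}

# PHP files that call mail() directly (not wp_mail() or a ->mail() method)
# and also contain decode/execute helpers often seen in obfuscated code.
mail_with_obfuscation() {
    grep -rlE --include='*.php' '(^|[^_a-zA-Z0-9>])mail[[:space:]]*\(' "$1" 2>/dev/null |
    while IFS= read -r f; do
        if grep -qE 'eval[[:space:]]*\(|base64_decode|gzinflate|str_rot13' "$f"; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Constructed sample tree (inert files) so the functions can be run offline.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2014/03" "$root/wp-content/themes/demo"
    printf '%s\n' '<?php wp_mail($to, $subject, $body);' \
        > "$root/wp-content/themes/demo/functions.php"
    printf '%s\n' '<?php $b = base64_decode("aGVsbG8="); mail($to, $s, $b);' \
        > "$root/wp-content/uploads/2014/03/cache.php"
    printf '%s\n' '<?php $x = gzinflate($blob); @mail($to, $s, $x);' \
        > "$root/wp-content/themes/demo/footer.php"
    echo "$root"
}

root=$(make_sample_tree)
echo "PHP under uploads:";       php_in_uploads "$root"
echo "mail() plus obfuscation:"; mail_with_obfuscation "$root"
rm -rf "$root"
```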
  • HC_Ro Member
    edited March 2014

    Best thing to do is backup the WP database and just reinstall everything. Reinstall any plugins/update that are absolutely needed and don't install ones less commonly used by you. Always make sure WP is up to date.

  • mikho Member, Host Rep

    It could also be that your local mail server allows delivery without authentication from remote IPs.

  • Get rid of the spamcop link @VMVPS

    Also, does your WP install send as tino@ ?

  • VMVPS Member

    Thanks @Rallias @DalComp

    I have checked my log and found a lot of requests from Russian... I just deleted my script and will check it later.

    @HC_Ro Yes I will follow these steps AGAIN. so sad...

  • HC_Ro Member

    VMVPS said: Yes I will follow these steps AGAIN. so sad...

    I recommend https://infinitewp.com/ to keep up to date on updates etc.

  • AlexanderM Member, Top Host, Host Rep

    You're not supposed to share SpamCop reports...

    Alexander

  • AlexanderM said: You're not supposed to share SpamCop reports...

    There's nothing saying you can't.

  • AlexanderM Member, Top Host, Host Rep

    @Rallias said:
    There's nothing saying you can't.

    A company I talk to got a really hard time from SpamCop, because they were forwarding the reports to the end user, never mind a public forum.

    Alexander

  • AlexanderM said: A company I talk to got a really hard time from SpamCop, because they were forwarding the reports to the end user, never mind a public forum.

    They sent an email. They have no reasonable expectation of privacy.

  • lewekleonek Member
    edited March 2014

    Do you even need an MTA on your VPS? If not then shut it down and disable it, be it exim4 or postfix.
    If you really need your WordPress to send e-mails, look here: http://wordpress.org/plugins/configure-smtp/ This way you would be able to use Gmail, Mailgun or any other SMTP service to relay WordPress e-mails for you.

    Also, that should go without saying - secure your VPS. Operating system first and then your web server/PHP/database components. Make sure you run recent versions of the software to avoid known vulnerabilities.
    I would recommend installing http://wordpress.org/plugins/sucuri-scanner/ and scanning your installation with it. It's free.
