Website sending out spam emails

Discussion regarding Joomla! 3.x security issues.

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Website sending out spam emails

Post by poujman » Mon Feb 02, 2015 2:12 am

Hi everyone,
Recently we have been getting return emails sent to our email (average 75-100/day), and once we called our hosting company they told us that the script is in our main folder (not so much help there). I was wondering, is there any tool or way we can find out where the script is and how to stop it?
Thank you all in advance for your help!

AMurray
Joomla! Virtuoso
Posts: 4613
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Website sending out spam emails

Post by AMurray » Mon Feb 02, 2015 2:58 am

Are these return emails of the "message could not be delivered" type?

You would need to determine if it's a script buried somewhere in a Joomla folder or if it might be an extension that would otherwise routinely send legitimate email that has been exploited and used to send spam.

What extension(s) do you use for User Registration or contact form (or any other)?

Such extensions could be protected using CAPTCHA plugins, to a certain degree, from spammers. They would seem to be an effective method in the fight against spam-bots although I suppose that's a matter of opinion these days.

Some other ideas, (if you don't already have them in place)

1) Install Akeeba Tools - may have some way of preventing spamming - blocking IP's etc.

2) Sign up to myjoomla.com and run routine scans of your website; this service detects activity on your site that may be malicious/suspicious, as well as other problems. It is a paid service (around $5USD / month).

3) You should also have security tools available in your hosting control panel e.g. CloudFlare in cPanel hosting (Linux) which monitors / prevents a range of common security problems.

4) You may also find firewall, anti-spam or other security extensions on the JED that might assist such as those below

http://extensions.joomla.org/category/a ... e-security
Regards,
--------------------------------------------------------------
A Murray
Millennium Falcon - it's the ship that made the Kessel run in less than 12 parsecs! The fastest hunk of junk in the galaxy.

Webdongle
Joomla! Master
Posts: 36913
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website sending out spam emails

Post by Webdongle » Mon Feb 02, 2015 3:33 am

http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"The definition of insanity is doing the same thing over and over again, but expecting different results": Albert Einstein
Member of the CMS Release Team

Janekk
Joomla! Fledgling
Posts: 4
Joined: Mon Feb 02, 2015 7:19 am

Re: Website sending out spam emails

Post by Janekk » Mon Feb 02, 2015 7:57 am

1) Install Akeeba Tools - may have some way of preventing spamming - blocking IP's etc.

AMurray,
I'm sorry could you please provide more detailed information about it? Thanks beforehand.

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Mon Feb 02, 2015 12:25 pm

First and foremost, thank you AMurray and Webdongle for your help! I will take a look at that information and provide further information.

AMurray, yes, they are "Mail delivery failed: returning message to sender".
I will try the rest of the suggested ideas and let you know how it goes.

Webdongle
Joomla! Master
Posts: 36913
Joined: Sat Apr 05, 2008 9:58 pm

Re: Website sending out spam emails

Post by Webdongle » Mon Feb 02, 2015 2:58 pm

What is the URL?

Slackervaara
Joomla! Guru
Posts: 987
Joined: Sat Aug 13, 2011 6:27 am

Re: Website sending out spam emails

Post by Slackervaara » Mon Feb 02, 2015 8:42 pm

Have you looked in /tmp and /images folder for php programs that should not be there?

bliss-hostingco
Joomla! Fledgling
Posts: 3
Joined: Sun Sep 14, 2014 12:47 pm

Re: Website sending out spam emails

Post by bliss-hostingco » Mon Feb 02, 2015 8:47 pm

Hey...
My site is also sending me spam email.
What can I do about it?

Slackervaara
Joomla! Guru
Posts: 987
Joined: Sat Aug 13, 2011 6:27 am

Re: Website sending out spam emails

Post by Slackervaara » Mon Feb 02, 2015 8:50 pm

A good thing could be to use JHackGuard, because with it you can disable uploading of files with exception of superusers.

AMurray
Joomla! Virtuoso
Posts: 4613
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Website sending out spam emails

Post by AMurray » Mon Feb 02, 2015 9:33 pm

Janekk wrote: 1) Install Akeeba Tools - may have some way of preventing spamming - blocking IP's etc.

AMurray,
I'm sorry could you please provide more detailed information about it? Thanks beforehand.

Try here,

https://www.akeebabackup.com/products/admin-tools.html

Actually the IP blocking is for the Pro version only - subscription based (€40 / year).

There might be other security tools that do something similar, free of charge.

Slackervaara
Joomla! Guru
Posts: 987
Joined: Sat Aug 13, 2011 6:27 am

Re: Website sending out spam emails

Post by Slackervaara » Mon Feb 02, 2015 9:45 pm

Now I know exactly what you can do. Look in the return mails, because at the end of the return mail you can get the IP address of the sender of the mails.

When you know the IP address of the sender, check in the access logs for that period of time and for that IP address. You will then know which program he has used and check if it is something he has uploaded and remove it then. Search then for the program name in access logs and try to figure out how he uploaded it to your site.

If you don't find any IP address you could from return mail figure out what time it was sent - check access logs for that time.

TechnikPC
Joomla! Fledgling
Posts: 1
Joined: Thu Dec 05, 2013 3:00 am

Re: Website sending out spam emails

Post by TechnikPC » Mon Feb 02, 2015 11:17 pm

I was having the same issue a couple months back on my sites that used com_contacts. I changed my Global Config>Site>Default Captcha to ReCaptcha and it seemed to have stopped the issue. Just make sure the plugin is enabled.

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Wed Feb 04, 2015 2:19 am

Webdongle wrote: what is the url ?

I will private message you the address. Thank you.
Actually, for some odd reason I can't, but it would be www.ottawaprints.ca
Last edited by poujman on Wed Feb 04, 2015 2:25 am, edited 1 time in total.

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Wed Feb 04, 2015 2:23 am

Slackervaara wrote: Have you looked in /tmp and /images folder for php programs that should not be there?

I just did... nothing unusual was there!

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Wed Feb 04, 2015 2:31 am

I want to thank everyone for their contribution to this issue! I will do my best to keep everyone posted on different results.

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Sun Feb 08, 2015 11:20 pm

Just an update... I removed the folder and uploaded new fresh files into a new folder, but it is still doing it. Any new ideas?

mandville
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website sending out spam emails

Post by mandville » Sun Feb 08, 2015 11:42 pm

To sum up and help us more: can you run and post the FPA output as requested http://forum.joomla.org/viewtopic.php?f=621&t=582860
Can you post an extract from the emails, ideally the header and the message subject/content?
Your host should be able to spot the "owner" of the email generation, e.g. the script.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Sun Feb 08, 2015 11:58 pm

Forum Post Assistant (v1.2.4) : 8th February 2015 wrote:
Basic Environment :: wrote:Joomla! Instance :: Joomla! 3.3.6-Stable (Ember) 01-October-2014
Joomla! Platform :: Joomla Platform 13.1.0-Stable (Curiosity) 24-Apr-2013
Joomla! Configured :: Yes | Writable (644) | Owner: houseo75 (uid: 1/gid: 1) | Group: houseo75 (gid: 1) | Valid For: 3.3
Configuration Options :: Offline: 1 | SEF: 0 | SEF Suffix: 0 | SEF ReWrite: 1 | .htaccess/web.config: No (ReWrite Enabled but no .htaccess?) | GZip: 0 | Cache: 0 | FTP Layer: 0 | SSL: 0 | Error Reporting: default | Site Debug: 0 | Language Debug: 0 | Default Access: 1 | Unicode Slugs: 0 | Database Credentials Present: Yes

Host Configuration :: OS: Linux | OS Version: 2.6.32-431.23.3.el6.bl1.1.13_1.x86_64 | Technology: x86_64 | Web Server: Apache | Encoding: gzip, deflate | Doc Root: /home/houseo75/public_html/ottawaprints | System TMP Writable: Yes

PHP Configuration :: Version: 5.4.36 | PHP API: cgi-fcgi | Session Path Writable: Yes | Display Errors: 1 | Error Reporting: 22519 | Log Errors To: /dev/null | Last Known Error: 03rd September 2014 16:27:58. | Register Globals: | Magic Quotes: | Safe Mode: | Open Base: | Uploads: 1 | Max. Upload Size: 128M | Max. POST Size: 128M | Max. Input Time: 60 | Max. Execution Time: 30 | Memory Limit: 512M

MySQL Configuration :: Version: 5.6.17-log (Client:mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | Host: --protected-- (--protected--) | Collation: latin1_swedish_ci (Character Set: latin1) | Database Size: 167.34 MiB | #of Tables:  198
Detailed Environment :: wrote:PHP Extensions :: Core (5.4.36) | date (5.4.36) | ereg () | libxml () | openssl () | pcre () | sqlite3 (0.7) | zlib (2.0) | bcmath () | bz2 () | calendar () | ctype () | curl () | dom (20031129) | hash (1.0) | filter (0.11.0) | ftp () | gd () | gettext () | SPL (0.2) | iconv () | session () | intl (1.1.0) | json (1.2.1) | mbstring () | mcrypt () | standard (5.4.36) | mysqlnd (mysqlnd 5.0.10 - 20111026 - $Id: c85105d7c6f7d70d609bb4c000257868a40840ab $) | mysqli (0.1) | mysql (1.0) | PDO (1.0.4dev) | pdo_mysql (1.0.2) | pdo_pgsql (1.0.2) | pdo_sqlite (1.0.1) | pgsql () | Phar (2.0.1) | posix () | pspell () | Reflection ($Id: f6367cdb4e3f392af4a6d441a6641de87c2e50c4 $) | imap () | SimpleXML (0.1) | soap () | sockets () | SQLite (2.0-dev) | exif (1.4 $Id: 637ebf9289b40d157fdf8edcdddeb3d907b28d9b $) | tidy (2.0) | tokenizer (0.1) | xml () | xmlreader (0.1) | xmlrpc (0.51) | xmlwriter (0.1) | xsl (0.1) | zip (1.11.0) | cgi-fcgi () | htscanner (1.0.1) | mhash () | ionCube Loader () | Zend Guard Loader () | Zend Engine (2.4.0) |
Potential Missing Extensions :: suhosin |

Switch User Environment (Experimental) :: PHP CGI: Yes | Server SU: Yes | PHP SU: Yes | Custom SU (LiteSpeed/Cloud/Grid): Yes
Potential Ownership Issues: No
Folder Permissions :: wrote:Core Folders :: images/ (755) | components/ (755) | modules/ (755) | plugins/ (755) | language/ (755) | templates/ (755) | cache/ (755) | logs/ (755) | tmp/ (755) | administrator/components/ (755) | administrator/modules/ (755) | administrator/language/ (755) | administrator/templates/ (755) |

Elevated Permissions (First 10) ::
Extensions Discovered :: wrote:Components :: SITE :: com_wrapper (3.0.0) | com_mailto (3.0.0) |
Components :: ADMIN :: com_media (3.0.0) | com_messages (3.0.0) | JXTC (1.3.1) | com_jxtcpowertabs (1.1.12) | com_categories (3.0.0) | com_content (3.0.0) | com_users (3.0.0) | com_banners (3.0.0) | mod_k2_comments (-) | mod_k2_comments (-) | COM_K2 (2.6.9) | K2 (2.5.7) | com_admin (3.0.0) | com_login (3.0.0) | com_cache (3.0.0) | com_jxtcappbook (1.4.2) | com_modules (3.0.0) | com_cpanel (3.0.0) | com_plugins (3.0.0) | com_ajax (3.2.0) | com_languages (3.0.0) | com_contenthistory (3.2.0) | com_redirect (3.0.0) | com_postinstall (3.2.0) | com_search (3.0.0) | com_menus (3.0.0) | com_config (3.0.0) | com_installer (3.0.0) | com_weblinks (3.0.0) | com_tags (3.1.0) | com_joomlaupdate (3.0.0) | com_checkin (3.0.0) | com_finder (3.0.0) | com_newsfeeds (3.0.0) | com_templates (3.0.0) |

Modules :: SITE :: mod_wrapper (3.0.0) | mod_weblinks (3.0.0) | mod_footer (3.0.0) | mod_stats (3.0.0) | mod_languages (3.0.0) | mod_feed (3.0.0) | JoomlaXTC K2 Content Wall (1.29.2) | mod_menu (3.0.0) | mod_users_latest (3.0.0) | K2 User (2.6.9) | K2 Content (2.6.9) | K2 Users (2.6.9) | mod_random_image (3.0.0) | mod_tags_popular (3.1.0) | mod_whosonline (3.0.0) | JoomlaXTC Power Tabs (1.1.12) | K2 Comments (2.6.9) | mod_articles_news (3.0.0) | JoomlaXTC Slide (1.2.0) | mod_related_items (3.0.0) | mod_articles_category (3.0.0) | JoomlaXTC Deluxe News Pro (3.46.0) | mod_articles_latest (3.0.0) | mod_breadcrumbs (3.0.0) | mod_tags_similar (3.1.0) | K2 Tools (2.6.9) | mod_articles_popular (3.0.0) | mod_banners (3.0.0) | K2 Login (2.5.7) | mod_articles_categories (3.0.0) | mod_finder (3.0.0) | mod_articles_archive (3.0.0) | mod_syndicate (3.0.0) | mod_login (3.0.0) | mod_custom (3.0.0) | mod_search (3.0.0) |
Modules :: ADMIN :: mod_feed (3.0.0) | K2 Quick Icons (admin) (2.6.9) | mod_status (3.0.0) | mod_menu (3.0.0) | mod_submenu (3.0.0) | mod_stats_admin (3.0.0) | mod_quickicon (3.0.0) | mod_title (3.0.0) | mod_latest (3.0.0) | mod_popular (3.0.0) | mod_multilangstatus (3.0.0) | mod_version (3.0.0) | mod_logged (3.0.0) | mod_login (3.0.0) | mod_custom (3.0.0) | mod_toolbar (3.0.0) | K2 Stats (admin) (2.6.9) |

Plugins :: SITE :: plg_editors-xtd_readmore (3.0.0) | plg_editors-xtd_image (3.0.0) | plg_editors-xtd_pagebreak (3.0.0) | plg_editors-xtd_article (3.0.0) | plg_search_tags (3.0.0) | plg_search_weblinks (3.0.0) | plg_search_categories (3.0.0) | plg_search_contacts (3.0.0) | plg_search_content (3.0.0) | Search - K2 (2.6.9) | plg_search_newsfeeds (3.0.0) | Josetta - K2 Items (2.6.9) | Josetta - K2 Categories (2.6.9) | plg_editors_tinymce (4.1.2) | plg_editors_codemirror (3.15) | plg_user_contactcreator (3.0.0) | plg_user_joomla (3.0.0) | plg_user_profile (3.0.0) | User - K2 (2.6.9) | plg_twofactorauth_totp (3.2.0) | plg_twofactorauth_yubikey (3.2.0) | JoomlaXTC Image Gallery plugin (1.1.2) | plg_content_vote (3.0.0) | plg_content_loadmodule (3.0.0) | plg_content_pagenavigation (3.0.0) | plg_content_pagebreak (3.0.0) | Appointment Book Manager (1.4.2) | plg_content_joomla (3.0.0) | AllVideos (by JoomlaWorks) (4.6.1) | AllVideos (by JoomlaWorks) (4.6.1) | plg_content_emailcloak (3.0.0) | plg_content_finder (3.0.0) | plg_extension_joomla (3.0.0) | plg_quickicon_extensionupdate (3.0.0) | plg_quickicon_joomlaupdate (3.0.0) | plg_authentication_ldap (3.0.0) | plg_authentication_joomla (3.0.0) | plg_authentication_cookie (3.0.0) | plg_authentication_gmail (3.0.0) | plg_system_languagecode (3.0.0) | plg_system_remember (3.0.0) | plg_system_logout (3.0.0) | plg_system_cache (3.0.0) | plg_system_redirect (3.0.0) | plg_system_languagefilter (3.0.0) | plg_system_highlight (3.0.0) | plg_system_log (3.0.0) | plg_system_debug (3.0.0) | plg_system_sef (3.0.0) | System - K2 (2.6.9) | plg_system_p3p (3.0.0) | plg_installer_webinstaller (1.0.5) | plg_captcha_recaptcha (3.0.0) | plg_finder_tags (3.0.0) | plg_finder_weblinks (3.0.0) | plg_finder_categories (3.0.0) | plg_finder_contacts (3.0.0) | plg_finder_content (3.0.0) | plg_finder_k2 (2.6.9) | plg_finder_newsfeeds (3.0.0) |
Templates Discovered :: wrote:Templates :: SITE :: beez3 (3.1.0) | protostar (1.0) | Agency (1.2.0) |
Templates :: ADMIN :: isis (1.0) | hathor (3.0.0) |

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Sun Feb 08, 2015 11:59 pm

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

jens.unerberg@web.de
SMTP error from remote mail server after RCPT TO:<jens.unerberg@web.de>:
host mx-ha03.web.de [212.227.15.17]: 550 Requested action not taken:
mailbox unavailable

------ This is a copy of the message, including all the headers. ------

Return-path: <info@ottawaprints.ca>
Received: from 83-65-36-90.work.xdsl-line.inode.at ([83.65.36.90]:4496 helo=KULISSE-WKS1)
by ecbiz158.inmotionhosting.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.82)
(envelope-from <info@ottawaprints.ca>)
id 1YKazX-0007Ih-78
for jens.unerberg@web.de; Sun, 08 Feb 2015 18:10:17 -0500
From: "Peters EURL" <info@ottawaprints.ca>
To: "jens.unerberg" <jens.unerberg@web.de>
Subject: =?utf-8?q?Liste neuer Stellen f=C3=BCr Sie?=
Date: ---, 8 Feb 2015 23:10:04 GMT
Reply-To: <puquuxy@rescueteam.com>
Message-ID: <6980c618.1063b7cd117ecce9@KULISSE-WKS1>
Mime-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-OutGoing-Spam-Status: No, score=-1.8
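
The check Slackervaara describes earlier in the thread, applied to the Received header of the bounce above, as an added example that is not part of any post. It reads the connecting IP, the time and Exim's `with <protocol>` token, which is `esmtpsa` for authenticated SMTP over TLS and `local` for mail queued on the server itself, then filters an access log by that time and IP. The access-log lines are constructed, the function names are illustrative, and the recipient address is redacted.

```python
import re
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

# Received header from the bounce posted in this thread (recipient redacted).
BOUNCE_RECEIVED = """Received: from 83-65-36-90.work.xdsl-line.inode.at ([83.65.36.90]:4496 helo=KULISSE-WKS1)
by ecbiz158.inmotionhosting.com with esmtpsa (TLSv1:RC4-MD5:128)
(Exim 4.82)
(envelope-from <info@ottawaprints.ca>)
id 1YKazX-0007Ih-78
for recipient@example.invalid; Sun, 08 Feb 2015 18:10:17 -0500"""

# Constructed Apache access-log lines (documentation IPs), not from the thread.
SAMPLE_ACCESS_LOG = [
    '198.51.100.7 - - [08/Feb/2015:18:09:58 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [08/Feb/2015:18:10:05 -0500] "POST /index.php HTTP/1.1" 303 0',
    '198.51.100.7 - - [08/Feb/2015:21:00:00 -0500] "GET / HTTP/1.1" 200 5120',
]

RECEIVED_RE = re.compile(
    r"Received: from (?P<src>\S+)(?: \(\[(?P<ip>[^\]]+)\]:\d+[^)]*\))?"
    r"\s+by (?P<by>\S+) with (?P<proto>\w+)")
LOG_RE = re.compile(r"^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]")


def parse_received(header):
    """Return source IP (None for local submission), protocol and timestamp."""
    m = RECEIVED_RE.search(header)
    if not m:
        raise ValueError("no Exim-style Received header found")
    when = parsedate_to_datetime(header.strip().rsplit(";", 1)[1].strip())
    return {"ip": m["ip"], "proto": m["proto"], "when": when}


def submission_path(proto):
    """Map Exim's 'with <protocol>' token to how the message entered the server."""
    if proto == "local":
        return "local"               # queued on the server itself, e.g. PHP mail()
    if proto in ("esmtpa", "esmtpsa"):
        return "authenticated-smtp"  # a remote client logged in to a mailbox
    return "other"


def access_hits(log_lines, when, ip=None, window_minutes=10):
    """Access-log lines near `when`; also filtered by `ip` when one is known."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or (ip and m["ip"] != ip):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if abs(ts - when) <= timedelta(minutes=window_minutes):
            hits.append(line)
    return hits


if __name__ == "__main__":
    info = parse_received(BOUNCE_RECEIVED)
    print(info["ip"], submission_path(info["proto"]), access_hits(SAMPLE_ACCESS_LOG, info["when"], info["ip"]))
```

When the token is `esmtpa` or `esmtpsa`, the message was submitted through a mailbox login from the listed IP, so the mail server's authentication log and that mailbox's password are the first things to review; a `local` token points back at code running on the web server.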

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Mon Feb 09, 2015 12:00 am

mandville wrote: to sum up and help us more. can you run and post the fpa output as requested http://forum.joomla.org/viewtopic.php?f=621&t=582860
can you post an extract from the emails, ideally the header and the message subject/content
you host should be able to spot the "owner" of the email generation eg the script

Hope the information below helps! Let me know if you need anything else.

mandville
Joomla! Master
Posts: 14773
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Website sending out spam emails

Post by mandville » Mon Feb 09, 2015 12:31 am

OK. Is jens.unerberg@web.de a member of your site?
What is sending out your list of new blog posts? Liste neuer Stellen

Is your email being spoofed?
Date: ---, 8 Feb 2015 23:10:04 GMT
Reply-To: <puquuxy@rescueteam.com>
The domain (rescueteam.com) is registered in the US, and has a history of being used for spam and fraud, but it is also used by legitimate users.

poujman
Joomla! Apprentice
Posts: 10
Joined: Mon Feb 02, 2015 1:33 am

Re: Website sending out spam emails

Post by poujman » Mon Feb 09, 2015 12:49 am

mandville wrote: ok. is
jens.unerberg@web.de a member of your site? - nope
what is sending out your list of new blog posts? Liste neuer Stellen - (no idea who this would be)

is your email being spoofed? - possibly?
Date: ---, 8 Feb 2015 23:10:04 GMT
Reply-To: <puquuxy@rescueteam.com>
The domain (rescueteam.com) is registered in the US, and has a history of being used for spam and fraud, but it is also used by legitimate users.

