{"id":148875,"date":"2018-10-29T20:54:00","date_gmt":"2018-10-29T19:54:00","guid":{"rendered":"http:\/\/www.lotsofways.de\/?p=148875"},"modified":"2018-10-29T20:54:00","modified_gmt":"2018-10-29T19:54:00","slug":"if-wordpress-suddenly-sends-spam-this-can-be-the-simple-cause","status":"publish","type":"post","link":"https:\/\/www.lotsofways.de\/en\/if-wordpress-suddenly-sends-spam-this-can-be-the-simple-cause\/","title":{"rendered":"If WordPress suddenly sends spam, this can be the simple cause"},"content":{"rendered":"[et_pb_section bb_built=”1″ fullwidth=”on” specialty=”off” next_background_color=”#000000″][et_pb_fullwidth_image _builder_version=”3.12.2″ src=”https:\/\/www.lotsofways.de\/wp-content\/uploads\/2018\/09\/spam.jpg” alt=”Crumpled advertising mail in a mailbox” title_text=”Crumpled advertising mail in a mailbox” \/][\/et_pb_section][et_pb_section bb_built=”1″ prev_background_color=”#000000″][et_pb_row][et_pb_column type=”1_2″][et_pb_post_title _builder_version=”3.4.1″ date_format=”d.m.Y” categories=”off” comments=”off” featured_image=”off” \/][et_pb_text _builder_version=”3.12.2″]\n

WordPress and other content management systems must be able to send e-mails. However, this also entails dangers. A practical example shows: Even without a hack, a WordPress installation can easily become a spam catapult and damage the reputation of the IP addresses and domains involved.<\/p>\n

Sending spam through WordPress: That happened<\/h2>\n

The web server on which the WordPress installation in question is located is well secured and not infected by malware. All sites and applications on the server send e-mails via the Amazon SES service, which acts as a smart host or SMTP gateway. Suddenly, it caught the eye: The proportion of bounces (undeliverable e-mails) and complaints (users or providers report spam) in relation to all e-mails sent increased significantly.<\/p>\n

This problem had to be analyzed and solved. By default, Amazon SES does not provide any information about which e-mails from which domain lead to bounces and complaints. Only an overview is available to the owner of the SES account. Total number of messages, rejects, bounces and complaints are displayed on the timeline:<\/p>\n

\"Amazon

Amazon SES Rejects, Bounces, Complaints<\/p><\/div>\n

In order to identify the cause of the problem, the account holder has to subscribe to notifications per domain. He configures a so-called SNS Topic for this purpose.<\/p>\n

\"Amazon

Amazon SES Notification Topics<\/p><\/div>\n

Result: Rejects, bounces or complaints are reported to the owner in the desired way, for example by e-mail in JSON format.<\/p>\n

\"Amazon-SES-Complaint-Notification\"

Amazon-SES-Complaint-Notification<\/p><\/div>\n

Clear advantage: As the owner of the Amazon SES account, we now know which domains are responsible for the increased spam volume. In the next step, the analysis continues. Is the amount of spam generated by the hosting customer directly in the e-mail client or on the workstation that sends it via SMTP? Or is the WordPress installation on the web server to blame, for example, because it was hacked?<\/p>\n[\/et_pb_text][\/et_pb_column][et_pb_column type=”1_2″][et_pb_text _builder_version=”3.12.2″] [card title=\"Spam Slingshot Contact Form\" text=\"text-darken-3 grey\" title_color=\"blue\"]\nMake sure that hackers cannot send e-mails in your name to uninvolved third parties. This abuse of WordPress and others CMS<\/a> as a spam catapult becomes possible if a contact form that is not sufficiently protected against spam entries sends automatic acknowledgements of receipt to the sender address entered in the form.
\n[\/card]\n[card title=\"Impending Danger\" text=\"text-darken-3 grey\" title_color=\"blue\"]\nWhen it comes to email deliverability, the reputation of the sender IP and sender domain are relevant. If spam messages are repeatedly complained about among your senders, you damage your reputation and risk that the deliverability of your legitimate messages decreases.
\n[\/card][card title=\"How can I further Reduce Spam?\" text=\"text-darken-3 grey\" title_color=\"blue\"]\nConfigure your email domain strictly by using SPF<\/a>, DKIM<\/a> and DMARC<\/a> and make your DMARC policy more restrictive step by step. In this way, you effectively prevent third parties from successfully sending spam on your behalf in other scenarios not addressed in this article. Messages are then rejected directly by the receiving server if they are not legitimate, without interaction with the recipient and thus a spam complaint. However, the integration of a strict DMARC policy requires experience and close monitoring. If it is too strict or incorrect, e-mails will be lost.[\/card]\n[card title=\"Help needed?\" text=\"text-darken-3 grey\" title_color=\"blue\"]\nEvery month we send a large number of legitimate emails to customers with a strong reputation focus and are happy to help with email deliverability and sender reputation. Please do not hesitate to contact us!
\n[link text=\"blue\" to=\"\/contact\/\"]Contact[\/link]\n[\/card] [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row][et_pb_column type=”2_3″][et_pb_text _builder_version=”3.12.2″]\n

Analysis of the e-mails sent by WordPress<\/h2>\n

The plugin “WP Mail Logging” does a good job in root cause analysis on the WordPress level.<\/h3>\n

It performs the simple task of logging all e-mails sent by a WordPress installation in tabular form. After WP Mail Logging has been installed and activated, a functional test is recommended, for example by triggering a password reset mail. If everything fits, we now have a functioning control system. It is supposed to tell us whether malicious software sends e-mails from our WordPress installation. A parallel malware scan is recommended, for example with WordFence or the Sucuri scanner. Sucuri also offers a nice guide to clean infected WordPress websites<\/a>.<\/p>\n

\"WP

WP-Mail-Logging-Overview<\/p><\/div>\n

The next step is to wait and see – as long as the admin does not find an acute infection of the WordPress website, which would also explain the unwanted sending of e-mails.<\/p>\n

In our current case, the analysis actually led to a result: the contact form was to blame. The website operator had insufficiently protected his form from spam entries and had also configured an automatic acknowledgement of receipt. Spammers could thus enter any sender addresses in the contact form. The automatic acknowledgement of receipt was sent to the contact form via WordPress, web server and Amazon SES as gateway.<\/p>\n[\/et_pb_text][et_pb_image _builder_version=”3.12.2″ src=”https:\/\/www.lotsofways.de\/wp-content\/uploads\/2018\/09\/WP-Mail-Logging-Details.jpg” alt=”Analyze WordPress spam with WP Mail Logging: Detail view of an abused e-mail” title_text=”Analyze WordPress spam with WP Mail Logging: Detail view of an abused e-mail” \/][\/et_pb_column][et_pb_column type=”1_3″][et_pb_text _builder_version=”3.12.2″] [card title=\"WP Mail Logging\" text=\"text-darken-3 grey\" title_color=\"blue\"]\nThe plugin WP Mail Logging by Christian Z\u00f6ller can be downloaded free of charge from the WordPress Repository. It logs e-mails sent by WordPress. This allows you to analyze the causes of unwanted emails sent by WordPress. Installation and configuration are a matter of a few seconds. We used the plugin reliably and quickly achieved the desired result.
\n[\/card]\n