[ask] Puluhan Ribu Email Masuk

[Muktasir]

yg pernah saya alami.. salah satu penyebabnya ada spammer yang menggunakan domain kita dan ditolak / bouncing karena gak valid. cuma efeknya, replynya mailer daemonnya ke kita. padahal spamnya di hosting lain.

Buka aja salah satu email tsb, lihat headernya.. pengirim spam dari hoster mana. terus laporin biar disuspend / blacklist

Ini isi didalam emailnya master:

================================================
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on hostnameku.hostingku.co.id.

The message identifier is: 1e3IUd-0007VP-PB
The subject of the message is: This program will fill your pockets with cash!
The date of the message is: Sat, 14 Oct 2017 0927 +0000

The address to which the message has not yet been delivered is:

[email protected]
host mta6.am0.yahoodns.net [63.250.192.45]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<[email protected]> SIZE=3314:
421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
Reporting-MTA: dns; hostnameku.hostingku.co.id

Action: delayed
Final-Recipient: rfc822;[email protected]
Status: 4.0.0
Remote-MTA: dns; mta6.am0.yahoodns.net
Diagnostic-Code: smtp; 421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
Return-path: <[email protected]>
Received: from domainku1 by hostnameku.hostingku.co.id with local (Exim 4.89)
(envelope-from <[email protected]>)
id 1e3IUd-0007VP-PB
for [email protected]; Sat, 14 Oct 2017 1628 +0700
To: [email protected]
Subject: This program will fill your pockets with cash!
X-PHP-Script: domainku.com/modules/mod_related_items/ropijeaw.php for 184.168.193.69
X-PHP-Filename: /home/domainku1/public_html/modules/mod_related_items/ropijeaw.php REMOTE_ADDR: 184.168.193.69
Date: Sat, 14 Oct 2017 0927 +0000
From: "Kevin D." <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_85b22d2faa3b5b0c0f4dc1da80a65e58"
Content-Transfer-Encoding: 8bit
================================================

 

[Muktasir]

Hapus file ropijeaw.php seperti yang sudah diinfokan rekan2 diatas dan konfirmasi ke user suspend bila perlu.
itu biasanya ada (base64_decode didalamnya, coba dilihat dulu sebelum dihapus.

jika iya login ke ssh kemudian masik ke cd /home/usernamebersangkutan lalu grep file base64_decode barang kali masih ada file serupa didalam cpanel tersebut.
bisa pakai perintah grep -lr --include=*.php "(base64_decode" maka nanti akan muncul file php yang mengandung base64 didalamnya.
namun jangan asal hapus semua file dari hasil grep tadi, silahkan cek dahulu scriptnya jika mencurigakan silahkan hapus.

sekedar informasi tambahan saja, mungkin bisa dimatikan fungsi phpmail diserver untuk mengurangi kejadian serupa.
barangkali rekan2 yang lain juga bisa nambahin tips2nya untuk mencegah hal tersebut selain mematikan fungsi yang sudah saya sebutkan.

Udah saya coba master, belum berhasil. saya coba restore backup dari tanggal" sebelumnya dan lihat hasilnya juga sama, ampek juga saya terminate akunya dan saya create ulang juga sama masih dapat email masuk.
#Nangis Enyong

 

[mas.satriyo]

saya coba terminate akunnya master dan saya tunggu beberapa menit kemudian saya coba create akun lagi dan anehnya saya coba login webmail untuk memastikan apakah masih dapat email tersebut / tidak, ehh ternyata masih

1. coba hapus file /home/<username>/public_html/modules/mod_related_items/ropijeaw.php
sebab tertera di mail header, script pengirimnya (X-PHP-Script dan X-PHP-Filename) adalah file tersebut
2. apakah ini muncul setelah pakai plugin atau template null? jika ya, hapus plugin tersebut
3. turunkan maksimum mail delivery per-hour menjadi 1 untuk sementara atau matikan dulu sementara atau blokir seluruh port outgoing mail, sebab jika aktivitas spamming ini terus berlanjut, resiko suspend bahkan blacklist dari upline selaku pemilik IP. Tidak menutup kemungkinan bisa juga dikenakan denda

 

[Muktasir]

1. sudah saya coba master untuk hapus ropijeaw.php namun masih sama.
2. Tidak, saya tidak update plugin / menambah plugin".
3. Saya kurang paham, dengan cara ini:
a. caar turunkan maksimum mail delivery per-hour menjadi 1?
b cara matikan atau blokir seluruh port outgoing mail?

Mohon petujuknya master @mas.satriyo

 

[Bestariweb Hosting]

Ini isi didalam emailnya master:

================================================
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on hostnameku.hostingku.co.id.

The message identifier is: 1e3IUd-0007VP-PB
The subject of the message is: This program will fill your pockets with cash!
The date of the message is: Sat, 14 Oct 2017 0927 +0000

The address to which the message has not yet been delivered is:

[email protected]
host mta6.am0.yahoodns.net [63.250.192.45]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<[email protected]> SIZE=3314:
421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
Reporting-MTA: dns; hostnameku.hostingku.co.id

Action: delayed
Final-Recipient: rfc822;[email protected]
Status: 4.0.0
Remote-MTA: dns; mta6.am0.yahoodns.net
Diagnostic-Code: smtp; 421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
Return-path: <[email protected]>
Received: from domainku1 by hostnameku.hostingku.co.id with local (Exim 4.89)
(envelope-from <[email protected]>)
id 1e3IUd-0007VP-PB
for [email protected]; Sat, 14 Oct 2017 1628 +0700
To: [email protected]
Subject: This program will fill your pockets with cash!
X-PHP-Script: domainku.com/modules/mod_related_items/ropijeaw.php for 184.168.193.69
X-PHP-Filename: /home/domainku1/public_html/modules/mod_related_items/ropijeaw.php REMOTE_ADDR: 184.168.193.69
Date: Sat, 14 Oct 2017 0927 +0000
From: "Kevin D." <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_85b22d2faa3b5b0c0f4dc1da80a65e58"
Content-Transfer-Encoding: 8bit
================================================

bingung nganalisanya kalau IP, hostname, domain di hide / disamarkan..

 

[mas.satriyo]

1. sudah saya coba master untuk hapus ropijeaw.php namun masih sama.

a. caar turunkan maksimum mail delivery per-hour menjadi 1?
b cara matikan atau blokir seluruh port outgoing mail?

coba tunggu beberapa jam ke depan, sampai antrian email habis
cek mail queue juga
pakai control panel apa? ada akses root?

 

[Bestariweb Hosting]

Udah saya coba master, belum berhasil. saya coba restore backup dari tanggal" sebelumnya dan lihat hasilnya juga sama, ampek juga saya terminate akunya dan saya create ulang juga sama masih dapat email masuk.
#Nangis Enyong

mau terminate account ya pasti tetep masuk lah.. lha wong itu mail delivery error

 

[Bestariweb Hosting]

The address to which the message has not yet been delivered is:

[email protected]
host mta6.am0.yahoodns.net [63.250.192.45]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<[email protected]> SIZE=3314:
421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

gini lho mas mas..

email ini hanya "dampak" dari spammer..
sekali lagi ini bukan email spam, tapi dampak dari spammer..
ada kemungkinan email spamnya sdh dikirim beberapa hari sebelumnya.

contoh dari header di atas, [email protected] tela melakukan banned email dari [email protected] (pelaku spam).
Karena email yg dikirim ribuan, maka report kegagalan pengiriman juga akan 6 kali lipat jumlahnya dari email yg dikirim. (mail delivery system akan terus memberitahu pengirim kalo emailnya ditolak tiap sekian jam karena statusnya delay. biasanya tiap 4 jam CMIIW). kalo sehari 24 jam, artinya ada 6 kali lipat dari jumlah email spam yg dikirim.

cara mengatasinya, sementara filter aja (DELETE EMAIL from Mail Delivery System). biasanya ini hanya terjadi dalam 2 atau 3 hari saja seandainya penyebab spam telah disuspend.

 

[Bestariweb Hosting]

1. coba hapus file /home/<username>/public_html/modules/mod_related_items/ropijeaw.php
sebab tertera di mail header, script pengirimnya (X-PHP-Script dan X-PHP-Filename) adalah file tersebut
2. apakah ini muncul setelah pakai plugin atau template null? jika ya, hapus plugin tersebut
3. turunkan maksimum mail delivery per-hour menjadi 1 untuk sementara atau matikan dulu sementara atau blokir seluruh port outgoing mail, sebab jika aktivitas spamming ini terus berlanjut, resiko suspend bahkan blacklist dari upline selaku pemilik IP. Tidak menutup kemungkinan bisa juga dikenakan denda

pembatasan hanya untuk outgoing.. yg ditanyakan TS incoming dari Mail Delivery System. Walau sdh dilimit atau di terminate, incoming mail dari mail delivery system akan terus terjadi sampai 48 jam berikutnya

 

[Bestariweb Hosting]

Ini isi didalam emailnya master:

================================================
This message was created automatically by mail delivery software.
A message that you sent has not yet been delivered to one or more of its
recipients after more than 48 hours on the queue on hostnameku.hostingku.co.id.

The message identifier is: 1e3IUd-0007VP-PB
The subject of the message is: This program will fill your pockets with cash!
The date of the message is: Sat, 14 Oct 2017 0927 +0000

The address to which the message has not yet been delivered is:

[email protected]
host mta6.am0.yahoodns.net [63.250.192.45]
Delay reason: SMTP error from remote mail server after pipelined MAIL FROM:<[email protected]> SIZE=3314:
421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html

No action is required on your part. Delivery attempts will continue for
some time, and this warning may be repeated at intervals if the message
remains undelivered. Eventually the mail delivery software will give up,
and when that happens, the message will be returned to you.
Reporting-MTA: dns; hostnameku.hostingku.co.id

Action: delayed
Final-Recipient: rfc822;[email protected]
Status: 4.0.0
Remote-MTA: dns; mta6.am0.yahoodns.net
Diagnostic-Code: smtp; 421 4.7.0 [TSS04] Messages from IPku 203.xxx.xx.xx temporarily deferred due to user complaints - 4.16.55.1; see https://help.yahoo.com/kb/postmaster/SLN3434.html
Return-path: <[email protected]>
Received: from domainku1 by hostnameku.hostingku.co.id with local (Exim 4.89)
(envelope-from <[email protected]>)
id 1e3IUd-0007VP-PB
for [email protected]; Sat, 14 Oct 2017 1628 +0700
To: [email protected]
Subject: This program will fill your pockets with cash!
X-PHP-Script: domainku.com/modules/mod_related_items/ropijeaw.php for 184.168.193.69
X-PHP-Filename: /home/domainku1/public_html/modules/mod_related_items/ropijeaw.php REMOTE_ADDR: 184.168.193.69
Date: Sat, 14 Oct 2017 0927 +0000
From: "Kevin D." <[email protected]>
Message-ID: <[email protected]>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_85b22d2faa3b5b0c0f4dc1da80a65e58"
Content-Transfer-Encoding: 8bit
================================================

Maaf, 184.168.193.69 IP sampeyan atau bukan? sy check rDNS via https://www.whatsmydns.net/#PTR/184.168.193.69 hasilnya p3nlhg413.shr.prod.phx3.secureserver.net ?? spam dikirim dari IP tersebut