
Webformailer.php attack - receiving thousands of e-mails

Hi,

 

I'm seeing the same problem that was encountered by this user in October 2018:

 

https://www.godaddy.com/community/Managing-Email/Workspace-email-webformmailer-php-hyjacked-spam/m-p...

 

Mainly, every 15 minutes, I receive several e-mails like the one below.

 

Is there any way to disable this?

 

Thanks,

 

Ken

----

 

Return-Path: <webformmailer@bhomcenter.org>
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43])
	 by sloti21d1t25 (Cyrus 3.1.6-329-gf4aae99-fmstable-20190329v1) with LMTPA;
	 Mon, 01 Apr 2019 18:31:17 -0400
X-Cyrus-Session-Id: sloti21d1t25-1554157877-2942760-2-2190120313903582481
X-Sieve: CMU Sieve 3.0
X-Spam-known-sender: no
X-Spam-orig-subject: <No Subject>
Subject: {SPAM 16.8} <No Subject>
X-Spam: high
X-Spam-score: 16.8
X-Spam-hits: BAYES_99 3.5, BAYES_999 1.2, ME_NOAUTH 0.01, ME_VADESPAM 5,
  ME_ZS_CLEAN -0.001, MISSING_DATE 1.36, MISSING_FROM 1, MISSING_MID 0.497,
  MISSING_SUBJECT 1.799, RCVD_IN_DNSWL_NONE -0.0001,
  RCVD_IN_MSPIKE_H3 0.001, RCVD_IN_MSPIKE_WL 0.001, TVD_SPACE_RATIO 0.001,
  TVD_SPACE_RATIO_MINFP 2.499, LANGUAGES frcaen, BAYES_USED user,
  SA_VERSION 3.4.2
X-Spam-source: IP='72.167.234.237', Host='p3nlsmtp12.shr.prod.phx3.secureserver.net',
  Country='US', FromHeader='unk', MailFrom='org'
X-Spam-charsets: 
X-Resolved-to: kenboorom@fastmail.com
X-Delivered-to: kenboorom3@fastmail.com
X-Mail-from: webformmailer@bhomcenter.org
Received: from mx4 ([10.202.2.203])
  by compute3.internal (LMTPProxy); Mon, 01 Apr 2019 18:31:17 -0400
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
	by mailmx.nyi.internal (Postfix) with ESMTP id 4430A60111
	for <kenboorom3@fastmail.com>; Mon,  1 Apr 2019 18:31:17 -0400 (EDT)
Received: from mx4.messagingengine.com (localhost [127.0.0.1])
    by mx4.messagingengine.com (Authentication Milter) with ESMTP
    id 4F71B1EF8E9;
    Mon, 1 Apr 2019 18:31:17 -0400
ARC-Authentication-Results: i=1; mx4.messagingengine.com; arc=none (no signatures found);
    dkim=none (no signatures found);
    dmarc=permerror;
    iprev=pass smtp.remote-ip=72.167.234.237
    (p3nlsmtp12.shr.prod.phx3.secureserver.net);
    spf=none smtp.mailfrom=webformmailer@bhomcenter.org
    smtp.helo=p3nlsmtp12.shr.prod.phx3.secureserver.net;
    x-aligned-from=null_header (No header domain);
    x-ptr=pass smtp.helo=p3nlsmtp12.shr.prod.phx3.secureserver.net
    policy.ptr=p3nlsmtp12.shr.prod.phx3.secureserver.net;
    x-return-mx=pass smtp.domain=bhomcenter.org policy.is_org=yes
    (MX Record found);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES128-GCM-SHA256
    smtp.bits=128/128;
    x-vs=spam score=500 state=1;
    x-zs=clean
Authentication-Results: mx4.messagingengine.com;
    arc=none (no signatures found);
    dkim=none (no signatures found);
    dmarc=permerror;
    iprev=pass smtp.remote-ip=72.167.234.237
      (p3nlsmtp12.shr.prod.phx3.secureserver.net);
    spf=none smtp.mailfrom=webformmailer@bhomcenter.org
      smtp.helo=p3nlsmtp12.shr.prod.phx3.secureserver.net;
    x-aligned-from=null_header (No header domain);
    x-ptr=pass smtp.helo=p3nlsmtp12.shr.prod.phx3.secureserver.net
      policy.ptr=p3nlsmtp12.shr.prod.phx3.secureserver.net;
    x-return-mx=pass smtp.domain=bhomcenter.org policy.is_org=yes
      (MX Record found);
    x-tls=pass smtp.version=TLSv1.2 smtp.cipher=ECDHE-RSA-AES128-GCM-SHA256
      smtp.bits=128/128;
    x-vs=spam score=500 state=1;
    x-zs=clean
X-ME-VSScore: 500
X-ME-VSCategory: spam
X-ME-ZSResult: clean
Received-SPF: none
    (bhomcenter.org: No applicable sender policy available)
    receiver=mx4.messagingengine.com;
    identity=mailfrom;
    envelope-from="webformmailer@bhomcenter.org";
    helo=p3nlsmtp12.shr.prod.phx3.secureserver.net;
    client-ip=72.167.234.237
Received: from p3nlsmtp12.shr.prod.phx3.secureserver.net (p3nlsmtp12.shr.prod.phx3.secureserver.net [72.167.234.237])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx4.messagingengine.com (Postfix) with ESMTPS
	for <kenboorom3@fastmail.com>; Mon,  1 Apr 2019 18:31:16 -0400 (EDT)
Received: from hostingcgi.secureserver.net ([97.74.58.27])
	by : HOSTING RELAY : with SMTP
	id B5RWhj50HkysKB5RWhkYJV; Mon, 01 Apr 2019 15:30:14 -0700
To: kenboorom3@fastmail.com
Message-ID: <cmu-lmtpd-2942760-1554157877-6@sloti21d1t25>
Date: Mon, 01 Apr 2019 18:31:17 -0400

From: webformmailer@bhomcenter.org
Reply-To: kenboorom3@fastmail.com

Subject: Form Submission Fri, 22 Mar 2019 05:55:00 -0700
Date: Mon, 01 Apr 2019 15:30:14 -0700
Content-Type: text/html; charset="iso-8859-1"
X-CMAE-Envelope: MS4wfOl61/yyZ6xx33aF8E5O2ZiW1jHMElLQ1Np/60me54MFUkptvR9JlAExmei5jJm4ddyCUegF3SZ1ZmmALdWmdGYVer/BVu0t2EftBthbb7fC9v9yWZhe
 kme/OYGLN3ocvDOxYq45rw2GNf6feYO6COyHnJVWsToIYAThrotHcRD35Tw81/vRuPLdnTLHOK8XFdCEdb7Pt/Zv0GTi1sZdeIE=

<table><tr><td>
<table border="1" cellspacing="1" cellpadding="2">
	<tr>
		<td><b>email</b></td>
		<td>crawlerMail</td>
	</tr>
	<tr>
		<td><b>httpagent</b></td>
		<td>Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36</td>
	</tr>
	<tr>
		<td><b>httpref</b></td>
		<td>http://bhomcenter.org/clinic/assays.htm</td>
	</tr>
	<tr>
		<td><b>ipip</b></td>
		<td>72.37.244.68/gdform.php91.201.66.76</td>
	</tr>
	<tr>
		<td><b>notes</b></td>
		<td>1</td>
	</tr>
	<tr>
		<td><b>OKTOUSE</b></td>
		<td>NOT_OK</td>
	</tr>
	<tr>
		<td><b>subject</b></td>
		<td>Form Submission</td>
	</tr>
	<tr>
		<td><b>visitor</b></td>
		<td>1</td>
	</tr>
	<tr>
		<td><b>visitor_place</b></td>
		<td>1</td>
	</tr>
</table>
</td></tr></table>
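A small triage script, added here as an example (not code from the post or from GoDaddy's form mailer), that reads a message like the one above and reports the signals a mailbox rule could key on: the form-mailer envelope sender, the missing SPF/DKIM results, the "crawlerMail" value in the email field and the direct post to gdform.php. The sample message is constructed from the headers and table quoted above and trimmed to the fields the script inspects.

```python
import re
import email
from email import policy

# Constructed sample modelled on the message quoted in the post above,
# trimmed to the headers and form fields the triage looks at.
SAMPLE = """\
Return-Path: <webformmailer@bhomcenter.org>
Authentication-Results: mx4.messagingengine.com;
    dkim=none (no signatures found);
    dmarc=permerror;
    spf=none smtp.mailfrom=webformmailer@bhomcenter.org
To: kenboorom3@fastmail.com
From: webformmailer@bhomcenter.org
Reply-To: kenboorom3@fastmail.com
Subject: Form Submission Fri, 22 Mar 2019 05:55:00 -0700
Content-Type: text/html; charset="iso-8859-1"

<table><tr><td><b>email</b></td><td>crawlerMail</td></tr>
<tr><td><b>httpref</b></td><td>http://bhomcenter.org/clinic/assays.htm</td></tr>
<tr><td><b>ipip</b></td><td>72.37.244.68/gdform.php91.201.66.76</td></tr></table>
"""

# One <td><b>name</b></td><td>value</td> row of the form mailer's table.
FIELD_RE = re.compile(r"<td><b>(\w+)</b></td>\s*<td>(.*?)</td>", re.S)
# method=result pairs inside Authentication-Results.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def auth_results(msg):
    """Map spf/dkim/dmarc to their result from Authentication-Results."""
    return dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))

def form_fields(msg):
    """Pull the name/value rows out of the form mailer's HTML table body."""
    body = msg.get_body(preferencelist=("html",))
    return dict(FIELD_RE.findall(body.get_content())) if body else {}

def triage(raw):
    """Return (findings, fields) for a raw RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth, fields, findings = auth_results(msg), form_fields(msg), []
    if str(msg.get("From", "")).lower().startswith("webformmailer@"):
        findings.append("sender is the hosting form-mailer script")
    if auth.get("spf") == "none" and auth.get("dkim") == "none":
        findings.append("no SPF or DKIM authentication for the sending domain")
    if fields.get("email", "").lower() == "crawlermail":
        findings.append("email field carries the bot marker 'crawlerMail'")
    if "/gdform.php" in fields.get("ipip", ""):
        findings.append("submission was posted directly to gdform.php")
    return findings, fields
```

Run `triage(SAMPLE)` on the constructed message to get the four findings plus the parsed form fields; the same checks can be expressed as a Sieve or client-side filter rule once you know which signals your own copies carry.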

Hello kboorom

I hope you are well. This is a very bad situation, and you can resolve this issue by following these tips:

1. Contact the customer care team

2. Add the sender's email address to a blacklist

3. Reinstall the PHP files

https://pk.godaddy.com/help/using-our-php-form-mailers-on-web-and-classic-hosting-8376

 

Zulfiqar Anees | Founder/CEO at FastTech Media, TechMag, TechKnowable, and ZulWeb | GoDaddy Pro.