Helper II

Workspace email: webformmailer.php hijacked spam

I am getting attacked by a bot that is sending email through/to my webformmailer.php with No Sender and No Subject line. I get about 3 or 4 in each of the 15 min. intervals that the GD formmailer typically cycles out (since Oct 13th, close to a thousand). What I am saying here is that those two fields are coming in BLANK both in my WorkSpace mailbox and in the copy forwarded to another email address I've set up.

 

For years the email came to both places with:

"formmailer@secureserver.net" in the From .... (now BLANK)
my email address in the To .... (which is still happening)
"Form Submission (TimeStamp)" .... (now BLANK)

 

=================================== The email header

No Sender
(No Subject)
To: info@mywebsite.net
Authentication-Results: mta4082.aol.mail.gq1.yahoo.com from=; domainkeys=neutral (no sig); from=; dkim=neutral (no sig)
Return-Path: <SRS0=RtMy=M3=secureserver.net=mailer@bounce.secureserver.net>
X-Yahoofilteredbulk: 72.167.218.31
X-Apparently-To: myforwardedemailaddress@aol.com; Mon, 15 Oct 2018 18:01:32 +0000
X-Originating-Ip: [72.167.218.31]
Content-Length: 1425
Received: from 127.0.0.1 (EHLO p3plsmtp02-01-26.prod.phx3.secureserver.net) (72.167.218.31) by mta4082.aol.mail.gq1.yahoo.com with SMTP; Mon, 15 Oct 2018 18:01:31 +0000
Received: (qmail 16410 invoked from network); 15 Oct 2018 18:01:31 -0000
Received: (qmail 16375 invoked by uid 30297); 15 Oct 2018 18:01:31 -0000
Received: from unknown (HELO p3plibsmtp01-14.prod.phx3.secureserver.net) ([72.167.238.230]) (envelope-sender <mailer@secureserver.net>) by p3plsmtp02-01-26.prod.phx3.secureserver.net (qmail-1.03) with SMTP for <info@myemailaddress.net>; 15 Oct 2018 18:01:31 -0000
Received: from p3nlsmtp19.shr.prod.phx3.secureserver.net ([72.167.234.244]) by bizsmtp with ESMTP id C7Atgq4jwn7f2C7BLgEWIN; Mon, 15 Oct 2018 11:01:31 -0700
Received: from hostingcgi.secureserver.net ([97.74.58.29]) by : HOSTING RELAY : with SMTP id C7AMg1TNPKU5IC7AMgPgOZ; Mon, 15 Oct 2018 11:00:30 -0700
Received-Spf: pass (domain of bounce.secureserver.net designates 72.167.218.31 as permitted sender)
Delivered-To: info@myemailaddress.net
Precedence: bulk

===================================== The form email (just one sample of about 4 I'm getting every 15 min.)

From: formmailer@secureserver.net
Reply-To: info@mywebsite.net
Subject: Form Submission Sun, 14 Oct 2018 15:43:37 -0700
Date: Mon, 15 Oct 2018 11:00:30 -0700
Content-Type: text/plain; charset="iso-8859-1"
 

Name_First: MINH
Name_Middle: MINH
Name_Last: MINH
degreetitle: There is offers
Co_title: There is offers
Company: google
Address_1_Type: Home
Add_Street_1:
Add_City_1: Москва
Add_State_1: Россия
Add_Postal_Code_1: 13043468264
Phone_type_1: 17209886820
Phone_1: 18591556829
Phone_type_2: 12259974204
Phone_2: 12176806032
Email: mommymack4707@gmail.com
Web_Page: http://bit.ly/2t9azX2
Diagnosis: Hey What we have here is , - Join us now, and we will double or even triple your first deposit
http://bit.ly/2JPUGiD
request: Hey What we have here is , - Join us now, and we will double or even triple your first deposit
http://bit.ly/2JPUGiD
Find_us?: elmschindler@gmail.com
What_else?: Hey What we have here is , - Join us now, and we will double or even triple your first deposit
http://bit.ly/2JPUGiD
Submit: Submit
subject: Submission
-----
This e-mail was generated from a form submission on your website.
=============================================================

 

The green (I added the color) above has never been in the body of the emails before.

Anyone have a clue as to what to do?

Community Manager

Re: Workspace email: webformmailer.php hijacked spam

Hi @DougL. Thanks for posting. I'm not sure why this would be happening, but if it continues, our advanced support team should be able to locate where the email is coming from using the address the mail is being sent to, and then pass this information to our security team. To facilitate that, please connect with our customer care team.

 

JesseW - GoDaddy | Community Manager | 24/7 support available at x.co/247support | Remember to choose a solution and give kudos.
Helper II

Re: Workspace email: webformmailer.php hijacked spam

Thank you, JesseW, for your response. I have a few other questions:

Do you think that this exploit allowed the spammers to send out spam emails to others using the GD Formmailer PHP, and that I could be blacklisted?

Can I AutoPurge from 'WorkSpace email' those without a "Sender" or "Subject" in the header? I don't want it to AutoPurge my legitimate form mail.

 

Community Manager

Re: Workspace email: webformmailer.php hijacked spam

@DougL - On the blacklist question, it's hard to say. It seems possible, though blacklists of this nature are usually specific to the sending IP, so it would be the reputation of our email server rather than your domain. We have a team that manages our email environment in regard to things like this, so even if there is a blacklist, it would likely be temporary. As for filtering the messages, the only options are those available in the webmail interface:

  • From
  • To
  • CC
  • To or From
  • To or CC
  • To or From or CC
  • Subject

 

JesseW - GoDaddy | Community Manager | 24/7 support available at x.co/247support | Remember to choose a solution and give kudos.
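Since the webmail filters only key on From/To/CC/Subject, the rule a practitioner would actually want runs over the raw message instead. The following is an added example (not GoDaddy's code or the poster's): a Python triage function that flags this thread's pattern, a missing From and Subject together with the form mailer's footer, and reports the host in the earliest Received hop; the two sample messages are constructed from the headers quoted above, with placeholder addresses.

```python
import email
import re
from email import policy

FORM_FOOTER = "This e-mail was generated from a form submission on your website."

# Constructed sample: the quoted headers trimmed to the ones that matter, plus a body
# in the form mailer's layout (addresses are placeholders).
ROGUE = """Return-Path: <SRS0=RtMy=M3=secureserver.net=mailer@bounce.secureserver.net>
Received: from 127.0.0.1 (EHLO p3plsmtp02-01-26.prod.phx3.secureserver.net) (72.167.218.31) by mta4082.aol.mail.gq1.yahoo.com with SMTP; Mon, 15 Oct 2018 18:01:31 +0000
Received: from hostingcgi.secureserver.net ([97.74.58.29]) by : HOSTING RELAY : with SMTP id C7AMg1TNPKU5IC7AMgPgOZ; Mon, 15 Oct 2018 11:00:30 -0700
Received-SPF: pass (domain of bounce.secureserver.net designates 72.167.218.31 as permitted sender)
To: info@mywebsite.net

Name_First: MINH
-----
This e-mail was generated from a form submission on your website.
"""

# Constructed legitimate submission: normal From and Subject, same footer.
LEGIT = """From: formmailer@secureserver.net
Subject: Form Submission Sun, 14 Oct 2018 15:43:37 -0700

Name_First: Jane
-----
This e-mail was generated from a form submission on your website.
"""


def origin_host(msg):
    """Host named in the earliest Received hop (the last one listed), i.e. where
    the message entered the mail system."""
    hops = msg.get_all("Received") or []
    m = re.match(r"from\s+(\S+)", str(hops[-1]).strip()) if hops else None
    return m.group(1) if m else None


def triage(raw):
    """Classify one raw message. 'rogue' is this thread's pattern: From and
    Subject both blank, yet the body carries the form mailer's footer."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    findings = {
        "blank_from": not str(msg.get("From", "")).strip(),
        "blank_subject": not str(msg.get("Subject", "")).strip(),
        "form_footer": FORM_FOOTER in text,
        "spf_pass": str(msg.get("Received-SPF", "")).lstrip().startswith("pass"),
        "origin": origin_host(msg),
    }
    findings["rogue"] = findings["blank_from"] and findings["blank_subject"] and findings["form_footer"]
    return findings
```

Note that SPF passes and the first hop is GoDaddy's own CGI host, so this is the legitimate form mailer being abused, not a spoofed sender; blocking by sending server would also block real submissions.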
Helper II
Solution

Re: Workspace email: webformmailer.php hijacked spam

OK, this is my story for anyone interested...

After several days and thousands of these emails, and a few hours chatting with Cloud on the chat line that yielded very little help but good conversation, I'm thinking that a couple of files got corrupted somehow. Still not sure why it would change the headers and cycle through and resend the same emails over and over; weird. I did start with creating another email account and setting it up for the hosting to use in the Form Mail section, having GoDaddy reinstall the PHP files (little checkbox in the same section where you assign the email address for the form), and adding a blank field on the HTML form I created (validated only when blank/empty, to stop bots). Haven't checked their PHP code for webformmailer.php yet, but its date was sometime in 2017; I think my original version was from 2001. Oh well, it's been 12 hours and all is well!!
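The blank-field trick in the post above is a honeypot: a field hidden from people, so anything that fills it is a bot. As an added example (not GoDaddy's webformmailer.php, which you cannot edit, but a handler you control), the Python class below applies that check and, since the thread notes the same message being resent every 15 minutes, also refuses a repeat of identical content within a window; the field name "website_url" and the sample fields are assumptions.

```python
import hashlib
import time

HONEYPOT_FIELD = "website_url"  # assumed name; hidden with CSS, so a person never fills it
DUPLICATE_WINDOW = 3600         # seconds during which an identical submission is refused


class FormGate:
    """Decides whether a submission is forwarded. The fingerprint record is
    kept in memory here; a real handler would persist it between requests."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._seen = {}  # content fingerprint -> time it was first accepted

    @staticmethod
    def fingerprint(fields):
        """Digest of the user-visible content, ignoring the honeypot and the button."""
        items = sorted((k, v.strip().lower()) for k, v in fields.items()
                       if k not in (HONEYPOT_FIELD, "Submit"))
        return hashlib.sha256(repr(items).encode("utf-8")).hexdigest()

    def check(self, fields):
        """Return (accepted, reason). Values are assumed to be plain strings."""
        if fields.get(HONEYPOT_FIELD, "").strip():
            return False, "honeypot filled"          # only a bot touches that field
        now = self._clock()
        digest = self.fingerprint(fields)
        first = self._seen.get(digest)
        if first is not None and now - first < DUPLICATE_WINDOW:
            return False, "duplicate submission"     # same content replayed
        self._seen[digest] = now
        return True, "ok"


# Constructed submission using the field names seen in the quoted form email.
SAMPLE_FIELDS = {
    "Name_First": "Jane", "Name_Middle": "Q", "Name_Last": "Public",
    "Company": "Example Co", "Email": "jane@example.com",
    "Web_Page": "", "Submit": "Submit", HONEYPOT_FIELD: "",
}
```

The honeypot check runs before the duplicate check, so a bot filling the hidden field is refused even on its first attempt.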