Channel: WordPress.org Forums » [WP Mail SMTP by WPForms - The Most Popular SMTP and Email Log Plugin] Support
Email spam possibly delivered through WP Mail SMTP


I don’t know if this is a WP Mail SMTP problem or a Jetpack Sharing problem, but hundreds of emails a day are being sent through, I believe, WP Mail SMTP, via my API connection to Gmail. I’m getting hundreds of bounce-backs to the Google Mail address connected to my Google Developers account.

Here’s a screenshot of my inbox: https://nimb.ws/rnNT6d

I have Sucuri Malware Scanner on my site and I don’t see any indication of a hack. Plus, I’m running a multisite and the only site in the network sending this spam is the only one connected to WP Mail SMTP via the Google API.

Here is the header of just one of thousands of messages that are being sent through my site:

Delivered-To: az@xxxxxxxxxx.com
Received: by 2002:a54:2487:0:0:0:0:0 with SMTP id m7csp1016202eco;
        Wed, 15 Jun 2022 04:58:03 -0700 (PDT)
X-Received: by 2002:a05:6402:270a:b0:431:43f6:1e02 with SMTP id y10-20020a056402270a00b0043143f61e02mr12246954edd.317.1655294163580;
        Wed, 15 Jun 2022 04:56:03 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@googlemail.com header.s=20210112 header.b=khSALBH6;
       spf=pass (google.com: best guess record for domain of postmaster@mail-sor-f69.google.com designates 209.85.220.69 as permitted sender) smtp.helo=mail-sor-f69.google.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com
Return-Path: <>
Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])
        by mx.google.com with SMTPS id c4-20020a1709060fc400b00704dc822cffsor4665022ejk.31.2022.06.15.04.56.03
        for <az@xxxxxxxx.com>
        (Google Transport Security);
        Wed, 15 Jun 2022 04:56:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of postmaster@mail-sor-f69.google.com designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@googlemail.com header.s=20210112 header.b=khSALBH6;
       spf=pass (google.com: best guess record for domain of postmaster@mail-sor-f69.google.com designates 209.85.220.69 as permitted sender) smtp.helo=mail-sor-f69.google.com;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=googlemail.com
X-Received: by 2002:a17:907:a424:b0:702:f94a:a897 with SMTP id sg36-20020a170907a42400b00702f94aa897mr8480278ejc.255.1655294163443;
        Wed, 15 Jun 2022 04:56:03 -0700 (PDT)
Content-Type: multipart/report; boundary="0000000000009c53c305e17b34d7"; report-type=delivery-status
To: az@digitalstrategyworks.com
Received: by 2002:a17:907:a424:b0:702:f94a:a897 with SMTP id sg36-20020a170907a42400b00702f94aa897mr5401153ejc.255; Wed, 15 Jun 2022 04:56:03 -0700 (PDT)
Return-Path: <>
Auto-Submitted: auto-replied
Message-ID: <62a9c8d3.1c69fb81.eec68.f360.GMR@mx.google.com>
Date: Wed, 15 Jun 2022 04:56:03 -0700 (PDT)
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Subject: Delivery Status Notification (Failure)
References: <CAATTXz4=ct43Y5R9nRks4x7a49BvBjMEj3oKK+s1nNpEvqL6fw@mail.gmail.com>
In-Reply-To: <CAATTXz4=ct43Y5R9nRks4x7a49BvBjMEj3oKK+s1nNpEvqL6fw@mail.gmail.com>
X-Failed-Recipients: 250292384@qq.com

--0000000000009c53c305e17b34d7
Content-Type: multipart/related; boundary="0000000000009c59a905e17b34e4"

--0000000000009c59a905e17b34e4
Content-Type: multipart/alternative; boundary="0000000000009c59b205e17b34e5"

--0000000000009c59b205e17b34e5
Content-Type: text/plain; charset="UTF-8"

** Message not delivered **

There was a problem delivering your message to 250292384@qq.com. See the technical details below, or try resending in a few minutes.

Learn more here: http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000724
(Warning: This link will take you to a third-party site)

The response from the remote server was:
550 Domain frequency limited [MORv3C5CCiXxPdYAy6ESClo3NLtn0wJqqEht2ZZAP0B2P/7qttmflAxC7GBgTddvjQ==  IP: 2a00:1450:4864:20::62f]. http://service.mail.qq.com/cgi-bin/help?subtype=1&&id=20022&&no=1000724

--0000000000009c59b205e17b34e5--
--0000000000009c59a905e17b34e4
Content-Type: image/png; name="icon.png"
Content-Disposition: attachment; filename="icon.png"
Content-Transfer-Encoding: base64
Content-ID: <icon.png>

--0000000000009c59a905e17b34e4
Content-Type: image/png; name="warning_triangle.png"
Content-Disposition: attachment; filename="warning_triangle.png"
Content-Transfer-Encoding: base64
Content-ID: <warning_triangle.png>

--0000000000009c59a905e17b34e4--
--0000000000009c53c305e17b34d7
Content-Type: message/delivery-status

--0000000000009c53c305e17b34d7
Content-Type: message/rfc822

X-Received: by 2002:a17:907:a424:b0:702:f94a:a897 with SMTP id sg36-20020a170907a42400b00702f94aa897mr8480133ejc.255.1655294160948; Wed, 15 Jun 2022 04:56:00 -0700 (PDT)
Received: from 136468384894 named unknown by gmailapi.google.com with HTTPREST; Wed, 15 Jun 2022 06:47:41 -0500
From: "注册送38元【澳门金沙集团】:www.014784.com/? 最最最最火爆,高额奖池“PT电子”无限喷发,强势来袭!" <az@digitalstrategyworks.com>
Reply-To: "注册送38元【澳门金沙集团】:www.014784.com/? 最最最最火爆,高额奖池“PT电子”无限喷发,强势来袭!" <Sendtoafriend@zdnet.fr>
X-Mailer: WPMailSMTP/Mailer/gmail 3.4.0
MIME-Version: 1.0
Date: Wed, 15 Jun 2022 06:47:41 -0500
Message-ID: <CAATTXz4=ct43Y5R9nRks4x7a49BvBjMEj3oKK+s1nNpEvqL6fw@mail.gmail.com>
Subject: [Shared Post] PMPress
To: 250292384@qq.com
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: base64

5rOo5YaM6YCBMzjlhYPjgJDmvrPpl6jph5Hmspnpm4blm6LjgJHvvJp3d3cuMDE0Nzg0LmNvbS8/
IOacgOacgOacgOacgOeBq+eIhu+8jOmrmOmineWlluaxoOKAnFBU55S15a2Q4oCd5peg6ZmQ5Za3
5Y+R77yM5by65Yq/5p2l6KKtIQ0KIChTZW5kdG9hZnJpZW5kQHpkbmV0LmZyKSB0aGlua3MgeW91
IG1heSBiZSBpbnRlcmVzdGVkIGluIHRoZSBmb2xsb3dpbmcgcG9zdDoNCg0KUE1QcmVzcw0KaHR0
cHM6Ly9kaWdpdGFsc3RyYXRlZ3l3b3Jrcy5jb20vcG0tcHJlc3MvDQo=

--0000000000009c53c305e17b34d7--
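
A triage sketch for bounces like the one above, added here as an example and not part of the original post: it parses a delivery-status bounce, pulls out the embedded original message, and reports the sending path (`X-Mailer`), whether the subject carries the `[Shared Post]` prefix, and whether `Reply-To` differs from `From`. The sample bounce and its addresses are constructed, and treating the `[Shared Post]` prefix as the marker of a share-by-email form is an assumption.

```python
import email
from collections import Counter
from email import policy
from email.utils import parseaddr

# Constructed sample bounce (placeholder addresses), trimmed to what triage needs.
SAMPLE_BOUNCE = """\
From: Mail Delivery Subsystem <mailer-daemon@googlemail.com>
Subject: Delivery Status Notification (Failure)
X-Failed-Recipients: rcpt@example.net
Content-Type: multipart/report; boundary="b1"; report-type=delivery-status

--b1
Content-Type: message/rfc822

From: "promo text" <owner@example.com>
Reply-To: "promo text" <other@example.org>
X-Mailer: WPMailSMTP/Mailer/gmail 3.4.0
Subject: [Shared Post] Sample page
To: rcpt@example.net

sample body
--b1--
"""

def triage_bounce(raw):
    """Return facts about the original message embedded in a DSN, or None."""
    msg = email.message_from_string(raw, policy=policy.default)
    orig = next((p.get_payload(0) for p in msg.walk()
                 if p.get_content_type() == "message/rfc822"), None)
    if msg.get_content_type() != "multipart/report" or orig is None:
        return None
    sender = parseaddr(str(orig.get("From", "")))[1].lower()
    reply = parseaddr(str(orig.get("Reply-To", "")))[1].lower()
    subject = str(orig.get("Subject", ""))
    return {
        "failed_rcpt": str(msg.get("X-Failed-Recipients", "")),
        "x_mailer": str(orig.get("X-Mailer", "")),
        # Assumption: this subject prefix marks a share-by-email form submission.
        "share_form": subject.startswith("[Shared Post]"),
        "reply_to_differs": bool(reply) and reply != sender,
    }

def summarize(bounces):
    """Count bounces per (X-Mailer, share_form) to show which send path is abused."""
    counts = Counter()
    for t in filter(None, map(triage_bounce, bounces)):
        counts[(t["x_mailer"], t["share_form"])] += 1
    return counts
```

Run `summarize` over the raw bounces exported from the affected mailbox: a count concentrated on one `X-Mailer` with `share_form` true points at a public form on the site rather than at stolen mail credentials.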
