Receiving constant blank emails...

Started by JustOneOldMan, April 05, 2014, 06:42:58 PM

JustOneOldMan

Hope someone can offer some words of wisdom here.  A couple weeks ago I started receiving blank emails from SMF.  No subject, no content.

I have 3 forums that use the same email address, and no way to tell which one they are coming from.  I get about 15-20 emails per hour.  I can see in the header info that they are coming from SMF, and all have a UID of 30297 (though the QMail number changes).

As a test, I've changed all email addresses in all 3 forums to test emails, both the webmaster email and the admin email.  No change.  I've scanned all primary files for code injection, but haven't found anything.  Also turned off db_error_send in all 3 forums.

Even changing all email addresses to something else, I still get mail to the original address.  I also searched the databases to make sure I hadn't missed a stored email address somewhere.

After two weeks of getting these emails, and doing all the testing I can think of, I also tried hosting support (GoDaddy) which of course was no help.  Just wondered if anyone here could think of anything I've missed, or that could be causing this?  With no subject or content, the only thing I know is that it's coming from the original primary email address, coming to the original address, and that it's coming from SMF according to the header info.

Any thoughts would be greatly appreciated...
A computer once beat me at chess, but as it turns out it was no match for me at kickboxing...

Lou69

Sounds sort of like the server email ( group mail ) on your host server is sending these. Have you used cPanel to look at that setup?

JustOneOldMan

Hi Lou69, thanks for the reply.  I did check that, but don't think it's the host.  The "X-Mailer" field in the email headers says "SMF".  I just can't figure out why...

Sir Osis of Liver

If the forum is sending emails to an address that's not in the database, and there's nothing in the forum files, then it's either a host problem or a hack that you haven't found.  If you put the forum in maintenance mode, do the emails continue?  What happens if you change one of the db settings in Settings.php and crash the forum?
Ashes and diamonds, foe and friend,
 we were all equal in the end.

                                     - R. Waters

JustOneOldMan

I haven't tried that yet, Krash.  The forums are relatively active on a 24 hour basis, and no one else has reported getting any of these emails, so I've been hesitant to take them down for any length of time.  I've thought about it as a last resort test, but thought I'd check first and see if anyone else had experienced this.

Host (GoDaddy) said there's nothing they can do after sending them an email header, and there's nothing in the CP that would cause it.  I haven't scanned all files for code injection yet, but did most of the standard ones.  It would seem, though, that a hack would use whatever email is available rather than retaining the original email address somewhere, but I guess anything is possible.

I'll keep looking and testing, and likely at some point take down the forums for a short period as a test.  If I find anything I'll post back...

Zirkon

When I used GoDaddy I had nothing but problems with mail sending. The problems would go away on their own... then come back weeks later. The next time you call them don't be surprised if they try to sell you on higher tier hosting VPS etc. After using them for a year it seemed like the problems were created by them deliberately to push you into a more expensive account and to get you to call them on the phone. It happened too many times to be a coincidence and always ended with them trying to move my tiny site to a VPS account.  ???

The minute I signed on with a new host the problem went away. I wouldn't pull your hair out on this one, but I would look for a new host.


JustOneOldMan

Though I've seen all the negatives over the years about GoDaddy, I'd always had good luck with them.  I've been with them for about 12-13 years, have about a dozen of my own domains there, and over 80 client domains/hosting accounts.  Everything always worked relatively well and I always got good support.  Till lately.  Lately I've had a number of issues there - partly I'm sure because of their recent server and database server migrations - and the support has gone 'Kirby/Hoover'.  They did quit trying to sell me anything extra quite a while back, though.

I've been very much disliking them of late, and have started using a few other hosts (currently Arvixe is my favorite).  But, changing these particular sites would be difficult.  A couple are 9-10 years old, and have a ton of attachments totaling many, many gigabytes.  More than Arvixe or any other host I've found will migrate for me without charge, and too much for me to download and re-upload.

It's not that it can't be done, and nothing that throwing some money at wouldn't solve, it's just not something I want to do right now if I can help it.  I've submitted yet another trouble ticket to them with more information, we'll see what happens.  Sometimes just getting the right tech person makes a difference.  I'm sure it will be 3-4 days before I hear anything, that seems to be standard now, but I'll give them one more chance...

Zirkon

It sounds like you aren't on their lower shared hosting platform tiers. I never had any contact with a tech that helped in any of the situations. Had nothing but frustration dealing with them. Sorry to hear you are having this issue, and I can't be of any more help.

Thank you for the heads up about Arvixe. Things aren't going too well for me right now with my current host and looking to move to another. Sitting here waiting for 10+hrs for a response or acknowledgement to a support ticket isn't cutting it with me.


JustOneOldMan

Hey Zirkon,

Most of my plans (or client plans) are on their shared hosting.  I used to get great support from GoDaddy, but it's really gone down the tube lately.  I did a lot of looking around, and there are lots of decent hosting companies out there, but I settled on Arvixe because they answered all my questions in a way that made me believe they knew what they were doing, and kept answering in a timely and knowledgeable way after I signed up.  And I like their plans and fees.  I even finally ended up becoming an affiliate - but not trying to sell anything here.  I just like them.

If you go that way, look for deals before you sign up.  They're always offering discounts.  I should say, though, that 10 hours isn't unusual for a response from a trouble ticket with any host.  You hope for less time, but it's not always the case.  If you need help faster a phone call is usually better...

JustOneOldMan

Well, four days later I finally got a response from the last trouble ticket I submitted to GoDaddy.  About what I expected.  They said from the email header I sent that it looks like a WordPress plugin (I don't have WordPress installed on that server) or some other app sending the emails.  Nothing they can do.  In addition to their now standard four day ticket turn around, the "has to be on your end and nothing we can do" mantra has me more than a little peeved.

And I still can't figure out where the emails are coming from.  No subject, no content, and no way to know which of the 3 sites/forums they're even coming from that use that email.  The only indication of anything is just the mention of SMF in the header, but of course not which installation of SMF.

I guess the next step is to try what Krash suggested - inform the members and crash all the forums for a couple hours as a test.  If the emails stop, bring them back one at a time.  And if not, I'm lost...

Sir Osis of Liver

How many forums are you running?  Are they all on the same account?  Windows or linux? 

JustOneOldMan

Krash, I actually have quite a few forums, but only 3 using this email address.  I have two forums on one domain (an 'archived' and a current), and this system is about 10 years old.  Then I have a 3rd forum on another domain using the same email.  This forum is only accessible by members that I register.

The problem seemed to start about the time GoDaddy was supposed to be migrating old (MySQL 4x) databases to updated V5 servers 3-4 weeks ago, which was the case for the 'archived' forum.  During this migration, they killed the database for the archived forums.  This led me to believe it was that system that was sending the emails and I first concentrated there.  I rebuilt the database there from a backup (no help from GoDaddy), but that didn't fix anything as far as the emails.

Since then I've been going through everything I can think of in all 3 forums.  I still haven't found any code injections anywhere through manual file edits, and I've scanned files by date hoping to see something unusual modified.

The simple timing aspect of the database migration and the database crash, and the emails starting to come in, keep pushing me back to something there.  I just can't figure out what...

Sir Osis of Liver

Can you post or pm one of the emails?

JustOneOldMan

Just deleted the latest batch before seeing your post, Krash, but give me a few minutes for new ones to come in and I'll PM one to you here...



#Edit:  PM sent, Krash...

Sir Osis of Liver

There are two questions here, what is sending the emails, and where is it getting the address.  All of the email functions in SMF query the database for an address to send an email.  In a basic install, addresses are saved in three tables -

  smf_settings - paypal_email
  smf_members - email_address
  smf_messages - poster_email

If you have mods installed, there may be other tables that store addresses.

The $webmaster_email address is stored in Settings.php and Settings_bak.php, not in the db, and updates in both when you change it in Server Settings.  All emails are sent from $webmaster_email to the recipient's email_address as found in smf_members, which is set in user Profile.

It appears that your $webmaster_email and email_address are the same, which is typical for a forum owner.

- If you change $webmaster_email, does From: in the mail header change?
- If you change email_address (in your Profile), does To: in the mail header change?
- Are you on a shared server or vps?

JustOneOldMan

I'm on shared hosting with these, Krash.

For each of the forums I did change the email addresses for webmaster and the profile, and did verify the address was changed in Settings.php, but didn't check Settings_bak.php.  Then I searched the entire databases using phpmyadmin for the original email address - all tables.

It didn't change either the From or To in the emails I was receiving.

After looking initially at the crashed forum database I did do this to all 3 forums at once, figuring if it fixed the issue I'd go back and reset addresses in one forum at a time till I found the problem area.

But, I'll go back again and do the same thing to one forum at a time and make sure I've hit every base.  Just in case I did miss something the first time around.  I know it almost has to be something I'm missing somewhere.  I'll post back anything I find - or don't.  And thanks again for looking at this...

Sir Osis of Liver

Doesn't make sense.  X-Mailer identifies SMF as sending software, but can't think of anything that could cause it to do this.  Almost seems like something is caught in a loop somewhere.  Are you using php or smtp mail?  Is mail queue enabled?  Anything in the queue?

JustOneOldMan

I know, I'm just baffled.

In all three forums mail queue is NOT enabled, there's nothing in the queue, and all three are using PHP.

I've just gone through all three forums one at a time and verified the change to webmaster mail, profile mail, checked both Settings.php and Settings_bak.php, and searched the databases.  Waited after every change till I got at least a dozen emails, and nothing.  Same from and to address.

Then I thought about the possibility I was using that email in another forum and had forgotten, but no.  Checked them all.

I did try Maintenance Mode just for kicks, and nothing there either.

I'm lost.  I have no idea where these are coming from.  I was hoping that GoDaddy could at least identify the domain they were coming from to narrow things down, but they couldn't/wouldn't/didn't want to.

They're definitely coming from SMF, but I don't have a clue how or which installation.  And other than Maintenance Mode I don't know how I could completely disable a forum temporarily without just uninstalling it, which I don't want to do if I can help it.  Temporarily changing the database info so they can't access them doesn't do it, and of course changing the folder name doesn't do it.

I'll just keep fiddling with things, I guess, and if I stumble on something I'll post the findings.  Very strange...

Sir Osis of Liver

Can you do a text search of all the forum directories?  Probably a waste of time, but if there's a hack in there and it's in plain text, you should be able to find the email address.  It's not coming from the database or Settings.php, so if the emails are originating from a forum, would have to be hardcoded somewhere.

JustOneOldMan

Well Krash, you're a rock star and I'm a dumb xxx.  Well, me and GoDaddy.

You prompted me to do a full text search on all server script and text files in all the forums folders.  I searched for the standard base_decode stuff, and for my email address.  Had high hopes, but after using up a lot of server time found nothing.

Then I thought to myself, why not just do a full search of the root and all folders on the servers.  First run on the single forum server found nothing, but on the other server I found something that jogged an old memory.

Last summer, I had created an onsite backup of a forum during a problem period.  I'd left the forum intact, put it in a folder with an obscure name, and disabled it.  I backed up the database, renamed it to something obscure, and created a new one for the new install.  Then I forgot about it.

The recent 'migration' GoDaddy performed 3-4 weeks ago on some servers and all V4 database servers had (along with two current working databases) corrupted that old database.

So, even though the forum backup was shut down (Maintenance Mode 2), and I'd thought everything else there was static and non-functional, it was that old forum and database backup that was sending the emails.  I have to blame myself for not remembering or thinking of that old backup earlier, but on the other hand if GoDaddy hadn't destroyed at least 3 of my databases I guess the email problem would never have surfaced.

Sorry to have wasted so much of your time, but if you hadn't suggested the full text search I may never have finally figured this one out.  I still don't know why I got the emails from that disabled forum, or why the email would have been completely blank instead of at least telling me there was a database error or something, but I haven't had one in over an hour now and I believe the issue to be resolved.

Thanks for sticking with it and pushing me to look deeper.  Appreciate it, and lesson learned.  I won't even use being old as an excuse... ;)
A computer once beat me at chess, but as it turns out it was no match for me at kickboxing...
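
The search that resolved this thread, written out as an added example (not posted by anyone in the thread, and not SMF's own tooling): it walks a whole web root rather than only the known forum folders, lists every SMF install it finds with its maintenance setting, database name and $webmaster_email, and lists any text file that still contains a given address. The function names are hypothetical, $maintenance and $db_name are assumed to be set in Settings.php the way stock SMF does, and the sample tree and addresses are constructed.

```shell
#!/bin/sh
# Inventory every SMF install under a web root, including disabled or
# forgotten backup copies, and list files that still contain an address.

# smf_setting FILE NAME: print the value assigned to $NAME in a Settings.php.
smf_setting() {
    sed -n "s/^[[:space:]]*\\\$$2[[:space:]]*=[[:space:]]*['\"]\{0,1\}\([^'\";]*\).*/\1/p" "$1" | head -n 1
}

# smf_inventory ROOT: one line per install, dir|maintenance|db_name|webmaster_email
smf_inventory() {
    find "$1" -type f -name 'Settings.php' 2>/dev/null | sort | while IFS= read -r f; do
        # Treat the file as an SMF config only if it defines $webmaster_email.
        grep -q '^[[:space:]]*\$webmaster_email' "$f" || continue
        printf '%s|%s|%s|%s\n' "$(dirname "$f")" \
            "$(smf_setting "$f" maintenance)" \
            "$(smf_setting "$f" db_name)" \
            "$(smf_setting "$f" webmaster_email)"
    done
}

# files_with_address ROOT ADDRESS: text files containing ADDRESS as a literal string.
files_with_address() {
    grep -rlIF -- "$2" "$1" 2>/dev/null | sort
}

# Constructed sample: a live forum plus a backup copy left in an obscure folder.
make_sample_tree() {
    mkdir -p "$1/forum" "$1/zz_old_0713"
    printf "<?php\n\$maintenance = 0;\n\$webmaster_email = 'new@example.org';\n\$db_name = 'forum_live';\n" > "$1/forum/Settings.php"
    printf "<?php\n\$maintenance = 2;\n\$webmaster_email = 'owner@example.org';\n\$db_name = 'bk_0713';\n" > "$1/zz_old_0713/Settings.php"
}

# Demo on the constructed tree; point the two functions at a real web root instead.
demo_root=$(mktemp -d) && make_sample_tree "$demo_root"
smf_inventory "$demo_root"
files_with_address "$demo_root" 'owner@example.org'
rm -rf "$demo_root"
```

An install that appears in the inventory but is not one of the forums being administered, or a db_name nobody recognises, is the kind of leftover copy described in the last post.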