I just lost a lot of trust in the TurnKey project. After setting up a fresh VM installation (from ISO) of TurnKey WordPress, I daily receive spam mails offering me services for my domain. Paranoid as I am, I set up a new, unique e-mail alias to be used as WordPress admin, so I know for sure that this is the root cause of the spam.

At first, I appreciated the fact that e-mailing works just out of the box; but not for that price. Can anyone point me to where I can change the SMTP server used to one I trust?



Jeremy Davis's picture

Not sure where the spam is coming from but I can assure you that it's not us! We hate spam as much as you do. We pride ourselves on not sharing user details (including emails) with ANYONE! EVER!

We have been in business over 8 years and to the best of my knowledge you are the first person ever to even suggest such a thing! I'm almost tempted to be offended because we have demonstrated again and again that we put our ideals first and our profits second. But I'm guessing you must be pretty new around here, so I'll give you the benefit of the doubt...!

FWIW TurnKey servers do not use an SMTP relay OOTB. They have postfix installed as an MTA and so send emails directly. We do recommend that you configure an SMTP for better email reliability though (sending emails direct can be quite hit and miss as often public IPs get abused by spammers - so often direct sent emails get blacklisted). Unless you have signed up to our newsletter, then we don't even have your email address, only your server does.

The only thing I can think of, is perhaps there is a contact form or something similar within the WP site which spammers are using? It's pretty common for spam bots to fill in forms and submit them. We have that happen all the time with this site.

The only other thing that occurs to me (and I think is probably a long shot) is did you set a really good password? Perhaps someone has managed to brute force access to your server?

Hi Jeremy,

Thank you for the quick response. I'm sorry if I appeared offensive, that was not my intention. You are right, I'm pretty new to TurnKey, used several apps for the last couple of years, but only for testing, really. Love your effort and what you do, though!

This being said, I'm still pretty convinced the WP instance somehow pushed my address somewhere it shouldn't have. It's still a vanilla WP setup; there is no real content (yet), so no published address, and there is no contact form. Hence, no way for traditional spam bots to get this info.

I also rule out brute forced admin access: it's a randomly generated, strong password. If they got that so quickly, they almost deserve to spam me. ;)

And if Turnkey uses an MTA, then the mails actually never left my ISP. Strange... Could it be that WP itself published my admin address? I find this also unlikely.

Anyway, I just found the doc for using smtp instead of MTA. I'll set this up, change the mail alias and see what happens.


Jeremy Davis's picture

No problems, I wasn't really angry or offended, just a bit shocked!

As to your concerns about the WP appliance. As I said, I am not aware of anyone else reporting something like that, so I'm inclined to doubt it.

However, it does come bundled with some (in our opinion) useful plugins. I'd like to think not, but if you are sure it couldn't have come from anywhere other than the appliance, then perhaps there is something not quite right with one of the plugins that are included? We double check them against what is available upstream, but we don't actually do a full code review on them every release (we have done some code review in the past, but it's a big job). Perhaps something malicious has been added upstream somewhere/somehow?

FWIW for the next release, we are actually not going to include any plugins pre-installed. We have had some feedback that the work required to remove the unwanted plugins almost defeats the purpose of having a prebuilt appliance. So moving forward, the default appliance will have none pre-installed, and instead will just suggest them (with links) on the default (custom) home page.

Please let me know how you go with the SMTP relay and your new alias. If we can confirm that there is something untoward happening, and even better still if we can work out exactly what, then we'd love to know.

So I changed from MTA to my ISP's SMTP relay and created a new mail alias for the admin user. So far I've not received any spam anymore. Not on the new alias, nor the old one. This leaves this test a bit inconclusive, so far. I'll report if things should change.

But I agree, getting rid of bundled plugins may be a good idea. The ones the user actually wants are installed pretty quickly.

