While investigating an issue with my mail server, I've found something quite curious and a bit upsetting in the Mail Queue Manager in WHM ... It looks like there's some spam being generated from the ******** account via the vBulletin PHP mail form:

https://vborg.vbsupport.ru/attachment.php?attachmentid=148066&d=1391469384

Here's the Extended Header code:

Date:
Tue, 21 Jan 2014 11:26:23 -0500
From:
********
Subject:
Spend $12 and earn up to $4000 a week... GUARANTEED!!
Auto-Submitted:
auto-generated
Content-Transfer-Encoding:
8bit
Content-Type:
text/plain; charset="ISO-8859-1"
Message-ID:
<20140121162553.c0c0dea600f4@www.********.com>
MIME-Version:
1.0
Received:
from nobody by vps.********.com with local (Exim 4.80)
(envelope-from <nobody@vps.********.com>)
id 1W5e9f-0008Ju-0p; Tue, 21 Jan 2014 11:26:23 -0500
Return-Path:
********
T To:
sord1992@gmail.com, sordinska@gmail.com, sorinsas60@gmail.com, sornpong24@gmail.com, sorokamail@mail.ru, sorrell116@bellsouth.net, sorrell116@yahoo.com, sory_mal@yahoo.com, soshanya@gmail.com, sosna345@gmail.com, soso09@ediffmail.com, sosumi02@gmail.com, soswalker@gmail.com, soubanpk@hotmail.com, sougatadas56@gmail.com, souhail40@gmail.com, souissihoucine12@yahoo.fr, soul_lich10@yahoo.com, SOUL010683@HOTMAIL.COM, soul100@hotmail.co.uk, soule990@aol.com, soulhealer12@hotmail.com, soulplayca@gmail.com, soulsanogo2007@yahoo.fr, soulsearch3r@gmail.com, ----SNIP - there are what appears to be hundreds more email address listed here...
X-Mailer:
vBulletin Mail via PHP
X-Priority:
3

-------------------
-------------------
vBulletin does not automatically generate such code. This seems malicious and should NOT be happening.

My server admin has told me the following:

This indicates that there may have been a vBulletin webmaster account compromise. The last occurrence appears to be from Jan. 21. Unfortunately, the DSO PHP handler do not have logs so we cannot determine what component of vBulletin is at fault.

Any additional ideas on what could cause this and how to fix the issue so it never occurs again will be very much appreciated!

J.

1) Don't allow guestst to email users.

2) ACP--> Settings --> Options --> Site Name / URL / Contact Details, find the setting, Allow Unregistered Users to use 'Contact Us' ans set it to "No"

3) Your forum might have been compromised. Run the Suspect File Versions tool and look for anything suspicious, most notably, anything that says File does not contain expected contents. If there's anything that says File not recognized as part of vBulletin, that's normal, as it's from modifications you have. Just make sure all those modifications are modifications you installed yourself.

Excuse me for asking also but, didn't you just publish the email addresses of some of your users in a open forum?

Ohhh, and you may want to run this query to get rid of any more emails:

TRUNCATE TABLE mailqueue;

If you are using a table prefix, be sure to add it before mailqueue.

If you think you have been hacked then follow this. But you would be best to follow post 2 as it looks like that is your problem

First you need to follow our advisory about deleting the install folder off your forums.

Then please read the following two blog posts:
http://www.vbulletin.com/forum/blogs...ve-been-hacked (http://www.vbulletin.com/forum/blogs/zachery/3993888-fixing-your-site-after-you-have-been-hacked)

http://www.vbulletin.com/forum/blogs...vbulletin-site (http://www.vbulletin.com/forum/blogs/zachery/3993849-best-practices-for-securing-your-vbulletin-site)

Also please see these recent security announcements:

vBulletin 4.1.x-4.2.x & All versions of vBulletin 5: http://www.vbulletin.com/forum/forum...-1-vbulletin-5 (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5)
vBulletin 5.0.x patch released, for a different security issue: http://www.vbulletin.com/forum/forum...d-all-versions (http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3993204-vbulletin-5-connect-security-patches-released-all-versions)

Thanks so much for the tips Chris and ForceHSS. Much appreciation!

Excuse me for asking also but, didn't you just publish the email addresses of some of your users in a open forum?
No I didn't. I would never do such a thing.

For clarification: The spam email had NOT been sent to forum members, but rather to email addresses that appear to be compiled from a generic mail list. The email address listed in the op is part of that generic mail list.

Thanks again guys. Off to do more troubleshooting.

J.

Please report back any findings, so we can see what's going on. :)