We have a server with 300+ websites on it, and it has gotten an abuse letter from SpamCop. We have investigated the logs and searched for the PHPMailer version stated in the mail, and it all came up with nothing.
I was wondering if there is a chance that some sort of PHPMailer script is obfuscated or encoded, and how to find it. I am running NeoPi and Web Shell Detector, but so far nothing comes up.
Is there a way to monitor the outgoing port 25 and filter it by the domain name? The domain which the emails are supposed to be coming from is clean; I suspect that some other code is using this domain because of its DKIM, SPF, etc.
Return-Path: <dianne.l@*****.com>
X-Original-To: x
Delivered-To: x
Received: by truhi.net (Postfix, from userid 132)
id 5BB8510057D; Sat, 29 Jul 2017 11:35:05 +0300 (EEST)
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on truhi.net
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=3.1 tests=HTML_MESSAGE autolearn=ham
autolearn_force=no version=3.4.1
Received-SPF: None (mailfrom) identity=mailfrom; client-ip=**.**.**.***; helo=a.**.com; envelope-from=dianne.l@*****.com; receiver=<UNKNOWN>
X-Greylist: delayed 319 seconds by postgrey-1.36 at truhi; Sat, 29 Jul 2017 11:35:04 EEST
Received: from a.**.com (mail.**.com [**.**.**.***])
by truhi.net (Postfix) with ESMTP id 0D6C4100164
for <x>; Sat, 29 Jul 2017 11:35:02 +0300 (EEST)
Received: by a.**.com (Postfix, from userid 33)
id 3075E922488; Sat, 29 Jul 2017 11:29:35 +0300 (IDT)
To: x
Subject: Enter our club as a lover
Date: Sat, 29 Jul 2017 11:29:35 +0300
From: "Dianne L." <dianne.l@*****.com>
Message-ID: <7fee________________________c316@www.*****.com>
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="b1_7feee464828bc148486a4b82f280c316"
Content-Transfer-Encoding: 8bit
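An added triage script for the situation above (example code, not from the question's author or from the PHPMailer project). It starts from the one clue in the headers that is not masked: the hop `Received: by a.**.com (Postfix, from userid 33)` is the line Postfix adds when a message is handed to the local sendmail binary, here by uid 33, which on Debian/Ubuntu is www-data (an assumption about the poster's distribution). That means a process under the web server submitted the mail locally, not a remote SMTP client, which is consistent with PHPMailer's default mail() transport. The script then searches a web root for the base64-encoded forms of a marker string, which is why a plain grep for the PHPMailer version string can come up empty, and scores files for common obfuscation indicators. Host names, addresses and file contents in the sample data are constructed placeholders.

```bash
#!/bin/bash
# Added triage example for the question above. Not code from the poster or from the
# PHPMailer project. Assumptions: a Debian/Ubuntu host where uid 33 is www-data, and
# web roots under WEBROOT (default /var/www; override via the environment).
WEBROOT="${WEBROOT:-/var/www}"

# Print the uid from the earliest "Received: by HOST (Postfix, from userid N)" header of a
# saved message. That header means the message entered Postfix through the local sendmail
# binary as that uid, not over SMTP from a remote client. Prints nothing when absent.
originating_uid() {
    sed -n 's/^Received: by [^ ]* (Postfix, from userid \([0-9][0-9]*\)).*/\1/p' "$1" | tail -n 1
}

# Emit the three base64 alignments of a marker string, trimmed to the characters that do
# not depend on surrounding bytes, so an encoded copy can be grepped for wherever it sits
# inside a larger base64 blob.
base64_variants() {
    local s="$1" p enc n lead trail
    for p in 0 1 2; do
        enc=$(printf '%*s%s' "$p" '' "$s" | base64 | tr -d '\n')     # p prefix bytes
        n=$(( ${#s} + p ))
        case $p in 0) lead=0 ;; 1) lead=2 ;; 2) lead=3 ;; esac       # chars mixing prefix bits
        case $(( n % 3 )) in 0) trail=0 ;; 1) trail=3 ;; 2) trail=2 ;; esac   # mixed tail + '='
        enc=${enc:$lead}
        if [ "$trail" -gt 0 ]; then enc=${enc:0:$(( ${#enc} - trail ))}; fi
        echo "$enc"
    done
}

# Score one file for obfuscation indicators typical of dropped mailer scripts (0 = none).
obfuscation_score() {
    local f="$1" score=0
    # eval() fed by a decoder instead of literal code
    if grep -Eq 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)[[:space:]]*\(' "$f"; then score=$((score+3)); fi
    # preg_replace with the /e modifier, which executes the replacement string
    if grep -Eq "preg_replace[[:space:]]*\(.*/e['\"]" "$f"; then score=$((score+2)); fi
    # runs of hex escapes that spell out function names ("\x65\x76\x61\x6c" is "eval")
    if grep -Eq '(\\x[0-9a-fA-F]{2}){4}' "$f"; then score=$((score+2)); fi
    # a single line over 2000 bytes is typical of packed payloads
    if awk 'length($0) > 2000 { found = 1 } END { exit !found }' "$f"; then score=$((score+1)); fi
    # a PHPMailer class definition outside a vendor or PHPMailer directory
    case "$f" in
        */vendor/*|*/PHPMailer/*|*/phpmailer/*) ;;
        *) if grep -Eq 'class[[:space:]]+PHPMailer([^A-Za-z0-9_]|$)' "$f"; then score=$((score+1)); fi ;;
    esac
    echo "$score"
}

# Walk a web root; every extension is considered because droppers hide as .ico/.jpg and
# get include()d. Prints "score path" lines, highest first, for files that scored at all.
scan_webroot() {
    local root="$1" marker="${2:-PHPMailer}" f score v variants
    variants=$(base64_variants "$marker")
    find "$root" -type f -size -4M -print | while IFS= read -r f; do
        grep -Iq '<?' "$f" 2>/dev/null || continue        # skip binaries and non-PHP text
        score=$(obfuscation_score "$f")
        for v in $variants; do
            if grep -Fq "$v" "$f"; then score=$((score+2)); break; fi   # encoded marker
        done
        if [ "$score" -gt 0 ]; then printf '%d %s\n' "$score" "$f"; fi
    done | sort -rn
}

# Constructed sample inputs (masked hosts and IPs from the post replaced with
# documentation placeholders) so everything above can run offline. Prints the directory.
make_samples() {
    local d; d=$(mktemp -d)
    cat > "$d/abuse-report.eml" <<'EOF'
Received: by truhi.net (Postfix, from userid 132)
  id 5BB8510057D; Sat, 29 Jul 2017 11:35:05 +0300 (EEST)
Received: from a.example.com (mail.example.com [192.0.2.10])
  by truhi.net (Postfix) with ESMTP id 0D6C4100164
Received: by a.example.com (Postfix, from userid 33)
  id 3075E922488; Sat, 29 Jul 2017 11:29:35 +0300 (IDT)
X-Mailer: PHPMailer 5.2.23 (https://github.com/PHPMailer/PHPMailer)
EOF
    mkdir -p "$d/www/site1/wp-content/uploads" "$d/www/site1/vendor/phpmailer" "$d/www/site2/images"
    # legitimate use: a contact form and the library in its vendor tree
    printf '<?php\n$m = new PHPMailer();\n$m->send();\n' > "$d/www/site1/contact.php"
    printf '<?php\nclass PHPMailer {\n}\n' > "$d/www/site1/vendor/phpmailer/class.phpmailer.php"
    # constructed dropper: hex-escaped name plus base64 that decodes to "PHPMailer"
    printf '<?php\n$f="\\x65\\x76\\x61\\x6c";\neval(base64_decode("UEhQTWFpbGVy"));\n' > "$d/www/site1/wp-content/uploads/.cache.ico"
    # a stray copy of the library in an images directory
    printf '<?php\nclass PHPMailer {\n}\n' > "$d/www/site2/images/class.phpmailer.php"
    echo "$d"
}

# Stand-alone use: ./triage.sh /path/to/message.eml [webroot]
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 1 ]; then
    echo "submitting uid: $(originating_uid "$1")"
    scan_webroot "${2:-$WEBROOT}"
fi
```

Two php.ini directives complement this once the box is known to be sending through PHP's mail(): `mail.add_x_header = On` stamps each message with an `X-PHP-Originating-Script` header naming the uid and script file, and `mail.log = /var/log/php-mail.log` records the script path for every mail() call, so the next report points straight at the file. Both only cover the mail() transport; a script that speaks SMTP to port 25 itself bypasses the local sendmail binary and would not produce the `(Postfix, from userid 33)` header seen in the report.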