Why your site is being Spamvertized – and what to do about it.

You’re running a popular and honest WordPress website and all of a sudden an abuse ticket arrives in your email from your hosting provider. They tell you your website is being “Spamvertized” and they’re receiving complaints.

So what does this mean?

A site being “spamvertized” means that the site is being included as a link in spam emails. The most common reason your site appears in spam emails when you’re not the spammer is that your site has been hacked by someone.

The hacker places a small piece of code somewhere on your site that redirects a user to a different site. They do this because including their own website in emails they send will immediately flag spam detectors. Their site is already a known-bad-site. So they’d rather spamvertize your site to try and get more emails through spam filters.

This works for a while until your website is also associated with spam and they have to move on to another “clean” website that they can spamvertize and that will redirect to their own site.

Once the hacker has sent out enough spam that includes a link to your site (which redirects to their site), your website becomes associated with spam (and blocked by spam filters). This is about the time you find out that your site is being “spamvertized” because your host will receive complaints about emails that include links to your site.

This is one of the main reasons today why WordPress sites are hacked – because spammers need new “clean” sites to spamvertize and redirect to their own sites.

So, what should you do about this?

Firstly, install Wordfence. We do a great job of hardening your site against attacks and preventing hackers from gaining access. Even if they do gain access, Wordfence will alert you that your files have changed and no longer match what is in the official WordPress repository, or that your site contains malicious URLs in your files or in the database.
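The file comparison described above can be sketched as follows. This is an added example, not Wordfence's code: it assumes a manifest mapping each core file's relative path to its MD5, the form in which WordPress.org publishes checksums for a core release, and `audit_core` and the sample tree are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def md5_of(path):
    # MD5 only because that is the format of the published manifest.
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def audit_core(root, manifest, core_dirs=("wp-admin", "wp-includes")):
    """Compare a WordPress tree against a {relative_path: md5} manifest."""
    root = Path(root)
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = root / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif md5_of(target) != expected:
            report["modified"].append(rel)
    # wp-admin and wp-includes should hold core files only, so anything extra
    # there is suspect. wp-content is skipped: plugins, themes and uploads
    # legitimately live there and are not in the core manifest.
    for d in core_dirs:
        for f in (root / d).rglob("*"):
            rel = f.relative_to(root).as_posix()
            if f.is_file() and rel not in manifest:
                report["unexpected"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed tree: one clean file, one with an appended redirect,
    one core file deleted and one file planted among the core files."""
    clean = b"<?php // core file\n"
    digest = hashlib.md5(clean).hexdigest()
    manifest = {"wp-includes/load.php": digest,
                "wp-admin/index.php": digest,
                "wp-admin/about.php": digest}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("wp-includes", "wp-admin"):
            (root / d).mkdir()
        (root / "wp-includes/load.php").write_bytes(clean)
        (root / "wp-admin/index.php").write_bytes(
            clean + b"header('Location: https://spam.example/');\n")
        (root / "wp-includes/cache.php").write_bytes(b"<?php // not core\n")
        return audit_core(root, manifest)

if __name__ == "__main__":
    print(demo())
```

A file reported as modified or unexpected is where to start looking for the injected redirect; a clean report for core says nothing about plugins, themes or the database.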

Today we’ve gone one step further to help deal with sites that are hacked and spamvertized. We have added two premium features that will act as early warning systems if your site is being spamvertized.

The first feature is labeled “Check if this website is being “Spamvertised”” on your Wordfence options page.

This checks your site domain name against several of the largest spam databases. These databases are updated in real-time and are very large and active. If your site domain name is being included in spam emails (spamvertized), this will usually catch it early and will show an issue during a Wordfence scan. If you have Wordfence email alerts set up, you will be emailed as soon as Wordfence detects this.

The next feature is labeled “Check if this website IP is generating spam” on your Wordfence options page.

We detect what the IP address of your WordPress website is and then we check if that IP is a known source of spam or if it’s on one of the lists of IP addresses of known hacked machines on the Net.

If your site has been hacked and is generating spam, as opposed to being spamvertized, then we’ll detect that too. This is an important test because if you’re on a shared host, another customer using the same IP address may be generating a lot of spam from your IP address. The impact is that legitimate customer emails originating from your site are being caught in spam filters and you don’t know why. So this feature is a great way to make sure that your website is running on a clean IP address.
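Both checks can be reproduced by hand with DNS blocklist lookups. The following is an added example, not Wordfence's code: the post does not name the databases it queries, so the two Spamhaus zones are assumptions, and the function names and sample answers are constructed.

```python
import ipaddress
import socket

# Assumed zones for illustration; the post does not name the lists Wordfence queries.
IP_ZONE, DOMAIN_ZONE = "zen.spamhaus.org", "dbl.spamhaus.org"
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error replies
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

def ip_query_name(ip, zone=IP_ZONE):
    """DNSBL convention: reverse the IPv4 octets, then append the list's zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def domain_query_name(domain, zone=DOMAIN_ZONE):
    """Domain lists take the bare hostname in front of the zone."""
    return domain.strip().rstrip(".").lower() + "." + zone

def system_resolver(name):
    """A records for name; [] only on NXDOMAIN, which means 'not listed'."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno in (socket.EAI_NONAME, getattr(socket, "EAI_NODATA", None)):
            return []
        raise  # a timeout or server failure must not be read as "clean"
    return sorted({info[4][0] for info in infos})

def classify(answers):
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "not listed"
    if any(a in ERROR_NET for a in addrs):
        return "query refused"      # e.g. asked through a public resolver
    if all(a in LISTED_NET for a in addrs):
        return "listed"
    return "unreliable answer"      # non-127 reply: hijacked NXDOMAIN or dead list

def check_site(domain, ip, resolver=system_resolver):
    return {"domain": classify(resolver(domain_query_name(domain))),
            "ip": classify(resolver(ip_query_name(ip)))}

# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"10.113.0.203.zen.spamhaus.org": ["127.0.0.4"],
              "hacked.example.dbl.spamhaus.org": ["127.0.1.2"]}

def sample_resolver(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    print(check_site("hacked.example", "203.0.113.10", sample_resolver))
    print(check_site("clean.example", "198.51.100.7", sample_resolver))
```

For a live check, call `check_site` without the third argument from a host that uses its own recursive resolver; a "query refused" result means the list rejected the lookup, not that the site is clean.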

Both these features are in the newest version of Wordfence which has just been released – Wordfence 5.0.9. We’ve also included a new advanced comment spam filter that adds an additional layer of spam filtering to your comment system and runs alongside Akismet and our free comment filter that looks for malware URLs.

So if you’re a premium customer, upgrade now to Wordfence 5.0.9 to get access to these great new features and protect the email reputation of your website. If you’re not already a premium Wordfence customer, you can sign up for Wordfence Premium by visiting this page.

Regards,

Mark Maunder – Wordfence Founder.


Comments

8 Comments
  • Hi Mark,
    Thanks for the post, you guys are wonderful.
    Just some few questions:
    What happens if a site is unintentionally listed on the database?
    Who manages the database?
    Are there other databases?

    • Good question. All the blacklists seem to list spam sources, not the linked sites within spam emails. However, I think it is safe to assume that if someone is spamming and linking to an infection on a hacked website, then the hacked website will be on a database. Usually Google will inform you if your website has been hacked or you can use an online scanner to check.
      One example that I can think of is http://www.avg.com.au/resources/web-page-scanner/

      I don't think that there are any lists or databases that you can actively check, but you can always check the standard blacklists such as http://whatismyipaddress.com/blacklist-check

      I think that the best way to protect yourself is twofold. Firstly, ensure that emails can not easily be sent claiming to be from your domain by setting up SPF headers so that any system checking the authenticity of the email will see that the sender is not authorized to use your domain.
      Secondly, set up antivirus such as clam and set it to update and scan each night. Also look at installing a firewall, antimalware and preventing uploads of certain types of files that could be damaging such as php or images that contain php.

    • Hi Zion,

      If your site is listed, Wordfence provides instructions on what to do about it. The DBs we use are reputable and we don't foresee any problems.

      Regards,

      Mark.

  • I wonder would I get any issues if iThemes Security already runs on a (multisite) WordPress environment and I then add Wordfence? Or shouldn't I?

  • hi
    My site and many other sites I work on have Wordfence installed. Lately we have been inundated with emails saying
    "A user with IP address 101.229.49.160 has been locked out from the signing in or using the password recovery form for the following reason: Used an invalid username 'admin' to try to sign in."

    Often it's not just the user name admin but many other different names.

    My clients are very worried because it keeps happening.

    Is this robots attacking their sites or real humans?
    And what can be done about it?
    Should it be something we worry about?
    Also is there a setting in the free version that can combat this?
    One of my clients' sites is still under construction but she's getting 100s of these emails.

    What can we do please?

    Thanks Jodi

    • Hi Jodi,

      It sounds like you are being protected against attacks as expected. Wordfence is working exactly as designed and is protecting your site as it is supposed to. These alert emails can be disconcerting though, so if they create a sense of paranoia with you or your clients, I'd recommend disabling the alerts. Instead, when you want an update of malicious activity, either view the Wordfence widget on your admin dashboard which gives you a high level overview, or go to the "Live Traffic" page where you can see individual attacks.

      Hope that helps.

      Regards,

      Mark.

  • I keep getting this error:
    [Feb 11 13:04:43]Checking if your site IP is generating spam Problems found.

    But it doesn't give me any additional information, or instructions on how to fix.

    Please help!

    • We strive to provide excellent customer service to both our free and paid customers. We aren't able to do support in our blog comments.

      We do offer product support for the free version of Wordfence and have staff there daily to answer questions. If you have the free version of Wordfence, please use our Wordfence forums here for product support: http://wordpress.org/support/plugin/wordfence.

      If you are a paid customer, please open a ticket on our Premium ticketing system where you can view and track tickets: http://support.wordfence.com

      We look forward to helping you in the appropriate channel.