Pro Sites sending spam?

I reported an issue with Pro Sites in another thread (https://premium.wpmudev.org/forums/topic/strange-behavior-with-pro-sites) but that thread has several issues and I need to isolate one of them. I suspect that Pro Sites is sending spam, or something else is going on.

At least two of my users have reported getting the "Your Pro Sites status has expired" email. They are getting them even though they status cannot expire because in both cases the sites are permanently upgraded.

The email they are getting is this one:

Unfortunately the Pro status for your site Cups of tea with Jackie
(http://nameofdomain.com) has lapsed.

You can renew your Pro Site status here:
?bid=11

If you're having billing problems please contact us for help:
http://mysite.com/contact/

Looking forward to having you back as a valued member!

The creepy thing her is that in the other thread, @aaron reminded me to customize that email for my network and I did. One of my users received that email from her website from the email address of wordpress@nameofdoman.com where the name of the domain was her actual website. Internally, within the Pro Sites settings, that particular email no longer appears that way and is modified. I confirmed by viewing the email's source code that it is indeed coming from my server, but how and why? These sites are not expiring and the email sent doesn't event match with the email template I created in the settings.

So far, only two people have reported this and I'm concerned that other upgraded users are as well, but haven't reported it yet. IN the case above the only action taken by the site owner on her site was to write a post, save as a draft and preview it. I can also confirm that the site's upgrade has not expired and there is nothing in the history log for the site either.

I'm ranking this problem as a rather important one to figure out why Pro Sites is launching these emails. Not only is it just sending the emails, but it is also sending them using the default template - the whole thing makes us look messy and the two who reported it are wondering why my network is sending them spam.

  • Saunt Valerian
    • The Bug Hunter

    As far as calender timing is concerned there no pattern I can see. One was sent on 25 March and the other was sent on 26 March (2 different users, on 2 different subsites - both are permanently upgraded).

    Yes there are other plugins (buddypress, marketpress) but they don't change emails, they send their own. No, I'm not currently using any caching plugins.

    Also note that the one sent on the latest ones that were sent used the default template, not the customized branded template I created, which makes it even more weird - even though I changed the email in the settings, is the default template still stored somewhere in the database or in a PHP file?

  • aecnu
    • WP Unicorn

    Greetings Saunt Valerian,

    Chiming in after reviewing the ticket and the symptoms and all of it sounds to me like possible foul play to include the email address and the missing or more accurately incomplete URL.

    I would try giving Wordfence Security plugin a shot and tell it to check the whole installation to include a malware etc. scan.

    It is free and the upgraded version, though I bought it myself, the paid version is primarily for blocking entire countries and it is really good stuff.

    Please let us know if it finds anything or stops this type of email action.

    Cheers, Joe

  • Aaron
    • CTO

    Ok, does it say in the appropriate log an entry like "Expired email sent to..."?

    Any time that email is sent, it should add a log item. It would also in every case add a "status withdrawn" message to the log.

    If worst comes to worst, you can always disable expire emails with this:
    define('PSTS_NO_EXPIRE_EMAIL', true);

  • Saunt Valerian
    • The Bug Hunter

    No, there is no log entry about it. And it continues to send the default expiration email (the one that you wrote into the plugin). This is even well after I remembered to change it on your advice, which makes me wonder how it is happening. When one actually expires, it should be sending my edited email.

    I actually received on of the emails for my own blog yesterday (again my blog on the network is manually and permanently upgraded).

    I'm going to drop in your define statement and see if that makes a difference. I'm going to monitor this and report back.

  • Jack Kitterhing
    • Code Norris

    Hi there @Saunt Valerian

    I hope that you are well today and sorry for the extreme delay on this one.

    Are you continuing to receive the emails? Or did they stop? Did the define help at all?

    Please advise, I'm happy to assist further :slight_smile: And I'll also ping @Aaron again just to make sure he is aware of this thread still :slight_smile:

    Thank you! Sorry again about the delay.

    Kind Regards
    Jack.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.