After I made GRAV live, my site started sending out thousands of spam emails

I have a site that’s been up 15 years and it’s been going smooth until the other day when I decided to make my GRAV install live. 12 hours after this happened, the system email address started being used by bots/spammers to send thousands of emails from my server and my email address.

What is going on? I change my email address password and I’m talking with support about getting the smtp password changed, but this is insane. What kind of serious problem is there with GRAV that something can use it to send thousands of spam emails?

I’m open to any suggestions, but I’m this close to completely walking away from GRAV and putting my old system back up because something this insecure is just crazy.

Is there any way to track how this could be happening within GRAV? Any logs that I can look at?

The one thing I know is that this is related to GRAV so I’m hoping someone here has some good ideas.

One thing- I just disabled the “email” plugin by selecting “disabled” for the email engine, hopefully that will help.

One thing I want to mention is that the site has no contact form, in fact, it’s about as simple as it gets (I haven’t rebuilt about 90% of the old site, just a couple pages.) How could someone exploit it so easily and so quickly?

i don’t know if it’s related to Grav, i have about 15 Grav site with no issues. I think it’s something related with your server, have you tested if the server is not an Open Relay, or blacklisted. You can check the headers of the mails, run test with mxtoolbox etc

I’ll see about that. However, it is related to GRAV because it started several hours after GRAV went live, and for the 15 years before that, I never had a problem of this nature on any level. Someone’s gotta be accessing internal grav email functions somehow.

What should the email plugin settings be, I mean, I just left them at default, is that secure?

did you turn debug mode on live site ? because it’s not recommended, because everyone can see email settings (password etc), Debug mode only on local


Grav doesn’t really do anything special with email, in fact there’s actually no default emailing at all. do you have any logs regarding the spam emails that might shed some light on it’s origins other than just ‘timing’?

The logs haven’t been helpful. The emails stopped once I disabled the email plugin. I’ll just use something else to handle contact forms.

If you have a form that sends emails you can try the captcha field or even the honeypot field. Those should stop any automated email spam submissions. Again that’s not really a grav thing. Any form that sends an email is going to be targeted the same no matter the platform. Maybe the new form looked a certain way and triggered it for target.

You’re right, it happens that way sometimes, except I haven’t added a contact form yet.

I would really love to find out what’s going on here. If there is a legitimate error, I want to fix it. Can you enable the plugin again and see if things kick off again?

Sorry for the delay in response. I’m reluctant to do anything that might create more problems with my host. I did a lot of digging around and like you, I can’t really see how the grav form/email plugin could cause this issue. I’m beginning to think maybe it was just a horrible coincidence. I’ll enable the plugin again once I get a contact form going on that site and then we’ll see what happens. Thanks for taking the time to discuss this.