
FascistDonut:

Laravel SMTP being hijacked

I have 2 servers. One of them has my Laravel app on it, the other has our exim email service. Laravel sends outgoing emails via smtp through the email server. Somehow, the email account that laravel uses keeps getting used as open SMTP relay to send thousands of spam emails.

None of the other email accounts are ever used to send spam like this. If I change the credentials on the Laravel server (different email account, different password), then the new one is used to send spam again. I use Bitbucket as our git repo and the password credentials are stored in the .env file. If I disable sending on cPanel for that email account, then Laravel is still able to send through the email server because the relay doesn't check the account hold status or process cPanel rules.

I have the outgoing spam monitor set up on the cPanel server and that does show me when it happens, and it will hold the outgoing mail, but then that triggers the max deferments and prevents the entire server from sending mail (which we use for the rest of our business).

At this point I'm at a loss for where to go from here... all I know is that someone is somehow using my laravel (or credentials stored there) to send spam and I can't seem to stop it.

Please help!

Edit: I'm currently on Laravel 5.7.29 due to it being a giant backend for our business that I haven't been able to upgrade past that so far because of dependencies/time limitations.

Update: I have now been able to update to Laravel 5.8.38 (not sure if this has any bearing on the current issue or not)

0 likes
16 replies
fylzero:

@fascistdonut The first two things I would check are to make sure your .env isn't exposed, e.g. by hitting your site URL /.env to see if it is being displayed to the world.

The other thing I would look for is any type of form vulnerability. Like do you have a contact form where you are passing credentials or even just a to email address? Maybe someone is just riding a form exploit?

Check to make sure any forms have throttling enabled.

Start changing your SMTP email credentials more often.

Check Bitbucket and make sure your .env is NOT part of the repo. .env file should be in .gitignore and not added to your repo.

Check to make sure .env.example does not have live credentials in it.

2 likes
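The two .env checks from that list scripted, as an added example that is not part of the thread: one function classifies what a request for /.env returns (a served .env versus an ordinary 404 page), the other reads the APP_DEBUG flag out of a .env file, since with APP_DEBUG=true the Laravel debug error page can render request and environment details. The SECRET_KEYS list, the sample bodies and the sample .env files are constructed assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the thread: scripted checks for a web-served .env
# and for a debug-mode install. Sample inputs below are constructed, and
# SECRET_KEYS is an assumption; extend it with the keys your .env carries.

SECRET_KEYS='APP_KEY|DB_PASSWORD|MAIL_USERNAME|MAIL_PASSWORD|AWS_SECRET_ACCESS_KEY'

# classify_env_body BODY: print LEAK when BODY contains a KEY=VALUE line for
# one of the secret keys (that is what a served .env looks like), else OK.
classify_env_body() {
    if printf '%s\n' "$1" | grep -Eq "^($SECRET_KEYS)="; then
        echo LEAK
    else
        echo OK
    fi
}

# fetch_env_body BASEURL: fetch BASEURL/.env with curl and print the body
# (empty on connection failure). Needs network; not used by the samples.
fetch_env_body() {
    curl -sS -m 10 "${1%/}/.env" 2>/dev/null || true
}

# env_debug_mode FILE: print DEBUG if APP_DEBUG is on in FILE, else PROD.
env_debug_mode() {
    if grep -Eiq '^[[:space:]]*APP_DEBUG[[:space:]]*=[[:space:]]*"?true"?[[:space:]]*$' "$1"; then
        echo DEBUG
    else
        echo PROD
    fi
}

# Constructed samples: a leaked .env body versus a normal 404 page.
SAMPLE_LEAK='APP_NAME=Laravel
APP_ENV=production
MAIL_HOST=mail.example.test
MAIL_USERNAME=app@example.test
MAIL_PASSWORD=hunter2'
SAMPLE_404='<!DOCTYPE html><html><head><title>404 Not Found</title></head></html>'

# Constructed .env files to check the debug flag.
ENV_DEBUG=$(mktemp)
ENV_PROD=$(mktemp)
printf 'APP_ENV=local\nAPP_DEBUG=true\n' > "$ENV_DEBUG"
printf 'APP_ENV=production\nAPP_DEBUG=false\n' > "$ENV_PROD"

echo "served .env body:  $(classify_env_body "$SAMPLE_LEAK")"   # LEAK
echo "ordinary 404 body: $(classify_env_body "$SAMPLE_404")"    # OK
echo "debug .env file:   $(env_debug_mode "$ENV_DEBUG")"        # DEBUG
echo "production .env:   $(env_debug_mode "$ENV_PROD")"         # PROD
# Against a live site: classify_env_body "$(fetch_env_body https://app.example.test)"
rm -f "$ENV_DEBUG" "$ENV_PROD"
```

The grep anchors on `KEY=` at the start of a line, so an HTML 404 page that merely mentions the word "password" is not reported; a 200 response that is really a soft 404 is still classified by its body, not its status code, which is the property you want when probing a site you don't control the error pages of.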
FascistDonut:

@fylzero Thanks for your suggestions. I just verified that the .env file is not available via direct URL. It did have the DEBUG=true flag on it, so I went ahead and removed that and updated the credentials again. The .env.example file is in Bitbucket, but it does not have any credentials in it.

I have updated the credentials 5+ times in the last month or so and it seems like the problem recurs within a week.

I just checked bitbucket and have confirmed that the .env file is not stored there and is on the .gitignore list.

As far as I can tell, there aren't any public facing forms anywhere. The site itself only has the laravel login form. From there, there are a few reports and some of them send the output as emails on the backend, but it isn't anything that gets filled out and sent on the client side... it is more like you click a link, then the route runs on the server and the server sends the result to the distribution list on the backend. We mainly use it as API only - all the front end stuff that gets used by our internal users is all on a standalone vue app that consumes it.

fylzero:

@fascistdonut Having APP_DEBUG set to true could absolutely expose this. That may very well have been where someone was able to exploit credentials. Good luck!

1 like
Marco.sanabria:

I'm facing the same problem. I worked around the problem, and it is a vulnerability related to SMTP, which means it is not related to Laravel. You can check if your port 25 is open and close it; also try to use a firewall to block some requests to your server. And hack yourself: you can look for SMTP crack on the internet and check if your server has vulnerabilities.

1 like
vunadigital:

I am also facing the same problem. I'm looking for a solution. If I find it, I'll post it here.

Snapey:

It's not an SMTP problem with Laravel.

It's a problem with bad installs, and the prize is an open mail server, so if someone can break into your site, the best reward for them is to get your SMTP credentials and send out their junk through your mail server.

Snapey:

@haratmalli It's a problem with poor installation or lack of server security, not a Laravel problem.

AccessTruck:

@haratmalli

For me, it was because we had our environment (.env file) set to debug. Once we switched to production and changed the passwords then it was no longer a problem.

fylzero:

@haratmalli Don't do this please (tagging everyone in a thread for a question that was already answered).

thaonguyenvan90:

I'm using laravel 8.0 and was also hacked to take SMTP information and send SPAM. And I don't know how to handle this problem. Hope everybody help please.

thaonguyenvan90:

@Snapey Thanks for the reminder. I read the topic but didn't see any specific instructions. Just saying it's due to installation, it's not clear what service was installed. I use Amazon Email and SendGrid; both have the problem.

thaonguyenvan90:

@Snapey Thanks, what is the specific installation method here? Can you share more? Does it lie in the libraries I use, or is it some other way. Please give me a specific share. Thank you very much

Snapey:

@thaonguyenvan90 It's about not publishing the whole project to the internet and having the .env file non-accessible from the outside. Set the document root to be the public folder.
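Snapey's document-root point as a scripted check, added here as an example that is not part of the thread: it pulls the document root out of a web server config and decides whether the project's .env (which lives one level above public/) would sit inside the served tree. The two vhost snippets are constructed, and the parsing assumes an nginx `root` or Apache `DocumentRoot` directive and takes the first one it finds.

```shell
#!/bin/sh
# Added example, not from the thread: verify that the web server's document
# root is the Laravel public/ directory, so APPDIR/.env is outside the
# served tree. Assumes nginx "root ..." or Apache "DocumentRoot ..." lines;
# the vhost snippets below are constructed.

# docroot_from_config FILE: print the document root named by the first
# nginx "root" or Apache "DocumentRoot" directive in FILE, or nothing.
docroot_from_config() {
    sed -nE 's/^[[:space:]]*(root|DocumentRoot)[[:space:]]+"?([^";[:space:]]+)"?.*$/\2/p' "$1" | head -n 1
}

# env_outside_docroot DOCROOT APPDIR: print SAFE if APPDIR/.env is not under
# DOCROOT, else EXPOSED. Trailing slashes are stripped so that
# /var/www/app and /var/www/app/ compare the same, and the pattern match
# uses a path-separator boundary, so /var/www/application is not
# mistaken for a parent of /var/www/app.
env_outside_docroot() {
    docroot=${1%/}
    envfile="${2%/}/.env"
    case "$envfile" in
        "$docroot"/*) echo EXPOSED ;;
        *) echo SAFE ;;
    esac
}

# check_vhost FILE APPDIR: combine the two; UNKNOWN if no directive found.
check_vhost() {
    docroot=$(docroot_from_config "$1")
    if [ -z "$docroot" ]; then
        echo UNKNOWN
        return
    fi
    env_outside_docroot "$docroot" "$2"
}

# Constructed vhosts: the whole project served (bad) versus public/ only.
BAD=$(mktemp)
GOOD=$(mktemp)
cat > "$BAD" <<'EOF'
server {
    listen 80;
    server_name app.example.test;
    root /var/www/app;          # whole project served: /.env is one request away
    index index.php;
}
EOF
cat > "$GOOD" <<'EOF'
server {
    listen 80;
    server_name app.example.test;
    root /var/www/app/public;   # only public/ is served; ../.env is unreachable
    index index.php;
    location ~ /\. { deny all; }   # belt and braces: never serve dotfiles
}
EOF

echo "project root as docroot: $(check_vhost "$BAD" /var/www/app)"    # EXPOSED
echo "public/ as docroot:      $(check_vhost "$GOOD" /var/www/app)"   # SAFE
rm -f "$BAD" "$GOOD"
```

On a cPanel host the same question is answered by where the domain's document root points in the account's vhost; if it points at the project root rather than public/, moving it is the fix, and the `location ~ /\.` deny rule in the good snippet is the extra guard for the day someone does put a dotfile under public/.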
