I would suggest to stop httpd. Normally, when I saw something like that on one of my old servers (which I have now displaced and replaced with CentOS 7), the user had found that loop to send. I would enable debug on all outgoing, which is how I found that hole.

It sucks, I know. For Google, that's something more work for reputation.

Ciao

> On 16 Aug 2020, at 09:05, Chas Hockenbarger <[email protected]> wrote:
>
> I'm hoping someone has encountered this weird behavior or something like it before and can point me down a path, because all my research has turned up nothing so far.
>
> I had an email account recently get breached due to a re-used password, and that account was used to send a bunch of spam out from a server I help manage. We changed the password on the account as soon as we found it happening and the outbound flood stopped.
>
> Shortly after that, however, I started seeing a very, very strange behavior. Sometimes, and I haven't yet been able to identify the trigger or pattern, when users on this server send email to a forward that contains around 50 or so email addresses (they use it like a private distribution list), they will get anywhere from 1-10 bounces from Gmail. Not every email sent to the forward has this happen, and not even every email from a particular user.
>
> The outbound spamming caused the server's reputation to go in the tank with Google, and if it weren't for that, I wouldn't know this was happening, because they get the bounces from Gmail accounts that absolutely ARE NOT in the forward or part of the email chain AT ALL.
>
> I'm kind of freaking out here because while I haven't found a breach of the actual server / OS, this feels like someone has been able to inject something somewhere into my server that I simply can't find. It is especially troubling because a user who is not on this domain, but is part of the group and therefore uses the forward from time to time, sent something to the forward today and got Gmail bounces.
>
> I don't see anything in the send log that shows the server even trying to send to Gmail, which only adds to the ghost story.
>
> Any ideas, paths to go down, anything would be greatly appreciated here. I'm about to just rebuild the whole thing from scratch on a new VM, but if I'm overlooking something simple I don't want to put the users through that.
>
> Thanks in advance.
>
> Chas
