On 03/03/2013 04:58 PM, zGreenfelder wrote:
> On Sun, Mar 3, 2013 at 4:37 PM, John R Pierce <pierce at hogranch.com> wrote:
>> On 3/3/2013 1:30 PM, Robert Moskowitz wrote:
>>> Seems I recall that last when I set up my apache server, the spammers
>>> were posting to it so it would send out the spam on port 25. There was
>>> some conf that I did to block this, but I did not document it, and I
>>> can't find any reference to this.
>>
>> a webserver can't send email unless you've got email cgi or forms on/in
>> your webpages
>>
>>
> I have vague (and very distant ~98ish?) memories of apache deployments
> coming with a mail.cgi that was poorly secured and often exploited to
> send out emails, but I think that's long since gone the way of the
> dodo birds. you have to go to some lengths to make webservers
> interact with email servers. if you're really worried about it, you
> should also look into removing/blocking proxy connections:
>
> http://ihazem.wordpress.com/2010/12/08/apache-forward-proxy-relay-security-problem/

That may have been the attack vector way back when. Now the proxy directives come commented out, so supposedly you are supposed to know the risks of running a proxy.