On 7/7/2014 2:47 PM, Ben Johnson wrote: > Thanks, Leonardo and Noel! I really appreciate the prompt replies. > > Leonardo, I see no indication that whomever is sending this mail has > authenticated. And given that local connections are permitted to send > mail without authenticating on this server, I will pursue Noel's > suggested course of action next. > > I'll let you know if I can't find the source... > > Thanks again, > > -Ben
You were right! It was a compromised Joomla site. I was able to spot it almost immediately due to excessive CPU usage. What's disconcerting is that the Joomla site is completely up-to-date, including all extensions, so the vulnerability is either zero-day or with another stack component. But that's here nor there. Thanks again, both of you! -Ben
