apache sending mail with subject “2.2.2.2 not in hosts list”

aye coder <acoder1999@xxxxxxxxx> · Fri, 1 Jul 2016 19:24:52 -0400

I recently updated my server's IP address.  After restarting services,
apache began sending mail (from the apache@xxxxxxxxxxxxxxx) with the
subject "2.2.2.2 not in hosts list". There is no body to the email -
just that subject.

This message is sent once every minute from UID 48 (apache).

System Information:
---------------------------------
[acoder@box ~]# httpd -v
Server version: Apache/2.2.15 (Unix)
Server built:   May 11 2016 19:28:33

[acoder@box ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)

[acoder@box ~]# hostname
box.example.com

[acoder@box ~]# ifconfig
inet addr:2.2.2.2

Example from /var/log/maillog
---------------------------------
Jun 26 08:25:02 box postfix/pickup[13188]: 165881C0232: uid=48 from=<apache>
Jun 26 08:25:02 box postfix/cleanup[18593]: 165881C0232:
message-id=<20160626122502.165881C0232@xxxxxxxxxxxxxxx>
Jun 26 08:25:02 box postfix/qmgr[9276]: 165881C0232:
from=<apache@xxxxxxxxxxxxxxx>, size=1404, nrcpt=1 (queue active)
Jun 26 08:25:02 box postfix/smtp[18777]: 165881C0232:
to=<acoder@xxxxxxxxxxxxxxx>, relay=smtp.example.com[2.2.8.8]:25,
delay=0.25, delays=0.11/0.04/0.02/0.07, dsn=2.0.0, status=sent (250
2.0.0 u5QCP2qp020979 Message accepted for delivery)
Jun 26 08:25:02 box postfix/qmgr[9276]: 165881C0232: removed

from /var/log/httpd/access_log
---------------------------------
2.2.2.2 - - [29/Jun/2016:20:11:01 -0400] "\x16\x03\x01\x01\x11\x01"
501 208 "-" "httpd/unix-directory" "-"
2.2.2.2 - - [29/Jun/2016:20:11:01 -0400] "\x16\x03\x01\x01\x11\x01"
501 208 "-" "httpd/unix-directory" "-"
2.2.2.2 - - [29/Jun/2016:20:12:01 -0400] "\x16\x03\x01\x01\x11\x01"
501 208 "-" "httpd/unix-directory" "-"
2.2.2.2 - - [29/Jun/2016:20:12:01 -0400] "\x16\x03\x01\x01\x11\x01"
501 208 "-" "httpd/unix-directory" "-"
2.2.2.2 - - [29/Jun/2016:20:12:01 -0400] "\x16\x03\x01\x01\x11\x01"
501 208 "-" "httpd/unix-directory" "-"

This server only handles requests over 443. There are no virtualhost
configurations for port 80.

Here's a trimmed down version of my /etc/httpd/conf.d/ssl.conf
---------------------------------

LoadModule ssl_module modules/mod_ssl.so
Listen 443
ServerSignature Off
ServerTokens Prod

# clipped SSL config

<VirtualHost 2.2.2.2:443>

        ServerName box.example.com
        ServerAdmin acoder@xxxxxxxxxxxxxxx
        DocumentRoot /var/www/html/

        TraceEnable off

        Header always append X-Frame-Options DENY
        Header set X-XSS-Protection: "1; mode=block"
        Header set X-Content-Type-Options: nosniff
        Header set X-WebKit-CSP: "default-src 'self'"
        Header set X-Permitted-Cross-Domain-Policies: "master-only"
        Header set Cache-Control "no-cache, no-store, must-revalidate"

        Header set Pragma "no-cache"
        Header set Expires 0

        # clipped SSL config

</VirtualHost>

On a whim I added the machine's IP to /etc/hosts:
------------------------------------------------------------------------------
[acoder@box ~]# vi /etc/hosts
# i
2.2.2.2 box.example.com
# :wq

Restarted the server and ran configtest to make sure:
------------------------------------------------------------------------------
[acoder@box ~]# service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]
[acoder@box ~]# apachectl configtest
Syntax OK

Apache httpd is serving pages as usual.

However, I continue to receive these unusual email notifications every
minute. As above, it is coming from the apache@ account.  If I change
my system's IP back to what it was before, the oddball emails stop.

I've tried rebooting the system to no avail.

I've also tried looking for the subject string on the local filesystem:
-----------------------------------------------------------------------------------------
grep -r "not in hosts list" /etc/
grep -r "not in hosts list" /usr/
grep -r "not in hosts list" /var/

Nothing found.

The only instance of IP 2.2.2.2 is found in
-----------------------------------------------
/etc/sysconfig/network-scripts/em1-cfg
/etc/httpd/conf.d/ssl.conf (copied above)
/etc/httpd/conf.d/vhosts.conf
/etc/hosts

Googling is coming up empty. What would cause the apache account to
send out these vague messages?

Thanks,
JA

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx