@Gargron Often are outgoing mails from the attacked server unhiding the original ip adress of the server in the header of the mail. e.G. password reset mails or welcome mails and so on. so configuring your mailserver not to unhide the server ip is helpful, too.