
Identifying malicious mail scripts on FreeBSD

This article will help you identify possible spam scripts that may be causing unwanted outbound mail, which could cause your server's IP address to be blacklisted. There are many different ways a script may get onto the server; here I will provide several tools and methods to help identify such scripts.


PHP scripts are commonly used as a spam source, especially in a FAMP/LAMP (FreeBSD/Linux, Apache, MySQL, PHP) stack.


To begin, we will enable the PHP X-Script mail header in php.ini:

In this example our php.ini is located in /usr/local/lib:

  • echo "mail.add_x_header = On" >> /usr/local/lib/php.ini

With this setting, PHP adds the following header to every message it sends:

  • X-PHP-Script: 45.php


Using this information we can run a find for this script and save the results to a file to review after the search has completed:
  • find / -iname "45.php" > scripts.txt


Locate processes that currently hold an open SMTP connection using the lsof command:
  • lsof -i | grep smtp
Here is example output:
  • httpd     33213       [user-www]   13u  IPv4 0xffffff02cd939888      0t0  TCP example.com:60197->x.x.x.x:smtp (ESTABLISHED)

The output above shows a current SMTP connection established by an httpd process, which indicates this was some web form or script. The process owner column (here shown as a placeholder, [user-www]) helps identify which user the script originated from.


To view PHP X-Script headers in your mail queue:

Postfix:

Check your mail queue on postfix:
  • postqueue -p
    • output: 5893811A2A5     3729 Mon Mar 30 21:12:08  MAILER-DAEMON
Inspect an email in your queue by its queue ID:
  • postcat -q [email id]
  • example: postcat -q 5893811A2A5

Qmail:

Go to your qmail mess directory:
  • cd /var/qmail/queue/mess
Search for X-PHP-Script headers and count how often each script appears:
  • find ./ -type f | xargs grep "X-PHP-Script" | awk '{print $2}' | sort | uniq -c | sort -rn
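The header tally above, wrapped into reusable shell functions as an added example (this is not the article's own script). It assumes a queue laid out as one plain-text message per file, as in qmail's mess directory, builds a small constructed sample queue to run against, and also matches the X-PHP-Originating-Script header that newer PHP versions emit alongside or instead of X-PHP-Script.

```shell
#!/bin/sh
# Tally PHP script headers across a mail queue directory (added example).
# Assumption: one queued message per file under the given directory (qmail mess/ layout).

# Build a small constructed sample queue under $1: three PHP-originated messages, one normal.
make_sample_queue() {
    dir="$1"
    mkdir -p "$dir/1" "$dir/2"
    printf 'Received: from localhost\nX-PHP-Script: 45.php\nSubject: hi\n\nbody\n' > "$dir/1/1001"
    printf 'X-PHP-Script: 45.php\nSubject: hi again\n\nbody\n' > "$dir/1/1002"
    printf 'X-PHP-Originating-Script: 80:/usr/local/www/x.php\nSubject: x\n\nbody\n' > "$dir/2/2001"
    printf 'From: admin@example.com\nSubject: report\n\nno php header here\n' > "$dir/2/2002"
}

# Print "count script" lines, most frequent script first.
# Matches both X-PHP-Script: and X-PHP-Originating-Script: header lines.
count_php_scripts() {
    grep -rhE '^X-PHP-(Originating-)?Script:' "$1" 2>/dev/null \
        | awk '{print $NF}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# Return only the most frequent script name, ready to feed to find(1).
top_php_script() {
    count_php_scripts "$1" | head -n 1 | awk '{print $2}'
}
```

Run count_php_scripts /var/qmail/queue/mess on a live system; the sample queue only exists to show the expected output shape.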


In conclusion, these are just a few of the commands and tools that I use on a daily basis to start identifying possible email spam issues, and I hope they come in handy when diagnosing your own server.
