Email FreeBSD Security Tips and Tricks

Identifying malicious mail scripts on FreeBSD

This article will help you identify possible spam scripts that may be generating unwanted outbound mail, which could cause your server's IP address to be blacklisted. There are many ways a script can get onto a server; I will cover several tools and methods to help identify such scripts.

PHP scripts are commonly used as a spam source, especially in a FAMP/LAMP (FreeBSD/Linux, Apache, MySQL, PHP) stack.

To begin, enable PHP's mail X-header (mail.add_x_header) in php.ini:

In this example our php.ini is located in /usr/local/lib:

  • echo "mail.add_x_header = On" >> /usr/local/lib/php.ini

This adds a header like the following to each message PHP sends:

  • X-PHP-Script: 45.php

Using this information we can run a find for the script and save the results to a file to review after the search completes:
  • find / -iname "45.php" > scripts.txt

Locate scripts that currently have an SMTP connection open using the lsof command:
  • lsof -i | grep smtp
Here is example output:
  • httpd     33213       [user-www]   13u  IPv4 0xffffff02cd939888      0t0  TCP example.com:60197->x.x.x.x:smtp (ESTABLISHED)

The output above shows an SMTP connection currently established by an httpd process, which indicates it came from a web form or script. The user column in this output helps identify which user the script originated from.

To view X-PHP-Script headers in your mail queue:

Postfix:

Check your mail queue on Postfix:
  • postqueue -p
    • output: 5893811A2A5     3729 Mon Mar 30 21:12:08  MAILER-DAEMON
Inspect an email in your queue by its queue ID:
  • postcat -q [queue id]
  • example: postcat -q 5893811A2A5

Qmail:

Go to your qmail mess directory:
  • cd /var/qmail/queue/mess
Search for X-PHP-Script headers and count how many queued messages each script produced:
  • find ./ -type f | xargs grep "X-PHP-Script" | awk '{print $2}' | sort | uniq -c | sort -rn
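The steps above (queue tally, then locating the script on disk) tied together in one script, as an added example that is not code from the original article. The sample queue and document root are constructed here; the handling of the "for <ip>" suffix assumes PHP's full X-PHP-Script header format.

```shell
#!/bin/sh
# Added example, not code from the original article. Tallies X-PHP-Script
# headers across a directory of queued messages (qmail: /var/qmail/queue/mess;
# Postfix: save "postcat -q ID" output to files first) and then locates the
# top sender on disk. Handles both the short header shown above and PHP's
# full form "X-PHP-Script: host/path/script.php for 203.0.113.5".

# count_php_scripts DIR -> "<count> <script>" lines, most frequent first
count_php_scripts() {
    find "$1" -type f -exec grep -h -i '^X-PHP-Script:' {} + \
        | sed -e 's/^[^:]*:[[:space:]]*//' \
              -e 's/[[:space:]]\{1,\}for[[:space:]].*$//' \
        | sort | uniq -c | sort -rn \
        | awk '{ n = $1; sub(/^ *[0-9]+ +/, ""); print n, $0 }'
}

# top_script DIR -> the script that sent the most queued mail
top_script() {
    count_php_scripts "$1" | head -n 1 | cut -d' ' -f2-
}

# find_script_on_disk ROOT SCRIPT -> matching files under ROOT (by basename,
# case-insensitive, like the "find / -iname" step above)
find_script_on_disk() {
    find "$1" -type f -iname "$(basename "$2")"
}

# make_sample_queue DIR: constructed sample messages, not real queue data:
# two sent by 45.php, one by a legitimate contact form, one not from PHP
make_sample_queue() {
    mkdir -p "$1"
    printf 'Received: from localhost\nX-PHP-Script: example.com/tmp/45.php for 203.0.113.5\nTo: a@example.net\n\nbuy now\n' > "$1/msg1"
    printf 'X-PHP-Script: example.com/tmp/45.php for 203.0.113.9\nTo: b@example.net\n\nbuy now\n' > "$1/msg2"
    printf 'X-PHP-Script: example.com/contact.php for 198.51.100.2\nTo: sales@example.com\n\nhello\n' > "$1/msg3"
    printf 'From: cron@example.com\nTo: root\n\nnightly report\n' > "$1/msg4"
}

# Stand-alone demo against the constructed queue and a fake document root
demo() {
    q=$(mktemp -d); root=$(mktemp -d)
    make_sample_queue "$q"
    mkdir -p "$root/tmp" && : > "$root/tmp/45.php"
    count_php_scripts "$q"                            # 2 example.com/tmp/45.php ...
    find_script_on_disk "$root" "$(top_script "$q")"  # .../tmp/45.php
    rm -rf "$q" "$root"
}
demo
```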


In conclusion, these are just a few of the commands and tools I use daily to begin identifying possible email spam issues, and I hope they come in handy when diagnosing your server.
