
Identifying malicious mail scripts on FreeBSD

This article will help you identify spam scripts that are generating unwanted outbound mail, which can get your server's IP address blacklisted. There are many ways a script can end up on a server; this article covers several tools and methods for tracking such scripts down once they are sending.

 

PHP scripts are a common spam source, especially in a FAMP/LAMP (FreeBSD/Linux, Apache, MySQL, PHP) stack, because a single writable upload directory or an outdated web application is enough to get one onto the server.

 

To begin, enable PHP's mail header in php.ini so that every message sent through the PHP mail() function records which script sent it:

In this example our php.ini is located in /usr/local/lib (on a stock FreeBSD PHP port it is normally /usr/local/etc/php.ini; phpinfo() shows the file the web server's PHP is actually loading):

  • echo 'mail.add_x_header = On' >> /usr/local/lib/php.ini

Restart Apache (or php-fpm) afterwards, since the setting is read at startup. From then on mail sent by PHP carries a header like the following:

  • X-PHP-Script: 45.php

Note that stock PHP writes this header as X-PHP-Originating-Script: <uid>:<filename>, where the number is the UID of the script's owner, followed by the script file name. The shorter X-PHP-Script form shown above comes from third-party mail-header patches shipped with some hosting builds of PHP. When searching headers, look for both names.

 

Using the file name from the header, run find for the script and save the results to a file to review after the search has completed (if the header also carried a UID, that tells you which account owns the script and narrows the search to that user's files):
  • find / -iname '45.php' > scripts.txt

 

Locate processes that currently have an SMTP connection open, using the lsof command (lsof is installed from ports; the base system's sockstat(1) gives similar information):
  • lsof -i | grep smtp
Here is example output:
  • httpd     33213       [user-www]   13u  IPv4 0xffffff02cd939888      0t0  TCP example.com:60197->x.x.x.x:smtp (ESTABLISHED)

The output above shows an SMTP connection established by an httpd process (PID 33213) running as the web server user, which indicates that a web form or script is sending mail directly rather than through the local MTA. The PID and user tell you which account the mail originates from; the mail headers or the queue then identify the script itself.

 

To find PHP scripts referenced in your mail queue:

Postfix:

List the queue:
  • postqueue -p
    • output: 5893811A2A5     3729 Mon Mar 30 21:12:08  MAILER-DAEMON
A queue full of MAILER-DAEMON entries (bounces) is itself a warning sign, since it usually means a spam run was sent to addresses that do not exist.
Inspect an individual message in the queue by its queue ID:
  • postcat -q [queue id]
  • example: postcat -q 5893811A2A5

Qmail:

Go to your qmail mess directory, where queued messages are stored as files:
  •  cd /var/qmail/queue/mess
Search for X-PHP-Script headers and count how many queued messages each script is responsible for:
  • find ./ -type f | xargs grep "X-PHP-Script" | awk '{print $2}' | sort | uniq -c | sort -rn
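The Postfix and qmail checks above both come down to the same question: which script is behind most of the queued mail? The following is an added example, not part of the original article. It is a POSIX sh function that reads mail headers on standard input and tallies messages per originating script, accepting both the stock X-PHP-Originating-Script: <uid>:<file> form and the X-PHP-Script form shown earlier. The sample headers are constructed for the example. The two feeder functions at the end assume the stock postqueue/postcat tools and the default /var/qmail/queue/mess directory; they are shown for use on a live server and are not run here.

```sh
#!/bin/sh
# Added example (not from the original article): tally which PHP scripts
# are behind the messages in a mail queue, working from their headers.
#
# Stock PHP (mail.add_x_header = On) writes:
#   X-PHP-Originating-Script: <uid>:<file>
# Some hosting mail-header patches write instead:
#   X-PHP-Script: <host>/<path> for <remote-ip>
# count_php_scripts accepts either, reading headers on stdin and printing
# "<count> <script>" lines, most frequent first.
count_php_scripts() {
    awk '
        tolower($1) == "x-php-originating-script:" {
            s = $2; sub(/^[0-9]+:/, "", s); n[s]++   # drop the "<uid>:" prefix
        }
        tolower($1) == "x-php-script:" { n[$2]++ }    # path only; "for <ip>" is ignored
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Constructed sample: headers from five queued messages (not real data).
sample_headers() {
    cat <<'EOF'
Received: from localhost (localhost [127.0.0.1])
X-PHP-Originating-Script: 80:45.php
Subject: Re: your account
X-PHP-Originating-Script: 80:45.php
Subject: Urgent notice
x-php-originating-script: 80:45.php
Subject: Contact form submission
X-PHP-Originating-Script: 1001:contact.php
Subject: Contact form submission
X-PHP-Script: example.com/forms/contact.php for 203.0.113.7
EOF
}

# Live feeders (assume stock tools and paths; not exercised by the sample run).
# Postfix: postqueue -p prints the queue ID first, optionally suffixed with
# * (active) or ! (held); postcat -qh prints only the headers of that message.
postfix_php_scripts() {
    postqueue -p | awk '/^[0-9A-F]+[*!]?[ \t]/ { sub(/[*!]$/, "", $1); print $1 }' |
        while read -r id; do postcat -qh "$id"; done | count_php_scripts
}
# qmail: every queued message is a file under the mess/ directory.
qmail_php_scripts() {
    find /var/qmail/queue/mess -type f -exec cat {} + | count_php_scripts
}

# Sample run over the constructed headers; the first line is "3 45.php".
sample_headers | count_php_scripts
```

The script that tops the list is the one to locate with find and read; a legitimate contact form will usually show a handful of messages, while a dropped spam script shows hundreds. Because the stock header only records the file name, two different directories containing a file of the same name are counted together, so always confirm the hit against the UID and the find results before removing anything.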

 

In conclusion, these are just a few of the commands and tools I use on a daily basis to start identifying possible email spam issues, and I hope they come in handy when diagnosing your own server.
