
Identifying malicious mail scripts on FreeBSD

This article will help you identify possible spam scripts that may be generating unwanted outbound mail, which could cause your server's IP address to be blacklisted. There are many ways a script can end up on a server; here I will cover several tools and methods for identifying such scripts.


PHP scripts are a common spam source, especially in a FAMP/LAMP (FreeBSD/Linux, Apache, MySQL, PHP) stack.


To begin, enable the PHP X-Script mail header in php.ini:

In this example our php.ini is located in /usr/local/lib

  • echo "mail.add_x_header = On" >> /usr/local/lib/php.ini

This adds a header like the following to every message sent through PHP's mail() function:

  • X-PHP-Script: 45.php


Using this information we can run a find for the script and save the results to a file to review after the search has completed:
  • find / -iname "45.php" > scripts.txt


Locate processes that are currently sending mail by listing open SMTP connections with lsof:
  • lsof -i | grep smtp
Here is example output:
  • httpd     33213       [user-www]   13u  IPv4 0xffffff02cd939888      0t0  TCP example.com:60197->x.x.x.x:smtp (ESTABLISHED)

The output above shows an SMTP connection currently established by an httpd process, which indicates the mail was sent by a web form or script. The user column of this output also identifies which user the script ran as.


To view PHP X-Script headers in your mail queue:

Postfix:

List the messages in your Postfix queue:
  • postqueue -p
    • example output: 5893811A2A5     3729 Mon Mar 30 21:12:08  MAILER-DAEMON
Inspect a queued message by its queue ID and look for the X-PHP-Script header:
  • postcat -q [queue id]
  • example: postcat -q 5893811A2A5

Qmail:

Go to your qmail mess directory:
  •  cd /var/qmail/queue/mess
Search for X-PHP-Scripts:
  • find ./ -type f | xargs grep "X-PHP-Script" | awk '{print $2}' | sort | uniq -c | sort -rn
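The grep above matches anywhere in a queued file, so a message whose body merely quotes the header is counted too. As an added example (not part of the original article), this script tallies only genuine header lines for each message file under a queue directory such as /var/qmail/queue/mess; the sample messages it builds are constructed.

```shell
#!/bin/sh
# Added example (not part of the original article): tally X-PHP-Script headers
# across queued message files, reading only each message's header block so a
# header quoted in a message body is not counted.
# Assumes the queue holds plain message files, as /var/qmail/queue/mess does;
# the sample messages below are constructed.

# Print "count script" lines, most frequent first, for all messages under $1.
count_xphp_scripts() {
    find "$1" -type f -print | while IFS= read -r f; do
        # Stop at the first blank line (end of headers); print the header value.
        awk '/^$/ { exit } /^X-PHP-Script:/ { print $2 }' "$f"
    done | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Constructed sample queue: two messages sent by 45.php, one by form.php and
# one legitimate reply whose body merely quotes the header.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'X-PHP-Script: 45.php\nFrom: www@example.com\nSubject: hi\n\nbuy now\n' > "$SAMPLE_DIR/msg1"
printf 'Received: from localhost\nX-PHP-Script: 45.php\nSubject: hi\n\nbuy now\n' > "$SAMPLE_DIR/msg2"
printf 'X-PHP-Script: form.php\nFrom: www@example.com\nSubject: contact\n\nhello\n' > "$SAMPLE_DIR/msg3"
printf 'From: admin@example.com\nSubject: re: spam\n\nI saw X-PHP-Script: 45.php in the headers\n' > "$SAMPLE_DIR/msg4"

# Prints "2 45.php" then "1 form.php"; msg4 is not counted.
count_xphp_scripts "$SAMPLE_DIR"
```

Point the function at the real queue directory instead of the constructed one to rank the scripts behind the messages currently waiting to be delivered.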


In conclusion, these are just a few of the commands and tools I use on a daily basis to start identifying possible spam-related mail issues, and I hope they come in handy when diagnosing your own server.
