Email FreeBSD Security Tips and Tricks

Identifying malicious mail scripts on FreeBSD

This article will help you identify possible spam scripts that may be generating unwanted outbound mail, which could get your server's IP address blacklisted. There are many ways a script can end up on a server; here I will cover several tools and methods that help identify such scripts.


PHP scripts are a commonplace spam source, especially in a FAMP/LAMP (FreeBSD/Linux, Apache, MySQL, PHP) stack.


To begin, we will enable the PHP mail X-header in php.ini, so that every message sent through PHP's mail() function carries the name of the originating script:

In this example our php.ini is located in /usr/local/lib:

  • echo "mail.add_x_header = On" >> /usr/local/lib/php.ini

Once the web server has been restarted so that the new setting is loaded, this will add the following header to mail sent from PHP:

  • X-PHP-Script: 45.php


Using this information we can run a find for this script and save the results to a file to review after the search has completed:
  • find / -iname "45.php" > scripts.txt


Locate processes that currently have an SMTP connection open using the lsof command:
  • lsof -i | grep smtp
Here is example output:
  • httpd     33213       [user-www]   13u  IPv4 0xffffff02cd939888      0t0  TCP example.com:60197->x.x.x.x:smtp (ESTABLISHED)

The output above shows a current SMTP connection established by an httpd process, which indicates this was some web form or script. This output helped me identify which user the script originated from.


To view X-PHP-Script headers in your mail queue:

Postfix:

Check your mail queue on Postfix:
  • postqueue -p
    • output: 5893811A2A5     3729 Mon Mar 30 21:12:08  MAILER-DAEMON
Check an email in your queue by its queue ID:
  • postcat -q [queue id]
  • example: postcat -q 5893811A2A5

Qmail:

Go to your qmail mess directory:
  • cd /var/qmail/queue/mess
Search for X-PHP-Script headers and count the hits per script, most frequent first:
  • find ./ -type f | xargs grep "X-PHP-Script" | awk '{print $2}' | sort | uniq -c | sort -rn
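The pipeline above works on a live queue; as an added example (not part of the original article) the script below wraps the same counting logic in a function and runs it against a small constructed queue directory, so you can check the approach offline before pointing it at /var/qmail/queue/mess or at saved postcat output. It goes slightly beyond the one-liner: it only inspects the header section of each message (so a script name appearing in a body cannot spoof a hit), and it matches both the X-PHP-Script header shown above and the X-PHP-Originating-Script header name that stock PHP emits for mail.add_x_header. The sample messages, their queue IDs and the script names in them are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes POSIX sh plus
# find/awk/sort/uniq, all present in the FreeBSD base system.

# Build a constructed sample queue: three PHP-originated messages and one
# ordinary message. Prints the directory path so the caller can clean up.
make_sample_queue() {
    dir=$(mktemp -d)
    printf 'Received: from localhost\nX-PHP-Script: example.com/45.php for 203.0.113.5\nSubject: hello\n\nbody\n' > "$dir/1001"
    printf 'X-PHP-Script: example.com/45.php for 203.0.113.5\nSubject: hi\n\nbody\n' > "$dir/1002"
    printf 'X-PHP-Originating-Script: 80:contact.php\nSubject: form\n\nbody X-PHP-Script: fake.php\n' > "$dir/1003"
    printf 'From: legit@example.com\nSubject: normal\n\nbody\n' > "$dir/1004"
    printf '%s\n' "$dir"
}

# Count PHP script headers across every queued message under $1.
# awk exits at the first blank line, so only real headers are considered;
# $2 of the header line is the script name. Output: "<count> <script>",
# most frequent script first, with uniq's leading padding normalised away.
count_php_scripts() {
    qdir=$1
    find "$qdir" -type f | while read -r f; do
        awk '/^$/ {exit} /^X-PHP-(Originating-)?Script:/ {print $2}' "$f"
    done | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Stand-alone usage: create the sample queue, report, clean up.
if [ "${1:-}" = "demo" ]; then
    q=$(make_sample_queue)
    count_php_scripts "$q"
    rm -rf "$q"
fi
```

Run it with `sh count_php_scripts.sh demo` to see the tally for the constructed queue; against a real system, call `count_php_scripts /var/qmail/queue/mess` instead. Each line of the report names a script that is worth locating with the find command from earlier in the article.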


In conclusion, these are just a few commands and tools that I use on a daily basis to start identifying possible email spam related issues, and I hope they will come in handy for your diagnosis of your server.
