Find php scripts that use mail() function to spam in your Linux server
Every shared web hosting provider runs into this issue at least monthly: a customer experiments with, or leaves unattended, a PHP script that is either written for testing purposes or serves the contact / feedback page of their website, and that accepts HTTP GET or POST data as input for PHP's mail() function.
The worst case is when the TO field (destination) of the mail() function is taken directly from user input.
Hardening LAMP server security to help spam prevention:
- Hardcode the recipient and the other headers, like the subject and "additional_headers" (4th argument of mail(), see the PHP mail() manual page), into the script whenever possible, as in the example provided here.
- If the recipient(s) need to be entered by the script visitor, make sure a captcha system "assists" the user, or at least a token system (a server-issued token placed in a hidden HTML field and checked against the value sent back in the HTTP POST).
- Make sure your php.ini configuration enables the "X-PHP-Originating-Script" mail header, so every message carries the name of the PHP script that sent it, for easy troubleshooting.
- Make sure your php.ini configuration enables logging of every use of the mail() function.
- Make sure you have a cron script that regularly searches for PHP files containing the "mail" keyword, and monitor which scripts appear over time.
PHP script using the mail() function - example:
Code:
andrei@vpsie# cat mail-script.php
<?php
mail ('andrei@domainone.com', 'Test spam subject','Test spam mail');
?>
The space between "mail" and the bracket is intentional.
Finding PHP files using the mail function:
The Linux "find" command below is just an example of a reasonably accurate search over a specific directory (usually the directory holding the web server's PHP scripts). It copes with file names containing spaces (-print0 / xargs -0), matches files ending in ".php" case-insensitively, and reports those containing the whole word "mail" (so "email" or "_mail" are excluded by grep -w) followed by zero or more spaces and an opening bracket, i.e. "mail(" or "mail (".
Code:
andrei@vpsie# find /var/www/ -iname "*.php" -print0 | xargs -0 grep -lw 'mail\ *('
./mail-script.php
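A cron-friendly version of that search, added here as an example (it is not from the original post): it wraps the same find/grep pattern in a shell function, keeps a baseline of the scripts already known to call mail() and prints only the ones that have appeared since the last run, which is the "monitor which scripts appear" step from the hardening list above. The web root and baseline paths are assumptions; adjust them for your server.

```shell
#!/bin/sh
# Added example (not from the original post): periodic audit of PHP files that
# call mail(), with a baseline so only newly appearing scripts are reported.
# The web root and baseline paths are assumed; adjust them for your server.

# List every *.php file under $1 containing the whole word "mail" followed by
# zero or more spaces and "(" -- the same pattern as the find/grep command
# above. -print0/xargs -0 keeps file names with spaces intact; -r stops xargs
# from running grep with no arguments when nothing is found. Output is sorted
# so it can be compared against the baseline with comm.
list_mail_scripts() {
    webroot="$1"
    find "$webroot" -type f -iname '*.php' -print0 \
        | xargs -0 -r grep -lw 'mail\ *(' 2>/dev/null \
        | sort
}

# Compare the current list against a baseline file and print the scripts that
# are new. On the first run the baseline is created and nothing is reported;
# afterwards the baseline is refreshed so each script is reported once.
report_new_mail_scripts() {
    webroot="$1"
    baseline="$2"
    current=$(mktemp)
    list_mail_scripts "$webroot" > "$current"
    if [ ! -f "$baseline" ]; then
        cp "$current" "$baseline"
        rm -f "$current"
        return 0
    fi
    # comm -13: lines present only in the second file, i.e. not in the baseline
    comm -13 "$baseline" "$current"
    cp "$current" "$baseline"
    rm -f "$current"
}

# Example cron entry (assumed paths), sending new hits to syslog every 30 min:
#   */30 * * * * /usr/local/sbin/mail-audit.sh /var/www /var/lib/mail-audit/baseline.txt | logger -t mail-audit
if [ -n "$1" ]; then
    report_new_mail_scripts "$1" "${2:-/var/lib/mail-audit/baseline.txt}"
fi
```

The baseline file should live outside the web root and be writable only by the account running the cron job, otherwise a script owner could "pre-approve" their own upload.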
Before going to the php.ini settings that will help in troubleshooting spam sent from your server, it's best to first go over the PHP runtime configuration page.
Adding mail sending script information in mime header:
Open your server's php.ini configuration file and find the line for "add_x_header" and change it as below:
Code:
mail.add_x_header = On
Enable php to log information about each email sent via a php script:
Again, in your php.ini file add/change the following line as below:
Code:
mail.log = /var/log/php-mail.log
Next, restart the PHP daemon (or try a kill -HUP <PID>) and let's look at the outcome:
Mails sent from the mail-script.php script have the following line in their header (the number before the colon is the UID of the script's owner):
Code:
X-PHP-Originating-Script: 0:mail-script.php
As the manual states, the PHP log file contains the absolute path to the script (with the line number), the recipient and the additional headers (none in my script's case).
Code:
mail() on [/var/www/domainone.com/public_html/mail-script.php:2]: To: andrei@domainone.com -- Headers:
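Once mail.log is populated, the noisiest script stands out quickly. The following shell snippet is an added example (not the original author's code) that counts log lines per originating script and lists those at or above a threshold; the sample log lines are constructed to match the format shown above, with made-up domains, paths and addresses.

```shell
#!/bin/sh
# Added example (not from the original post): summarise the PHP mail.log by
# originating script. Reads log lines in the format shown above, e.g.
#   mail() on [/path/to/script.php:LINE]: To: addr -- Headers: ...

# Count mail() calls per script path. Reads log lines on stdin and prints
# "<count> <script-path>", highest count first.
count_mail_by_script() {
    # Keep only the path between "mail() on [" and ":<line>]:" (BRE, so the
    # greedy .* backtracks to the last ":<digits>]:" on the line).
    sed -n 's/^mail() on \[\(.*\):[0-9][0-9]*]:.*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Print the paths of scripts whose call count is >= $1.
scripts_over_threshold() {
    count_mail_by_script | awk -v t="$1" '$1 >= t { sub(/^[0-9]+ /, ""); print }'
}

# Constructed sample log lines standing in for /var/log/php-mail.log
# (the real file is whatever mail.log points at in php.ini).
SAMPLE_LOG='mail() on [/var/www/domainone.com/public_html/mail-script.php:2]: To: andrei@domainone.com -- Headers:
mail() on [/var/www/domaintwo.com/public_html/uploads/form.php:15]: To: victim1@example.com -- Headers: From: shop@example.com
mail() on [/var/www/domaintwo.com/public_html/uploads/form.php:15]: To: victim2@example.com -- Headers: From: shop@example.com
mail() on [/var/www/domaintwo.com/public_html/uploads/form.php:15]: To: victim3@example.com -- Headers: From: shop@example.com
mail() on [/var/www/domainone.com/public_html/contact.php:40]: To: owner@domainone.com -- Headers: From: visitor@example.net'

# Stand-alone usage: print every script with at least 2 calls in the sample.
# On a real server: scripts_over_threshold 200 < /var/log/php-mail.log
printf '%s\n' "$SAMPLE_LOG" | scripts_over_threshold 2
```

Pair it with logrotate on the mail.log file, otherwise counts accumulate forever and a threshold stops meaning "per day".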