Tag Archives: mail

Postfix – blacklist domain

Few notes about how to block a specific domain to send out emails


Compromised Email troubleshooting notes

Here some notes about how to troubleshoot a server that got compromised by a php script.

Check email queue

  • Qmail -> qmHandle
  • Postfix -> pmHandle / postqueue

Get some email IDs

Check for X-PHP header in the mail message
Look for the UID and script that sent the message

Find the script and UID

=> permissions issue??

Move away the file(s) and chown 000
!! if the file starts with – , you need to user chown — 000 filename

Disable execution php following this how to

Delete all the messages containing that header

Extra notes:

Check the queue:

See the content of a message:

Check for “X-PHP-Originating-Script” header, which generally gives you the name of the script that generate the email

If they are sent to a specific domain, you can block some domains in Postfix following this guide