Hello everybody!
As a webhost that offers PHP-support for hundreds of customers, I have a
concern.
The mail()-function is too easy to use for sending spam and even worse -
it is (sometimes) almost impossible to trace the sender-account.
I've been looking into the source code and one very easy but yet powerful
solution to trace spam would be to force a reference into the header.
As each vhost has its own config, a PHP-setting "mail.reference" would be
enough.
This would be of great value for all webhosts out there and since we all
want to limit spam on internet, why not include this?
You can find some (not tested) sample code below.
I hope you understand what I mean.
This is my first post here and I'm not familiar with the PHP source code.
// Kristoffer Hultenius
Original code:

    fprintf(sendmail, "To: %s\n", to);
    fprintf(sendmail, "Subject: %s\n", subject);
    if (headers != NULL) {
        fprintf(sendmail, "%s\n", headers);
    }
    fprintf(sendmail, "\n%s\n", message);
    ret = pclose(sendmail);

New code:

    /* per-vhost value set by the administrator */
    char *reference = INI_STR("mail.reference");
    fprintf(sendmail, "To: %s\n", to);
    fprintf(sendmail, "Subject: %s\n", subject);
    /* skip the header when the setting is unset or empty */
    if (reference && *reference) {
        fprintf(sendmail, "X-PHP-REFERENCE: %s\n", reference);
    }
    if (headers != NULL) {
        fprintf(sendmail, "%s\n", headers);
    }
    fprintf(sendmail, "\n%s\n", message);
    ret = pclose(sendmail);

Kristoffer Hultenius wrote:
Hello everybody!
As a webhost that offers PHP-support for hundreds of customers, I have a
concern.
The mail()-function is too easy to use for sending spam and even worse -
it is (sometimes) almost impossible to trace the sender-account.

You can solve this (mostly) in admin-space by setting the sendmail_path,
creatively, in php.ini.
For example, I can send mail with this:
    sean@sarcasm:~$ php -d "sendmail_path=/home/sean/bin/mailwrap uniquehosthere" -r 'mail("sean", "subject", "message body here");'
Here's /home/sean/bin/mailwrap:
    (echo "X-host-tag: $1" ; cat -) | /usr/sbin/sendmail -t -i
And here's the resulting mail:
From sean@sarcasm Mon Feb 19 11:54:22 2007
X-Original-To: sean
X-host-tag: uniquehosthere
To: sean@sarcasm
Subject: subject
Date: Mon, 19 Feb 2007 11:54:22 -0500 (EST)
From: sean@sarcasm (Sean)
message body here
... I'm not shooting down your idea, but there is a way to solve this
right away. (Perhaps I'm missing something obvious, but I don't see an
obvious way to get around this tag in userspace.) The sendmail_path
value could be set with php_admin_value in your VirtualHost config.
S
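
A stricter variant of the mailwrap wrapper described above, as an added example that is not part of the original thread or of PHP itself. The header name X-host-tag comes from Sean's message; the names valid_tag, tag_message and SENDMAIL, the allowed tag characters and the 64-character limit are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. Per-vhost use (Apache + mod_php):
#   php_admin_value sendmail_path "/home/sean/bin/mailwrap uniquehosthere"
# valid_tag, tag_message and SENDMAIL are names assumed for this sketch.

SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}

# Accept only a short token, so the tag can never carry a newline or
# extra header text into the message.
valid_tag() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    [ "${#1}" -le 64 ]
}

# Read a message on stdin and write it to stdout with the admin-set tag as
# the first header. Any X-host-tag header already in the header section
# (including folded continuation lines) is dropped; the body is untouched.
tag_message() {
    valid_tag "$1" || return 64
    printf 'X-host-tag: %s\n' "$1"
    awk '
        BEGIN { hdr = 1; skip = 0 }
        hdr && ($0 == "" || $0 == "\r") { hdr = 0; print; next }
        hdr && skip && /^[ \t]/ { next }
        hdr { skip = (tolower($0) ~ /^x-host-tag[ \t]*:/); if (skip) next }
        { print }
    '
}

# Deliver only when called with a tag argument, as PHP does via sendmail_path.
if [ "$#" -ge 1 ]; then
    valid_tag "$1" || { echo "mailwrap: invalid tag" >&2; exit 64; }
    tag_message "$1" | "$SENDMAIL" -t -i
fi
```

With this in place the first X-host-tag header in a delivered message is always the one from the vhost configuration, which is the value to search for when tracing a complaint back to an account.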
As a webhost that offers PHP-support for hundreds of customers, I have a
concern.
The mail()-function is too easy to use for sending spam and even worse -
it is (sometimes) almost impossible to trace the sender-account.

There was a discussion about this in the past few months:
http://marc.theaimsgroup.com/?t=116604692000001&r=1&w=2
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409