Hi All,
I'm working for an hosting company, we have a lot of PHP users and see regularly that one of the
scripts from our users is hacked. Result?, a lot of spam on the net, and a lot of work the find the
spamming scripts on the servers.
If you have a PHP script that sends mail, the recipient of the mail message will only see which
server it was sent from. There will normally be no record of who originated the message, or which
script on the server actually caused it to be sent. This can make it difficult to trace misuse, even
if you have comprehensive mail and webserver logs.
I think it should be usefull to add the "PHP mail() header patch" from Steve Bennett in safemode by
default.
The header could be in the form:
X-PHP-Script: <servername><php-self> for <remote-addr>
For example:
X-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.1
The patch can be found at:
http://www.lancs.ac.uk/~steveb/patches/php-mail-header-patch/
Best Regards,
Paul van Brouwershaven
Hey,
Paul van Brouwershaven wrote:
I think it should be usefull to add the "PHP
mail()header patch" from
Steve Bennett in safemode by default.
I wonder how this would go along with:
http://www.php.net/~derick/meeting-notes.html#safe-mode
I don't know if this still applies, it's from 2005 ...
- Markus
Hi Paul,
Am Montag, den 18.02.2008, 12:06 +0100 schrieb Paul van Brouwershaven:
[...]
I think it should be usefull to add the "PHP
mail()header patch" from
Steve Bennett in safemode by default.
As safemode is going to be (finally!) removed in PHP 6, I would propose
not to make this dependent on safe-mode. I would rather allow this
feature to be enabled separetely in the php.ini. Something like
mail.extra_log_header (not the perfect name, I know) would work.
[...]
cu, Lars
Hi Lars & Markus,
Lars Strojny wrote:
As safemode is going to be (finally!) removed in PHP 6, I would propose
not to make this dependent on safe-mode. I would rather allow this
feature to be enabled separetely in the php.ini. Something like
mail.extra_log_header (not the perfect name, I know) would work.
[...]
Enabling it from the php.ini would also be a good option, the main point is to get some help with
tracking the spam source in a shared hosted environment.
2008/2/18, Paul van Brouwershaven paul@vanbrouwershaven.com:
Enabling it from the php.ini would also be a good option, the main point is to get some help with
tracking the spam source in a shared hosted environment.
IIRC Ilia had a better patch for this, I dont know why it hasnt been
merged into PHP core.
Hi Lars & Markus,
Lars Strojny wrote:
As safemode is going to be (finally!) removed in PHP 6, I would
propose
not to make this dependent on safe-mode. I would rather allow this
feature to be enabled separetely in the php.ini. Something like
mail.extra_log_header (not the perfect name, I know) would work.
[...]Enabling it from the php.ini would also be a good option, the main
point is to get some help with tracking the spam source in a shared
hosted environment.
Are you aware of the following:
http://ilia.ws/archives/149-mail-logging-for-PHP.html
regards,
Lukas
Lukas Kahwe Smith wrote:
Are you aware of the following:
http://ilia.ws/archives/149-mail-logging-for-PHP.html
The idea is the same, but why is this not in the core?