mail() function abused by using MIME content, any fix???

joseluisx

I have the problem in my server that usually mail() functions are exploited by spammers who abuse function parameters to send email to hundreds of accounts at a time, this is done by injecting MIME content in the parameters.

When this happens I usually notice when starting to receive abuse complaints or when the server gets slow, however this is done overnight sometimes by spammers, and these things finally got my server blocked by Yahoo and Hotmail :(

This abuse can be stopped by cropping inputs to a certain amount of chars or validating the inputs by regular expressions, the problem is that this involves modifying the php scripts, and if I have 100 customers that use mail() function I have to instruct them all to do this or do the changes myself!!

So I decided to disable mail() function which I think is not the best solution since tons of apps use it and is the most common choice to customers to send mail instead of phpMailer that I am using now.

This must be a common problem, so my question is if there is any modification that can be done to the php.ini file or mail.c source code to avoid this.

Kinda big post here, but any help is appreciated!! :D
 
You can use mod_security and mail injection rules, works for me.

SecFilterSelective ARGS_VALUES "\n[[:space:]]*(to|bcc|cc)[[:space:]]*:.*@"
 
lvalics, can you explain exactly what this does? It would be nice to know :) .

Thanks!

Jeff
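
What the rule posted above matches, shown as an added example (not code from any poster in this thread): it flags any request parameter whose value contains a newline followed by a To, Cc or Bcc header line with an address. The Python pattern is a rendering of the rule's POSIX regex; case-insensitive matching on URL-decoded values is assumed, and the form fields and request bodies are constructed.

```python
import re
from urllib.parse import parse_qsl

# Python rendering of the rule's POSIX pattern: [[:space:]] becomes \s.
# Case-insensitive matching is an assumption made for this example.
RULE = re.compile(r"\n\s*(to|bcc|cc)\s*:.*@", re.IGNORECASE)


def flagged_args(body: str) -> list[str]:
    """Return names of form parameters whose decoded value matches RULE."""
    # parse_qsl URL-decodes each value, so %0A becomes a real newline
    # before the pattern is applied (assumed to mirror ARGS_VALUES).
    return [name for name, value in parse_qsl(body, keep_blank_values=True)
            if RULE.search(value)]


# Constructed request bodies for a hypothetical contact form.
SAMPLES = {
    # Ordinary submission: no newline in any value, nothing flagged.
    "normal": "name=Ana&email=ana%40example.com&message=Hello+there",
    # A header line smuggled into the single-line email field.
    "injected_header": "name=Ana&email=ana%40example.com%0ABcc%3A+x%40example.net&message=Hi",
    # CRLF plus padding: the [[:space:]]* parts still match.
    "padded_header": "subject=Hi%0D%0A++cc+%3A+y%40example.net&message=Hi",
    # Header-like text without a preceding newline is not matched.
    "no_newline": "subject=bcc%3A+z%40example.net&message=Hi",
    # Caveat: a legitimate multi-line message body quoting a header
    # is blocked too, because the rule looks at every argument value.
    "quoted_in_body": "message=Forwarding+this%3A%0ATo%3A+bob%40example.org%0AThanks",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(f"{label:16} -> {flagged_args(body) or 'allowed'}")
```

The last sample is the trade-off to expect: the rule cannot tell a textarea from a header-bound field, so multi-line messages that quote a To/Cc/Bcc line are rejected as well.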
 
You can modify the C source of the mail function, I can do this if you need.

I also found this that might help you: NOTE not my script and I haven't tested it, use at your own risk.



Source: http://www.titov.net/2005/12/01/php-forms-spam/
For the purposes of growing spam attacks through the forms of our hosting clients and because our server got onto spamlist today, I’ve written a simple Perl wrapper for sendmail, that php uses.

It’s very simple and it counts the number of @’s in the message header.

Here it is:

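Perl:
#!/usr/bin/perl -w
# sendmail wrapper: count the @ signs in the message headers and
# block the mail when there are too many of them.
use strict;

# The delivery command did not survive in this listing; the usual
# sendmail location and the -t -i flags are assumed here. Adjust as needed.
my $sendmail = "/usr/sbin/sendmail";

my $data      = "";
my $copies    = 0;
my $in_header = 1;

# Read the whole message from STDIN, which is how PHP's mail() hands it over.
while (my $line = <STDIN>) {
    $data .= $line;
    # The first empty line ends the header section.
    $in_header = 0 if ($line eq "\n");

    if ($in_header) {
        # s/@//g returns the number of substitutions, i.e. the @ count.
        my $line2 = $line;
        $copies += $line2 =~ s/@//g;
    }
}

print $copies;

if ($data ne "") {
    if ($copies <= 5) {
        # Few enough addresses: pass the message to the real sendmail.
        open(FILE, "|-", $sendmail, "-t", "-i") or die "sendmail: $!";
        print FILE $data;
        close(FILE);
    } else {
        # More than 5 @'s in the header: keep a copy instead of sending.
        open(FILE, ">>/tmp/php_blocked_emails") or die "log: $!";
        print FILE $data;
        close(FILE);
    }
}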
If more than 5 @’s are found in the header it blocks the mail.

You need to change sendmail_path in php.ini to the path of this script
 
Well I've implemented the solution proposed by lvalics with great success, haven't tried the perl solution.

Jose Luis
 