Request #36341 Changes to combat mail form spam
Submitted: 2006-02-09 15:16 UTC Modified: 2021-09-09 14:04 UTC
Votes:15
Avg. Score:4.9 ± 0.2
Reproduced:13 of 13 (100.0%)
Same Version:4 (30.8%)
Same OS:4 (30.8%)
From: paul at xciv dot org Assigned: cmb
Status: Closed Package: Mail related
PHP Version: 4.4.2 OS: FreeBSD
Private report: No CVE-ID: None
 [2006-02-09 15:16 UTC] paul at xciv dot org
Description:
------------
I have two suggestions for modifications to help combat the problem of mail form spam.

Firstly I would like to see mail.force_extra_parameters back-ported to the 4.x branch - not everyone is ready to upgrade to 5.x in production yet.

Secondly I would like to suggest that environment variables from the PHP environment are exposed to the sendmail binary.

I will explain why this is useful.


Reproduce code:
---------------
With the mail.force_extra_parameters option, I can set different parameters per Apache vhost.

This can be very useful because I can set custom parameters like: -xs my.vhost.domain

How is this useful?  Well if I then set a new sendmail_path to my own custom wrapper script I can pick up these custom parameters and do two things:

1. Log the originating vhost, number of recipients etc.

2. Add an X-Header: in the mail detailing which vhost the mail originated from - before passing it to the real sendmail.

This allows me to track which vhost sent mail from the httpd!  So I can now track which vhost may have an insecure mail form if I get spam reports.  With say 100 vhosts this is *invaluable*.

My second suggestion would make this a lot easier and a lot more expandable.  If the PHP environment variables were exposed to sendmail then I could even pick up such details as the script filename etc and this would then not require the use of custom mail.force_extra_parameters.



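The set-up the report describes (a custom sendmail_path that reads a per-vhost marker supplied through mail.force_extra_parameters, logs it together with the recipient count, and stamps an X-header on the message before handing it to the real sendmail) as a POSIX sh wrapper. This is an added example, not code from the report or from PHP. The installation paths, the "-xs" marker's treatment, the log format and the header name X-PHP-Originating-Vhost are assumptions; the wrapper also forwards only the sendmail options it expects and refuses anything else, which is the check one would want in front of a binary reached through mail()'s additional_parameters argument.

```shell
#!/bin/sh
# sendmail-wrap.sh: per-vhost mail logging wrapper, written as an added example
# of the set-up described in the report. Not code from the report or from PHP;
# paths, the log format and the header name are assumptions.
#
# Assumed deployment (Apache, mod_php):
#   php.ini:           sendmail_path = "/usr/local/bin/sendmail-wrap.sh -t -i"
#   per <VirtualHost>: php_admin_value mail.force_extra_parameters "-xs shop.example.test"
# PHP appends the forced parameters to the sendmail_path command line, so the
# wrapper is invoked with "-t -i -xs shop.example.test" plus whatever mail()'s
# fifth argument contributed. "-xs" is private to the wrapper and not forwarded.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"   # assumed location
MAIL_LOG="${MAIL_LOG:-/var/log/php-mail.log}"          # assumed location

# Keep only hostname characters, so the value written into a header and into
# the log cannot carry CR/LF or anything else that would inject a header.
clean_vhost() {
  printf '%s' "$1" | tr -cd 'A-Za-z0-9.-'
}

# Read a message on stdin and write it with an X-PHP-Originating-Vhost header
# prepended. Header order is not significant, so prepending is sufficient.
add_vhost_header() {
  awk -v vh="$1" 'NR == 1 { print "X-PHP-Originating-Vhost: " vh } { print }'
}

# Approximate recipient count for "-t" mode: addresses in To:/Cc:/Bcc: headers
# of the message on stdin, folded continuation lines joined. Commas inside a
# quoted display name are counted as separators, so this is a log estimate.
count_header_recipients() {
  awk '
    /^$/ { exit }                                         # end of header block
    /^[[:blank:]]/ { if (buf != "") buf = buf $0; next }  # folded continuation
    { if (buf != "") n += split(buf, a, ","); buf = ""
      if (tolower($0) ~ /^(to|cc|bcc):/) buf = $0 }
    END { if (buf != "") n += split(buf, a, ","); print n + 0 }'
}

# Parse the arguments PHP passes, forward only the options this wrapper
# expects, log vhost and recipient count, then pass the message (with the
# extra header) to the real sendmail. Unknown options are refused, so a stray
# value arriving through mail()'s additional_parameters never reaches sendmail.
wrap_mail() {
  vhost=unknown header_mode=0 positional=0 argc=$# i=0
  while [ "$i" -lt "$argc" ]; do
    arg=$1; shift; i=$((i + 1))
    case "$arg" in
      -xs|-f)
        # option with a separate value: the value must be an original argument,
        # not one already re-appended to "$@" below
        [ "$i" -lt "$argc" ] || { echo "sendmail-wrap: $arg needs a value" >&2; return 64; }
        i=$((i + 1))
        if [ "$arg" = -xs ]; then vhost=$(clean_vhost "$1"); else set -- "$@" -f "$1"; fi
        shift ;;
      -t)     header_mode=1; set -- "$@" "$arg" ;;
      -i|-oi) set -- "$@" "$arg" ;;
      -f?*)   set -- "$@" "$arg" ;;           # -fsender@example.test form
      -*)     echo "sendmail-wrap: rejected option $arg" >&2; return 64 ;;
      *)      positional=$((positional + 1)); set -- "$@" "$arg" ;;
    esac
  done

  tmp=$(mktemp) || return 1
  cat > "$tmp"                       # the message PHP writes on our stdin
  if [ "$header_mode" -eq 1 ]; then
    rcpts=$(count_header_recipients < "$tmp")
    mode=header
  else
    rcpts=$positional                # recipients were given on the command line
    mode=argv
  fi
  printf '%s vhost=%s rcpts=%s mode=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$vhost" "$rcpts" "$mode" >> "$MAIL_LOG"
  add_vhost_header "$vhost" < "$tmp" | "$REAL_SENDMAIL" "$@"
  rc=$?
  rm -f "$tmp"
  return $rc
}

# Act as the wrapper only when installed under that name; sourcing the file
# (to reuse or test the functions) sends nothing.
case "$0" in
  *sendmail-wrap*) wrap_mail "$@" ;;
esac
```

With 100 vhosts the log line "vhost=shop.example.test rcpts=3 mode=header" is what ties a spam report back to one vhost's form, and the X-PHP-Originating-Vhost header gives the abuse desk the same pointer from the delivered message. What the wrapper cannot see is the script that called mail(), because PHP does not pass its request environment to the sendmail child; that is the second half of the request.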
History
 [2006-02-11 18:33 UTC] karl at kdawebservices dot com
Both excellent ideas. I also believe there is a patch out in the wild for PHP that automatically adds an X header with the vhost domain. Perhaps this should be incorporated (with an ini option to turn it on/off), along with adding the path to the script as an X header as well.
 [2006-03-04 21:33 UTC] tim at globalgold dot co dot uk
I agree Paul's suggestion should be implemented.
 [2006-03-06 16:11 UTC] simon at advantage-interactive dot com
Excellent suggestions, would help tracking back spam
 [2006-03-08 19:59 UTC] richard at indigo3 dot net
An interesting idea. Well worth the investment in time and effort.
 [2015-12-08 12:49 UTC] david at ols dot es
You can actually add custom parameters to sendmail using a per-vhost php_admin_value sendmail_path; nevertheless, having the REMOTE_ADDR user IP address would be very helpful, as it could be checked against Spamhaus/CBL, and having REQUEST_URI available could help in tracking problems.

Request #37989 is a similar one.
 [2016-12-30 23:34 UTC] cmb@php.net
-Package: Feature/Change Request +Package: Mail related
 [2021-08-17 07:57 UTC] rtrtrtrtrt at dfdfdfdf dot dfd
Use https://github.com/PHPMailer/PHPMailer instead of sendmail, which won't work on a properly secured server anyway; with a simple wrapper function you could implement whatever you want within 2 minutes.

Which web server allows calling a suid binary in 2021?
 [2021-09-09 12:38 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-09-09 12:38 UTC] cmb@php.net
> Firstly I would like to see mail.force_extra_parameters
> back-ported to the 4.x branch - not everyone is ready to upgrade
> to 5.x in production yet.

This is no longer relevant.

> Request #37989 is a similar one.

Right, and that is about the second part of the request.
 [2021-09-09 14:04 UTC] paul at xciv dot org
-Status: Duplicate +Status: Closed
 [2021-09-09 14:04 UTC] paul at xciv dot org
This bug report is from 2006! It relates to PHP 4 and 5.

So now closed.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 22:01:28 2024 UTC