Request #36341 Changes to combat mail form spam
Submitted: 2006-02-09 15:16 UTC Modified: 2021-09-09 14:04 UTC
Votes:15
Avg. Score:4.9 ± 0.2
Reproduced:13 of 13 (100.0%)
Same Version:4 (30.8%)
Same OS:4 (30.8%)
From: paul at xciv dot org Assigned: cmb (profile)
Status: Closed Package: Mail related
PHP Version: 4.4.2 OS: FreeBSD
Private report: No CVE-ID: None
 [2006-02-09 15:16 UTC] paul at xciv dot org
Description:
------------
I have two suggestions for modifications to help combat the problem of mail form spam.

Firstly I would like to see mail.force_extra_parameters back-ported to the 4.x branch - not everyone is ready to upgrade to 5.x in production yet.

Secondly I would like to suggest that environment variables from the PHP environment are exposed to the sendmail binary.

I will explain why this is useful.


Reproduce code:
---------------
With the mail.force_extra_parameters option, I can set different parameters per Apache vhost.

This can be very useful because I can set custom parameters like: -xs my.vhost.domain

How is this useful?  Well if I then set a new sendmail_path to my own custom wrapper script I can pick up these custom parameters and do two things:

1. Log the originating vhost, number of recipients etc.

2. Add an X-Header: in the mail detailing which vhost the mail originated from - before passing it to the real sendmail.

This allows me to track which vhost sent mail from the httpd!  So I can now track which vhost may have an insecure mail form if I get spam reports.  With say 100 vhosts this is *invaluable*.

My second suggestion would make this a lot easier and a lot more expandable.  If the PHP environment variables were exposed to sendmail then I could even pick up such details as the script filename etc and this would then not require the use of custom mail.force_extra_parameters.



History

 [2006-02-11 18:33 UTC] karl at kdawebservices dot com
Both excellent ideas. I also believe there is a patch out in the wild for PHP that automatically adds an X header with the vhost domain. Perhaps this should be incorporated (with an ini option to turn it on/off), along with adding the path to the script as an X header as well.
 [2006-03-04 21:33 UTC] tim at globalgold dot co dot uk
I agree Paul's suggestion should be implemented.
 [2006-03-06 16:11 UTC] simon at advantage-interactive dot com
Excellent suggestions, would help tracking back spam
 [2006-03-08 19:59 UTC] richard at indigo3 dot net
An interesting idea. Well worth the investment in time and effort.
 [2015-12-08 12:49 UTC] david at ols dot es
You can actually add custom parameters to sendmail using a per-vhost php_admin_value sendmail_path; nevertheless, having the REMOTE_ADDR user IP address will be very helpful, as it could be checked against Spamhaus/CBL. Also, having REQUEST_URI available could help in tracking problems.

Request #37989 is a similar one.
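As an added example (not code from the bug report, from PHP, or from any of the commenters), the following POSIX sh script is a sendmail_path wrapper of the kind Paul describes in the original report and that david's comment builds on: it picks the vhost out of a custom `-xs VALUE` parameter supplied via a per-vhost mail.force_extra_parameters, logs the vhost and recipient count, adds an X header, and passes the message to the real sendmail. It assumes PHP invokes it as `php-sendmail-wrapper -t -i -xs my.vhost.domain` with the message on stdin; the paths /usr/sbin/sendmail and /var/log/php-mail-wrapper.log, the header name X-PHP-Originating-Vhost, and the install name php-sendmail-wrapper are all assumptions. REMOTE_ADDR, REQUEST_URI and SCRIPT_FILENAME are logged only if the SAPI happens to export them into the child's environment, which is exactly what the second suggestion and david's comment ask for.

```shell
#!/bin/sh
# Hypothetical sendmail_path wrapper (added example, not from the bug report).
# Assumed call shape from PHP:  php-sendmail-wrapper -t -i -xs my.vhost.domain
# with the message on stdin, "-xs VALUE" coming from the vhost's
# mail.force_extra_parameters. Paths and the header name are assumptions.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"
WRAPPER_LOG="${WRAPPER_LOG:-/var/log/php-mail-wrapper.log}"

# vhost_from_args ARGS...: print the value following -xs, or "unknown".
vhost_from_args() {
    _vh="unknown"
    while [ $# -gt 0 ]; do
        if [ "$1" = "-xs" ] && [ $# -gt 1 ]; then
            _vh="$2"
            shift
        fi
        shift
    done
    printf '%s\n' "$_vh"
}

# count_recipients < MESSAGE: count '@' in To:/Cc:/Bcc: headers (folded
# continuation lines included) as an approximation of the recipient count.
count_recipients() {
    awk '
        /^$/ { exit }                                  # end of header block
        /^[ \t]/ { if (inaddr) buf = buf $0; next }    # folded continuation
        {
            inaddr = ($0 ~ /^[Tt][Oo]:|^[Cc][Cc]:|^[Bb][Cc][Cc]:/)
            if (inaddr) buf = buf "\n" $0
        }
        END { print gsub(/@/, "@", buf) }
    '
}

# tag_message VHOST < MESSAGE: emit the message with a tracing header in
# front. CR/LF are stripped from the value so a bad ini value cannot inject
# further headers; the value must stay admin-controlled regardless.
tag_message() {
    _clean=$(printf '%s' "$1" | tr -d '\r\n')
    printf 'X-PHP-Originating-Vhost: %s\n' "$_clean"
    cat
}

main() {
    umask 077
    tmp=$(mktemp) || exit 75          # EX_TEMPFAIL: let the caller retry
    trap 'rm -f "$tmp"' EXIT
    cat > "$tmp"                      # read the message exactly once

    vhost=$(vhost_from_args "$@")
    count=$(count_recipients < "$tmp")

    # Per-request CGI variables appear here only if the SAPI exports them
    # into the child's environment (the report's second suggestion).
    printf '%s vhost=%s recipients=%s script=%s remote=%s uri=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$vhost" "$count" \
        "${SCRIPT_FILENAME:-?}" "${REMOTE_ADDR:-?}" "${REQUEST_URI:-?}" \
        >> "$WRAPPER_LOG"

    # Rebuild the argument list without the wrapper-only "-xs VALUE" pair,
    # so the real sendmail never sees an option it does not know.
    n=$#; i=0
    while [ $i -lt $n ]; do
        i=$((i + 1)); arg="$1"; shift
        if [ "$arg" = "-xs" ]; then
            if [ $i -lt $n ]; then i=$((i + 1)); shift; fi
            continue
        fi
        set -- "$@" "$arg"
    done

    tag_message "$vhost" < "$tmp" | "$REAL_SENDMAIL" "$@"
}

# Run only when installed under the expected name; sourcing just loads the functions.
case "$(basename -- "$0")" in
    php-sendmail-wrapper) main "$@" ;;
esac
```

Install it as /usr/local/sbin/php-sendmail-wrapper, set `sendmail_path = /usr/local/sbin/php-sendmail-wrapper -t -i` globally, and give each vhost its own `php_admin_value mail.force_extra_parameters "-xs my.vhost.domain"`. The recipient count is an approximation (it counts `@` signs in address headers), which is enough to spot a form that suddenly sends to hundreds of addresses; if the log shows a vhost with an unexpected volume, the X header in any spam report points back to the same vhost.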
 [2016-12-30 23:34 UTC] cmb@php.net
-Package: Feature/Change Request +Package: Mail related
 [2021-08-17 07:57 UTC] rtrtrtrtrt at dfdfdfdf dot dfd
Use https://github.com/PHPMailer/PHPMailer instead of sendmail, which won't work on a properly secured server anyway; with a simple wrapper function you would implement whatever you want within 2 minutes.

which webserver allows calling a suid binary in 2021?
 [2021-09-09 12:38 UTC] cmb@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: cmb
 [2021-09-09 12:38 UTC] cmb@php.net
> Firstly I would like to see mail.force_extra_parameters
> back-ported to the 4.x branch - not everyone is ready to upgrade
> to 5.x in production yet.

This is no longer relevant.

> Request #37989 is a similar one.

Right, and that is about the second part of the request.
 [2021-09-09 14:04 UTC] paul at xciv dot org
-Status: Duplicate +Status: Closed
 [2021-09-09 14:04 UTC] paul at xciv dot org
This bug report is from 2006 and relates to PHP 4 and 5.

So now closed.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Jul 01 06:05:45 2022 UTC