PHPFAQ - How do I stop spammers using header injection with my PHP Scripts? (Server Admin)


Question :

How do I stop spammers using header injection with my PHP Scripts? (Server Admin)

Answer : If you are a server admin, you may have hundreds of websites whose scripts you have no control over.

The method we came up with uses exim to take the mail from web forms and check the message body for any bad content. It is a very easy fix; first make sure you have exim installed.

This is based on exim-4.31 + Exiscan patch.

You need to edit php.ini and set the sendmail option to :-
sendmail_path = "/usr/exim/bin/exim -t -i"

This will ensure that PHP uses exim to deliver the local mail.

Now edit the exim configure file (ours is located at /usr/exim/configure).

Look for the line trusted_users; if it is not found, add it in :-
trusted_users = nobody

This assumes that your webserver runs as the user nobody; it may instead be www (the user is listed in httpd.conf). If it is another user, change the above line accordingly.

The trusted_users line can go at the top of exim's configuration file.

Next search for acl_smtp_rcpt = acl_check_rcpt

Below this add :-
acl_not_smtp = acl_check_pipe

(acl_not_smtp is the ACL exim runs for messages submitted locally rather than over SMTP, which is how PHP hands mail over through the sendmail_path set above.)

Now search for acl_check_rcpt:

Above this line place the following :-
acl_check_pipe:
  drop condition = ${if match {$message_body}\
                     {\N.*\
                     MIME-Version:.*\N}{true}}
       log_message = "Spam MIME-Version:$header_subject: "

  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #                    {\N.*\
  #                    Content-Type:.*\N}{true}}
  #      log_message = "Spam: Content-Type: $header_subject: "

  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #                    {\N.*\
  #                    Content-Transfer-Encoding:.*\N}{true}}
  #      log_message = "Spam: Content-Transfer-Encoding: $header_subject: "

  drop condition = ${if match {$message_body}\
                     {\N.*\
                     bcc:.*\N}{true}}
       log_message = "Spam: bcc: $header_subject: "

  drop condition = ${if match {$message_body}\
                     {\N.*\
                     cc:.*\N}{true}}
       log_message = "Spam: cc: $header_subject: "

  accept
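To see what these conditions actually match, here is an added Python simulation of the acl_check_pipe body check. It is not part of the original answer and is not Exim code: it writes out the three regexes as Exim sees them once the backslash-continued lines are joined, models $message_body the way Exim builds it (the body only, newlines turned into spaces, cut off at message_body_visible, whose documented default of 500 bytes is assumed here), and runs the rules over a few constructed form messages. The HARDENED_RULES variant with (?i) is this example's suggestion, not something the page gives, and the log messages omit the $header_subject: expansion.

```python
import re

# Exim's documented default for message_body_visible: only this many bytes of
# the body are exposed in $message_body (assumed here, not stated on the page).
MESSAGE_BODY_VISIBLE = 500

# The three active conditions from the ACL above, written as the single regex
# Exim ends up with after joining each backslash-continued line:
#   \N.*\  +  MIME-Version:.*\N   ->   .*MIME-Version:.*
# The second element is the fixed part of each log_message.
RULES = [
    (r".*MIME-Version:.*", "Spam MIME-Version:"),
    (r".*bcc:.*", "Spam: bcc:"),
    (r".*cc:.*", "Spam: cc:"),
]

# Suggested variant (not from the page): (?i) makes the match case-insensitive,
# so an upper-case "BCC:" is caught as well as "bcc:".
HARDENED_RULES = [(r"(?i)" + pattern, msg) for pattern, msg in RULES]


def exim_message_body(raw_message, visible=MESSAGE_BODY_VISIBLE):
    """Approximate what $message_body holds for a message: the part after the
    first blank line, with newlines converted to spaces (Exim's default
    behaviour), truncated to message_body_visible bytes."""
    _headers, _sep, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    body = body.replace("\n", " ")
    return body.encode("utf-8")[:visible].decode("utf-8", errors="ignore")


def acl_check_pipe(raw_message, rules=RULES, visible=MESSAGE_BODY_VISIBLE):
    """Walk the drop conditions in order, like the ACL does. ${if match ...}
    is an unanchored PCRE search, so re.search is the right model.
    Returns (verdict, log_message) where verdict is "drop" or "accept"."""
    body = exim_message_body(raw_message, visible)
    for pattern, log_message in rules:
        if re.search(pattern, body):
            return ("drop", log_message)
    return ("accept", None)


# Constructed sample messages, as PHP's mail() would hand them to exim -t -i.
HEADERS = "From: form@example.com\nTo: sales@example.com\nSubject: Quote\n\n"
LEGIT = HEADERS + "Hello, I would like a quote for 20 units.\n"
INJECTED = HEADERS + "hello\nbcc: one@example.net, two@example.net\n\nBuy now!\n"
UPPER_CASE = HEADERS + "hello\nBCC: one@example.net\n\nBuy now!\n"
# Injected line pushed past the default 500 visible bytes by filler text.
LATE = HEADERS + ("x" * 600) + "\nbcc: one@example.net\n"

if __name__ == "__main__":
    for name, msg in [("legit", LEGIT), ("injected", INJECTED),
                      ("upper-case", UPPER_CASE), ("late", LATE)]:
        print(f"{name:10s} page rules: {acl_check_pipe(msg)}  "
              f"hardened, 2000 bytes: {acl_check_pipe(msg, HARDENED_RULES, 2000)}")
```

Two things the run makes visible: the page's patterns are case-sensitive, so an upper-case header name in the body is only caught once (?i) is added, and anything beyond message_body_visible bytes is never seen by the ACL at all, so raise that option in the main configuration if forms on your server send long messages.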

--

Save the file and restart apache and exim. This should now protect your contact forms.
