cPanel Admin please read! - httpd.conf modification to prevent spam from php mail()

[hostultra]

Often you will see spam or abuse of the php mail function which is very hard to trace due to the mail being sent by 'nobody'.
I know you can disable nobody from sending mail, but that prevents php mail from working altogether.
With this simple modification of the httpd.conf you can see who sent the mails:

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -r USERNAME"

You need to put that in each users virtualhost, and change USERNAME to the actual username.
This causes the return address to become [email protected] which can be used to track who sent the mail.
Hopefully cpanel can consider this for the next release, or make it an option like open_basedir

 

[elleryjh]

that's a good idea, but not necessary when using phpsuexec

 

[internethosting]

I love this!.. Can Cpanel put together a little script we can run to have this added to the httpd.conf automatically.???

 

[jamesbond]

Originally posted by hostultra
Hopefully cpanel can consider this for the next release, or make it an option like open_basedir

I hope they will, I don't think it will be much work as it is basically the same logic as the open_basedir feature.

 

[hostultra]

One thing i forgot to mention:

For this to work at all you need to goto Exim Configuration Editor advanced mode and in the first large edit box put in this line

trusted_users = nobody

All trusted users does is allow the nobody user to use the -r option to set the sender on the command line. This MAY cause future annoyances if you allow the php exec and system functions.

 

[richy]

Entered into bugzilla as bug 310 (enhancement) http://bugzilla.cpanel.net/show_bug.cgi?id=310 . Please feel free to "vote" on it.

 

[MichaelShanks]

I see this issue has not been addressed, I am of the opinion that this should at least have a cpanel developer look into it, it is a relatively simple modifcation that can be made to the /scripts/initsuexec script,

 

[Website Rob]

Originally posted by richy
Entered into bugzilla as bug 310 (enhancement) http://bugzilla.cpanel.net/show_bug.cgi?id=310 . Please feel free to "vote" on it.

My vote made it 10 now in total. Wonder how many votes it takes to get something included?

 

[richy]

13 votes now, but at 2004-04-29 14:56:45 Nick@Cpanel did assign it to depend on bug #128 ("cPanel 9.4 TODO"), so hopefully it'll be coming shortly...

 

[cPanelNick]

This will not be done because it opens up a security hole to make it happen. Please read the bugzilla bug report for more information.

 

[AP]

I'm marking this as invalid because it in effect IS A SECURITY HOLE!

hee hee:D

 

[hostultra]

Here is a better way which does not make a security hole:

Upload the following as /usr/sbin/phpsendmail and chmod 755

#!/usr/bin/perl

$/ = null;
$input = <STDIN>;

open (MAIL, "|/usr/sbin/sendmail -t -i");
print MAIL qq~X-PHP-SENDER: $ARGV[0]
$input~;
close(MAIL);

Edit /scripts/phpopenbasectl
Change line 71 to:

print HC "<IfModule mod_php4.c>\nphp_admin_value open_basedir \"${homedir}/:/usr/lib/php:/usr/local/lib/php:/tmp\"\nphp_admin_value sendmail_path \"/usr/sbin/phpsendmail $owner\"\n</IfModule>\n";

chattr +i /scripts/phpopenbasectl
Goto WHM and rebuild the php open basedir

 

[Sheldon]

someone add this to the cpanel bugzilla!

 

[gorilla]

This is what GrandMaster J. Nick Koston had to say to this Idea

Comment #2 From J. Nick Koston 2004-05-17 01:04 -------
in theory this is a good thing, but it always allows anyone to forge anything to
any other user. Since you have to trust nobody. In effect you are letting
anyone masq as an other user on the server. This is actually more dangerous.

For instance, the user sam could spam with their own script and just call
sendmail with -r fred. Since php runs as nobody and you are trusting nobody you
have just let the guility place the blame on the innocent.

I'm marking this as invalid because it in effect IS A SECURITY HOLE!
Comment #2 From J. Nick Koston 2004-05-17 01:04 -------

 

[Sheldon]

yes but if you read the above post, youd realise he made a new version one that doesnt have that hole :P