Alt-PHP-Faq


Question :

How do I stop spammers using header injection with my PHP Scripts? (Server Admin)

Answer :
*UPDATE*
System administrators: I would recommend visiting the choon.net php-mail-header patch. Using this patch adds additional headers to all mail sent with the PHP mail command, which will enable you to track spam reports much faster.

It's also advisable to look at installing the Suhosin Hardened PHP patch; this patch adds far greater security to a PHP build. The mail options should slow down spammers' and hackers' efforts.



--
If you are a server admin you may have hundreds of websites that you have no control over.

The method we came up with involves using exim to take the mail from web forms and check for any bad content in the message body. It's a very easy fix. First, you need to make sure you have exim installed.

This is based on exim-4.31 + Exiscan patch.

You need to edit php.ini and set the sendmail option to :-
sendmail_path = "/usr/exim/bin/exim -t -i"

This will ensure that PHP uses exim to deliver the local mail.

Now edit the exim configure file (ours is located at /usr/exim/configure).

Look for the line trusted_users; if it is not found, add it in :-
trusted_users = nobody

This assumes that your webserver runs as nobody; it may also be www (the user is listed in httpd.conf). If it's another user then edit the above line.

The trusted_users can be at the top of exim's configuration file.

Next search for acl_smtp_rcpt = acl_check_rcpt

Below this add
acl_not_smtp = acl_check_pipe

Now search for acl_check_rcpt:

Above this line place the following :-
acl_check_pipe:
  # Runs for non-SMTP mail (acl_not_smtp), i.e. messages piped in by PHP's mail()
  drop condition = ${if match {$message_body}\
         {\N.*\
         MIME-Version:.*\N}{true}}
       log_message = "Spam MIME-Version:$header_subject: "

  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #        {\N.*\
  #        Content-Type:.*\N}{true}}
  #      log_message = "Spam: Content-Type: $header_subject: "

  # This will also block attachments
  # drop condition = ${if match {$message_body}\
  #        {\N.*\
  #        Content-Transfer-Encoding:.*\N}{true}}
  #      log_message = "Spam: Content-Transfer-Encoding: $header_subject: "

  drop condition = ${if match {$message_body}\
         {\N.*\
         bcc:.*\N}{true}}
       log_message = "Spam: bcc: $header_subject: "

  drop condition = ${if match {$message_body}\
         {\N.*\
         cc:.*\N}{true}}
       log_message = "Spam: cc: $header_subject: "

  # Anything that did not match a drop rule above is delivered as normal
  accept

--

Save and restart apache/exim. This should now protect your contact forms.
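
The check below is an added example, not part of the original FAQ or of exim: a Python model of the three active acl_check_pipe rules, run over constructed form-mail bodies to show what they drop and where they misfire. It assumes exim's default of exposing only the first 500 characters of $message_body with newlines converted to spaces; STRICT_RULES is a hypothetical tightened variant, not the configuration given above.

```python
import re

# Assumption: exim exposes the first 500 characters of the body in
# $message_body (message_body_visible default), newlines turned into spaces.
BODY_VISIBLE = 500

# The page's active rules in ACL order: (regex, label used in the log line).
PAGE_RULES = [
    (r".*MIME-Version:.*", "MIME-Version"),
    (r".*bcc:.*", "bcc"),
    (r".*cc:.*", "cc"),
]
# Hypothetical tightened variant: case-insensitive (header names are not
# case-sensitive) and the name must start a word, so "acc:" is left alone.
STRICT_RULES = [(r"(?i)\b" + n + ":", n) for n in ("MIME-Version", "bcc", "cc")]

# Constructed sample bodies, as a contact form might hand them to mail().
SAMPLES = {
    "injected_headers": "Hello\nMIME-Version: 1.0\nbcc: list@example.test\n\nBuy now",
    "mixed_case_header": "Hi\nCc: list@example.test\n",
    "account_number": "Please refund acc: 12345678, thanks",
    "plain_enquiry": "What are your opening hours?",
}

def acl_verdict(body, rules):
    """Return 'drop:<label>' for the first matching rule, else 'accept'."""
    visible = body[:BODY_VISIBLE].replace("\n", " ")
    for pattern, label in rules:
        if re.search(pattern, visible):  # exim's match is an unanchored search
            return "drop:" + label
    return "accept"

def compare():
    """Map each sample name to (verdict under page rules, verdict under strict rules)."""
    return {name: (acl_verdict(body, PAGE_RULES), acl_verdict(body, STRICT_RULES))
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, (page, strict) in compare().items():
        print(f"{name:18} page={page:18} strict={strict}")
```

The account_number sample is a false positive of the page's cc rule and the mixed_case_header sample is a miss; both verdicts change under the tightened patterns.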

Design & Layout Copyright © 2000-2006 PHP MySQL Web Hosting