Unsure who is sending spam? Try this

Anyone who has hosted other people's websites has had either a blog hacked, or some guy deciding he is going to send mass mailouts using PHP or similar.

It is extremely hard to track down and deal with, and yet it can get your server listed by spam blacklisting services, which then stops legitimate email from getting through. This was my answer to the problem, and it has helped me track down several insecure contact forms and troublesome users.

  1. Put the code below somewhere like /usr/local/securemail/mail.pl (or .php or .sh, depending on which version you use)
  2. Point PHP's sendmail_path at that script, either in php.ini or per virtualhost (ie php_admin_value sendmail_path "/usr/local/securemail/mail.pl " )
  3. Edit the script to point to the mailer you use (the line that says my $mailprog = '/usr/sbin/exim -t '; in the Perl version, $sendmail_bin in the PHP version)
  4. Make the script executable, make sure the user PHP runs as can write the log, and add a logrotate entry for /var/log/formmail.log or similar

Note that the wrapper only sees mail sent through PHP's mail(); a script that talks SMTP to localhost directly, or runs the MTA binary itself, bypasses it.

Shell version

#!/bin/sh
# Log who called us, then hand the message and any arguments PHP added (usually -f sender)
# to the real MTA. HTTP_HOST, REMOTE_ADDR etc. are only reliably inherited when PHP runs as
# a CGI (suPHP and the like); expect some of them to be empty otherwise, but PWD and the uid
# are always there and are usually enough to identify the site.
/usr/bin/logger -p mail.info "sendmail-php: site=${HTTP_HOST}, client=${REMOTE_ADDR}, script=${SCRIPT_NAME}, filename=${SCRIPT_FILENAME}, docroot=${DOCUMENT_ROOT}, pwd=${PWD}, uid=$(id -u), user=$(id -un), args=$*"

# exec so the MTA's exit status goes straight back to PHP's mail(); "$@" keeps each argument intact.
exec /usr/sbin/sendmail -t -i "$@"

Perl version

#!/usr/bin/perl
#
# This will tell you who is emailing from your server and where from. Good for diagnosing which person has
# an insecure website and is sending spam via a PHP application. Possible to use for other services also.
#
# Put this wherever you want the mail logged from. Edit $mailprog for this particular server
# (if you use postfix or qmail etc. then find the path and put that instead).
#
# Edit php.ini and adjust the sendmail_path to be this script.
# If you want to do it domain by domain you can add the following line into your virtualhost:
#	php_admin_value sendmail_path "/usr/local/securemail/mail.pl "
#
# Now for the finale, chmod +x /usr/local/securemail/mail.pl (or wherever you put the script)
# touch /var/log/formmail.log ; chown www-data:www-data /var/log/formmail.log
# Basically create the log and make sure the user PHP runs as (apache, or each site user under
# suPHP and the like) owns/can write to it.
#
use strict;
use warnings;
use Cwd qw(getcwd);

my $mailprog = '/usr/sbin/exim -t ';
# Split into a list so the MTA is exec'd directly; the arguments PHP adds (usually -f sender)
# are appended as-is and never go through a shell.
my @cmd = (split(' ', $mailprog), @ARGV);

my $date = scalar localtime;
my $cwd  = getcwd();            # directory of the PHP script that called mail()
my @info = getpwuid($>);        # who we are running as (apache, or the site user)

open(my $log, '>>', '/var/log/formmail.log') or die "Failed to open file ::$!";
if ($ENV{REMOTE_ADDR}) {
    # CGI variables are only inherited when PHP runs as a CGI (suPHP etc.)
    print $log "$date - $ENV{REMOTE_ADDR} ran $ENV{SCRIPT_NAME} at $ENV{SERVER_NAME} from $cwd\n";
} else {
    print $log "$date - $cwd - $info[0] - @ARGV\n";
}
close($log);

# Copy the message from our stdin to the MTA's stdin
open(my $mail, '|-', @cmd) or die "cannot open $cmd[0]: $!\n";
while (my $line = <STDIN>) {
    print $mail $line;
}
close($mail);
exit($? >> 8);    # hand the MTA's exit status back to PHP's mail()

Update: I have had some problems with this on some systems, so I reverted to the following PHP script instead of the Perl one.

#!/usr/bin/php
<?php
//* Wrapper for PHP's mail(): log who is sending, then pipe the message to the real MTA.
$sendmail_bin = '/usr/sbin/sendmail';
$logfile = '/var/log/formmail.log';

//* Read the message from stdin, remembering the To: and From: headers for the log
$logline = '';
$mail = '';
$pointer = fopen('php://stdin', 'r');
while (($line = fgets($pointer)) !== false) {
    if (preg_match('/^(to|from):/i', $line)) {
        $logline .= trim($line) . ' ';
    }
    $mail .= $line;
}
fclose($pointer);

//* Compose the sendmail command; PHP passes extra arguments (typically -f sender) in argv
$command = escapeshellcmd($sendmail_bin) . ' -t -i';
for ($i = 1; $i < $argc; $i++) {
    $command .= ' ' . escapeshellarg($argv[$i]);
}

//* Write the log: time, directory of the calling script (getcwd(), not a possibly stale $PWD), headers
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . getcwd() . ' ' . $logline . "\n", FILE_APPEND);

//* Run the MTA with the message on its stdin (no echo, so message size and shell quoting are not a problem)
$proc = proc_open($command, array(0 => array('pipe', 'r')), $pipes);
if (!is_resource($proc)) {
    fwrite(STDERR, "cannot run $sendmail_bin\n");
    exit(1);
}
fwrite($pipes[0], $mail);
fclose($pipes[0]);
//* Hand the MTA's exit status back to mail(), which returns false when it is non-zero
exit(proc_close($proc));
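Once the log has a few hours of traffic in it, the culprit is found by summarising it rather than reading it by eye. The following Python script is an added example, not part of the original post: it parses lines in the format the PHP wrapper above writes (timestamp, working directory of the calling script, then the To:/From: headers), counts messages per site directory and per From address, and flags any directory that sent a burst of messages inside a short window, which is what a hijacked contact form looks like. The sample log lines are constructed, and the 60-second window and threshold of 5 are arbitrary assumptions to tune for your server.

```python
#!/usr/bin/env python3
"""Summarise the sendmail-wrapper log to find which site is sending spam."""
import re
import sys
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the format the PHP wrapper writes
# (timestamp, working directory of the PHP process, then To:/From: headers).
SAMPLE_LOG = """\
2024-05-01 10:00:01 /var/www/shop.example/htdocs To: orders@shop.example From: web@shop.example
2024-05-01 10:00:30 /var/www/blog.example/htdocs To: a@victim.test From: promo@cheap.test
2024-05-01 10:00:31 /var/www/blog.example/htdocs To: b@victim.test From: promo@cheap.test
2024-05-01 10:00:31 /var/www/blog.example/htdocs To: c@victim.test From: promo@cheap.test
2024-05-01 10:00:32 /var/www/blog.example/htdocs To: d@victim.test From: promo@cheap.test
2024-05-01 10:00:33 /var/www/blog.example/htdocs To: e@victim.test From: promo@cheap.test
2024-05-01 10:15:00 /var/www/shop.example/htdocs To: orders@shop.example From: web@shop.example
garbage line that should be skipped
"""

LINE_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) ?(.*)$')
# Header values run until the next " To: " / " From: " or the end of the line.
HDR_RE = re.compile(r'(To|From): (.*?)(?= (?:To|From): |$)', re.IGNORECASE)


def parse_line(line):
    """Return {'time', 'dir', 'to', 'from'} for one log line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    hdrs = {k.lower(): v.strip() for k, v in HDR_RE.findall(m.group(3))}
    return {
        'time': datetime.strptime(m.group(1), '%Y-%m-%d %H:%M:%S'),
        'dir': m.group(2),
        'to': hdrs.get('to', ''),
        'from': hdrs.get('from', ''),
    }


def load(text):
    """Parse every line of the log text, silently dropping lines that do not match."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def count_by(entries, key):
    """Counter of messages per value of key ('dir' or 'from')."""
    return Counter(e[key] for e in entries)


def find_bursts(entries, window_seconds=60, threshold=5):
    """Return (dir, count) for each directory whose busiest sliding window of
    window_seconds held at least threshold messages; bulk mailers stand out this way."""
    by_dir = defaultdict(list)
    for e in entries:
        by_dir[e['dir']].append(e['time'])
    bursts = []
    for d, times in by_dir.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((d, best))
    return bursts


def report(text=SAMPLE_LOG):
    """Return (messages per directory, messages per From address, bursts)."""
    entries = load(text)
    return count_by(entries, 'dir'), count_by(entries, 'from'), find_bursts(entries)


if __name__ == '__main__':
    # Usage: formmail-report.py [/var/log/formmail.log]; defaults to the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    by_dir, by_from, bursts = report(text)
    print('messages per site directory:')
    for d, n in by_dir.most_common():
        print(f'  {n:5d}  {d}')
    print('messages per From address:')
    for f, n in by_from.most_common():
        print(f'  {n:5d}  {f}')
    for d, n in bursts:
        print(f'burst: {n} messages within 60s from {d}')
```

Run it against the real log and the directory with the burst is the site to look at; the From address tells you which form or plugin to check first. The Perl and shell versions write different formats (the shell one goes to syslog via logger), so adjust LINE_RE if you use those.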
This entry was posted in Rimuhosting, Security.