9

We have shared hosting servers which use PHP fastcgi (on IIS) for several clients (shared hosting). Regularly clients use old exploitable code which causes holes in their applications that eventually gets used by hackers to install malicious code. Most of the time this code is being used to send spam from our servers.

We have no control over our clients' code, so patching the holes is quite impossible.

We would however like to block the clients sending spam once they send more than X email messages in Y amount of time.

The setup is fastcgi based, so there is little relation between php and the webserver. PHP sends its mail through SMTP on localhost. The mailserver allows relay of all localhost connections (obviously).

One thing that goes through my mind is setting an environment variable containing an identifier in the fastcgi environment and using php's prepend file option to add a header to all mail sent by php's mailer. After that we could use that mail header to identify the spamming culprit.

The option above still would not take care of spam scripts using regular telnet (telnet localhost, HELO, MAIL FROM etc... ) when sending email.

My question to you: is the idea that I've mentioned the best and perhaps only option to deal with our issue? Or are there better solutions for this situation? And if so, please explain how you would deal with the issue.

4 Answers

4

You can filter it on the MTA (Message Transfer Agent). For example, in the Exim (http://www.exim.org) configuration file (/etc/exim/exim.conf), to allow each user no more than 50 emails per hour:

# main section: run this ACL for messages submitted locally (non-SMTP)
acl_not_smtp = acl_check_not_smtp

begin acl

acl_check_not_smtp:
        # limit 0 is always exceeded, so this only logs the current per-user rate
        warn  ratelimit   = 0 / 1h / strict / $sender_address_local_part
              log_message = Sender rate $sender_rate / $sender_rate_period

        # reject once a sender's local part exceeds 50 messages per hour
        deny  message     = Sender rate overlimit - $sender_rate / $sender_rate_period
              ratelimit   = 50 / 1h / strict / $sender_address_local_part

        accept

Regardless of how they try to send, via php mail() or any other method.

answered 2013-06-23T19:10:30.047
2

OK, bear with me on this one. I haven't implemented it yet, but it looks good.

The concept here is that you can

  1. Run a php file before every page on the client's site.
  2. In that php file, rename the mail function to mail_internal().
  3. In that php file, create a new function called mail that checks/verifies whether your client is allowed to send mail, and if so, calls the mail_internal() function with the same arguments.

You must install the runkit PECL extension: http://us.php.net/manual/en/runkit.installation.php

Changes

In php.ini

auto_prepend_file = /var/www/allclients_forcedfile.php

In /var/www/allclients_forcedfile.php

<?php
// Renaming an internal function such as mail() requires runkit with
// runkit.internal_override = 1 in php.ini.
runkit_function_rename("mail", "mail_internal");

function mail($to, $subject, $message, $additional_headers = "", $additional_parameters = "")
{
    $args = func_get_args();
    error_log("mail_internal : $_SERVER[HTTP_HOST] : " . implode(" : ", $args));
    // Look up whether this client may send more mail, e.g. by keeping a
    // per-client counter in a file (keyed on $_SERVER['DOCUMENT_ROOT'],
    // or better stored outside the client's writable tree).
    $sendmoremail = true; // placeholder: replace with the per-client limit check
    if ($sendmoremail) {
        // pass the named parameters so defaults apply when fewer args were given
        return mail_internal($to, $subject, $message, $additional_headers, $additional_parameters);
    }
    return false;
}
answered 2013-06-29T16:51:30.987
2

Most shared hosts block use of PHP's mail() function because it is so easily exploited. Instead they recommend using sendmail or a similar script that requires SMTP authentication before sending. Assuming you aren't already doing this, once implemented you should be able to track the number of emails sent from a particular domain/email account and limit it.

answered 2013-06-21T01:37:54.993
1

As expected, Stack Overflow doesn't seem to be the right place for this question. The answers provided don't expose any clear way to identify the FastCGI session behind a connection to the MTA (SMTP) server.

I will go with my original concept, adding an identifier to php's environment. This identifier can be read in PHP's prepend file using the getenv() function. The identifier can then be added to the mail headers of outgoing mail.

Additionally, I enabled the mail.add_x_header ini setting, which will help identify the script that caused a spam run.

I'll leave the question open during the bounty period in the hope that other options magically appear :)

answered 2013-06-25T06:48:31.570
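As an added example, not code from any of the answers above, here is the "more than X messages in Y time" check that the Exim answer expresses with its ratelimit condition and that the asker intends to key on a per-client mail header, run over MTA-style log lines. It uses a plain sliding window rather than Exim's smoothed rate estimate. The log format, the client= field and the X-Client-Id header it stands for are assumptions constructed for the example; messages without a client tag (the "telnet localhost" case) are counted separately because they cannot be attributed to a client and deserve their own review.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not a real MTA format): one line per message the local
# MTA accepted from 127.0.0.1. "client=" carries the identifier that the PHP
# prepend file placed in a hypothetical X-Client-Id header; lines without it
# came from something that bypassed PHP's mailer entirely.
SAMPLE_LOG = """\
2013-06-23 19:00:01 accepted from=127.0.0.1 client=acme to=a@example.net
2013-06-23 19:00:02 accepted from=127.0.0.1 client=acme to=b@example.net
2013-06-23 19:00:03 accepted from=127.0.0.1 client=acme to=c@example.net
2013-06-23 19:00:04 accepted from=127.0.0.1 client=acme to=d@example.net
2013-06-23 19:00:05 accepted from=127.0.0.1 client=bakery to=e@example.net
2013-06-23 19:00:06 accepted from=127.0.0.1 to=f@example.net
2013-06-23 19:59:59 accepted from=127.0.0.1 client=bakery to=g@example.net
2013-06-23 20:00:02 accepted from=127.0.0.1 client=acme to=h@example.net
2013-06-23 20:00:03 accepted from=127.0.0.1 client=acme to=i@example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) accepted from=(?P<ip>\S+)"
    r"(?: client=(?P<client>\S+))? to=(?P<to>\S+)$"
)
EPOCH = datetime(1970, 1, 1)


def parse_line(line):
    """Return (seconds, client_or_None) for one log line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return (ts - EPOCH).total_seconds(), m.group("client")


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window_seconds` span."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps still inside the window

    def allow(self, key, ts):
        """Record an event at `ts` (seconds); return False if it exceeds the limit."""
        q = self._events[key]
        while q and ts - q[0] >= self.window:
            q.popleft()  # drop events that have aged out of the window
        if len(q) >= self.limit:
            return False  # over limit; the rejected message is not counted
        q.append(ts)
        return True


def find_offenders(log_text, limit, window_seconds):
    """Replay a log through the limiter.

    Returns (rejections per client, count of messages with no client tag).
    """
    limiter = SlidingWindowLimiter(limit, window_seconds)
    rejected = defaultdict(int)
    untagged = 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client = parsed
        if client is None:
            untagged += 1  # not attributable to any client; review separately
            continue
        if not limiter.allow(client, ts):
            rejected[client] += 1
    return dict(rejected), untagged


if __name__ == "__main__":
    over, untagged = find_offenders(SAMPLE_LOG, 3, 3600)
    print("clients over 3/hour:", over)
    print("messages without client tag:", untagged)
```

With a limit of 3 per hour, the sample log yields one rejection for "acme" (its fourth message within a minute) and one untagged message; the two later "acme" messages pass because the earlier ones have aged out of the window. In a live setup the same keyed counter would sit in the MTA or in the mail() wrapper, with the identifier taken from the header rather than from a log field.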