How to limit outbound SMTP mail sent from PHP

We have shared hosting servers which use PHP fastcgi (on IIS) for several clients (shared hosting). Regularly clients use old exploitable code which causes holes in their applications that eventually get used by hackers to install malicious code. Most of the time this code is being used to send spam from our servers.

We have no control over our clients' code, so patching the holes is quite impossible.

We would however like to block the clients sending spam once they send more than X email messages in Y amount of time.

The setup is fastcgi based, so there is little relation between php and the webserver. PHP sends its mail through SMTP on localhost. The mailserver allows relay of all localhost connections (obviously).

One thing that goes through my mind is setting an environment variable containing an identifier in the fastcgi environment and using php's prepend file option to add a header to all mail sent by php's mailer. After that we could use that mail header to identify the spamming culprit.

The option above still would not take care of spam scripts using regular telnet (telnet localhost, HELO, MAIL FROM etc... ) when sending email.

My question to you: is the idea that I've mentioned the best and perhaps only option to deal with our issue? Or are there better solutions for this situation? And if so, please explain how you would deal with the issue.

Damien Overeem asked Jun 20 '13 14:06




2 Answers

You can filter that on your MTA (message transfer agent). For example, allow no more than 50 emails in 1 hour for each user in the Exim (http://www.exim.org) config file (/etc/exim/exim.conf):

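    # Main section: ACL to run for messages submitted without SMTP
    # (for example through the sendmail command-line interface).
    acl_not_smtp = acl_not_smtp

    begin acl

    # Logging only: a limit of 0 is always exceeded, so this records the
    # current rate per sender local part and rejects nothing. No acl_*
    # option above references it.
    acl_check_not_smtp:
            warn ratelimit = 0 / 1h / strict / $sender_address_local_part
                 log_message = Sender rate $sender_rate / $sender_rate_period

    # Enforcement: reject above 50 messages per hour. No key is given, so
    # Exim keys the counter on $sender_host_address, which is empty for
    # non-SMTP input; add a key as in the logging ACL for per-sender limits.
    acl_not_smtp:
            deny message = Sender rate overlimit - $sender_rate / $sender_rate_period
                 ratelimit = 50 / 1h / strict
            accept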

And no matter how they try to send, via php mail() or other method.

ToxaBes answered Nov 09 '22 03:11


Most shared hosts block the use of PHP's mail() function, as that can be easily exploited. Instead they advise using sendmail or similar scripts which require SMTP authentication before sending. Assuming you're not already doing this, once implemented, you should be able to keep track of number of emails sent from a particular domain/email account and put restrictions on it.

mani answered Nov 09 '22 05:11
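
To complement the Exim rate limit and the per-account tracking suggested in the two answers, the following added example (not code from either answer) scans Exim main-log arrival lines and reports which local user (`U=`) or authenticated id (`A=`) exceeded "X messages in Y time". The log lines, client names and thresholds are constructed for illustration, and the lines are assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Exim main-log lines (not real traffic).
SAMPLE_LOG = """\
2013-06-20 14:00:01 1UpA00-0000aa-01 <= shop@client-a.example U=client_a P=local S=812
2013-06-20 14:00:05 1UpA00-0000aa-02 <= news@client-b.example U=client_b P=local S=2048
2013-06-20 14:00:06 1UpA00-0000aa-02 => r1@remote.example R=dnslookup T=remote_smtp
2013-06-20 14:00:07 1UpA00-0000aa-02 Completed
2013-06-20 14:01:10 1UpA00-0000aa-03 <= news@client-b.example U=client_b P=local S=2051
2013-06-20 14:02:30 1UpA00-0000aa-04 <= news@client-b.example U=client_b P=local S=2040
2013-06-20 14:03:00 1UpA00-0000aa-05 <= news@client-b.example U=client_b P=local S=2044
2013-06-20 14:04:00 1UpA00-0000aa-06 <= x@client-c.example H=localhost [127.0.0.1] P=esmtpa A=login:client_c S=900
2013-06-20 14:30:00 1UpA00-0000aa-07 <= shop@client-a.example U=client_a P=local S=815
"""

# "<=" marks message arrival; delivery ("=>") and "Completed" lines are skipped.
TS_ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= ")
# Local submissions carry U=<user>; authenticated SMTP carries A=<driver>:<id>.
SENDER_ID = re.compile(r" (?:A=[^:\s]+:|U=)(\S+)")


def over_limit(log_text, limit, window):
    """Return {sender id: peak count} for senders that submitted more than
    `limit` messages inside any sliding `window` (a timedelta)."""
    recent = defaultdict(deque)   # sender id -> arrival times still in window
    peaks = {}
    for line in log_text.splitlines():
        m = TS_ARRIVAL.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ident = SENDER_ID.search(line)
        # Unauthenticated SMTP from localhost has no identity to attribute.
        key = ident.group(1) if ident else "(no identity)"
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] >= window:
            q.popleft()           # drop arrivals that fell out of the window
        if len(q) > limit:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    print(over_limit(SAMPLE_LOG, limit=3, window=timedelta(minutes=10)))
```

Messages relayed over unauthenticated SMTP from localhost all land in the "(no identity)" bucket, which is the attribution gap the question raises for scripts that speak SMTP directly.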