So I am sure that if you are running a cPanel server you are having the exact same trouble we have been having for the last week: lots of spam! It appears there is somebody in this world who has decided to write a rather efficient script that searches for web forms and then sends spam via PHP and Bcc. The first quick fix was to enable safe_mode, but that obviously hits a fair number of web hosting clients pretty hard. I have been working with mod_security and have come up with a pretty simple rule that should help:
# ModSecurity 1.x syntax. THE_REQUEST is the request line
# (method, URI and protocol), so the pattern is applied to the
# URI and query string of every request.
SecFilterSelective THE_REQUEST "bcc:|Bcc:|BCc:|BCC:|bCc:|bCC:|bcC:|BcC:"
What that will do is search first for bcc, Bcc, etc. and then look for com, org, or net in a URL. I was trying to filter by looking for an @ symbol, but I was having trouble with Apache picking it up. I figure if they are not spamming to one of those TLDs it is probably not a very big attack. If you want to protect more, simply add to the list; remember, all it has to do is catch one and it blocks the entire request.
Enjoy :)
May I ask what file do I
May I ask what file I specifically put that line in?
Very nice howto. Thanks!
mod_sec
Go ahead and follow this guide to install mod_security http://www.eth0.us/mod_security
Basically that line needs to go into httpd.conf, but it only works if you have mod_security installed. If you follow that guide it will already have the rule.
THE_REQUEST or POST?
I'm not thinking the mail function works on THE_REQUEST; it is used in POST with PHP... I may be wrong, but just a thought.
It depends on how it is
It depends on how it is called; some do use POST, but a lot of them use it in the request. The reason I am not doing POST is because it will trigger a lot more false positives. This is already pretty broad, but it is also fairly important in helping cut back on spam. You can certainly set it up to scan the POST, but I think you will end up getting too many problems with false positives.
Real issue
As far as I can say, that problem affects all kinds of appliances, OSes, brands, etc. The problem is caused by low-level coders (mainly PHP) who don't validate their form's input, allowing the attacker to send extra information.
Usually when coding PHP in a mail form script you take the variables $name and $email from your form and use them in your PHP function: mail($toemail,$subject,$headers)
The $headers var contains strings like "From: some@email.com\r\n", so... (I hope you are not lost :¬)) some people like to receive emails from their forms FROM the name and email of the person who sent the form.
Explaining that from another point of view, let's say the email field on a form is filled in like "thisismyemail.com\r\nBcc: mail1@yahoo.com, mail2@yahoo.com, mail3@yahoo.com ...". That will create a big security hole, because the attacker will attempt to send spam from your box and you will be blacklisted (as happened to me).
There are 2 more options plus eth0's suggestion:
1. Edit all PHP files that include the mail function and change the $headers variable to something static; don't let the input data change the $headers variable unless you know how to do suggestion #2.
2. Create a simple function that removes malicious characters from your $name and $email variables, something that first removes all ",\n\r;". I would like to paste some simple PHP code for a quick solution, but I don't think it will be uploaded the way I want, so if someone is interested, contact me :)
That was my experience with that issue, and now I'm not blacklisted and the server's load average is low again :D
Have fun!
xUx
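As an added example (not code from the original post or from xUx's comment), here is the form-to-mail pattern described above in PHP, first as it is typically written vulnerably and then hardened. It departs from the strip-characters approach in suggestion #2: any CR/LF in a header value is rejected outright rather than cleaned, and the address is validated with filter_var(). The address forms@example.com, the function names and the attack string are placeholders constructed for this example. Nothing is sent; both functions only return the header block they would pass to mail().

```php
<?php
// Added example: vulnerable vs. hardened header construction for a
// PHP mail form. Nothing is actually sent; each function returns the
// $headers string that would be handed to mail().

// Vulnerable: the submitted address is interpolated straight into the
// header block. A value containing "\r\n" ends the From: line and adds
// arbitrary extra headers (Bcc:, Cc:, ...) - this is the hole the
// comment above describes.
function build_headers_vulnerable(string $email): string
{
    return "From: $email\r\n"
         . "Reply-To: $email\r\n";
}

// Hardened: reject rather than repair. Returns null when the input
// cannot safely be placed in a header; the caller then drops the
// request instead of calling mail().
function build_headers_safe(string $name, string $email): ?string
{
    // 1. A single-line header field can never legitimately contain a
    //    CR, LF or NUL, so any occurrence is an injection attempt.
    if (preg_match('/[\r\n\0]/', $name . $email)) {
        return null;
    }
    // 2. The address must be one plain mailbox: no commas, semicolons,
    //    whitespace or a second address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 3. The display name is quoted with quotes and backslashes
    //    escaped, so it cannot break out of the From: field.
    $safeName = '"' . addcslashes($name, '"\\') . '"';

    // Static envelope sender (placeholder address, an assumption of
    // this example); user data appears only as display name and
    // Reply-To, never as raw header text.
    return "From: $safeName <forms@example.com>\r\n"
         . "Reply-To: $email\r\n";
}

// Constructed attack input, the shape described in the comment above.
$attackName  = 'Spammer';
$attackEmail = "attacker@example.com\r\nBcc: victim1@example.net, victim2@example.net";

echo "--- vulnerable ---\n";
echo build_headers_vulnerable($attackEmail);   // the Bcc: line is now a real header
echo "\n--- hardened, attack input ---\n";
var_dump(build_headers_safe($attackName, $attackEmail));   // NULL: rejected
echo "--- hardened, benign input ---\n";
echo build_headers_safe('Jane "JD" Doe', 'jane@example.com');
```

Run it with `php example.php` and compare the two blocks of output: in the vulnerable version the injected `Bcc:` appears as a header line of its own, while the hardened version returns null for the same input and only produces a header block for the benign submission. Rejecting rather than stripping matters because a filter that only removes `\r` and `\n` can still be bypassed by encodings the filter does not anticipate, whereas a line break in a form field is never legitimate input for a header.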
the other direction
Now... if I have many customers on my server and they have mailing lists or forums, they send a lot of mail to their members... How can I prevent this, or configure the mail() function on the server to stop them from sending more than, for example, 10 messages at once?
Does anyone have any ideas?