cPanel Admin please read! - httpd.conf modification to prevent spam from php mail()

hostultra

Often you will see spam or abuse of the php mail function which is very hard to trace due to the mail being sent by 'nobody'.
I know you can disable nobody from sending mail, but that prevents php mail from working altogether.
With this simple modification of the httpd.conf you can see who sent the mails:

php_admin_value sendmail_path "/usr/sbin/sendmail -t -i -r USERNAME"

You need to put that in each user's virtualhost, and change USERNAME to the actual username.
This causes the return address to become [email protected] which can be used to track who sent the mail.
Hopefully cpanel can consider this for the next release, or make it an option like open_basedir
 

internethosting

I love this! Can cPanel put together a little script we can run to have this added to the httpd.conf automatically?
 

jamesbond

Originally posted by hostultra:
"Hopefully cpanel can consider this for the next release, or make it an option like open_basedir"
I hope they will. I don't think it will be much work, as it is basically the same logic as the open_basedir feature.
 

hostultra

One thing I forgot to mention:

For this to work at all you need to go to the Exim Configuration Editor advanced mode and, in the first large edit box, put in this line:

trusted_users = nobody

All trusted users does is allow the nobody user to use the -r option to set the sender on the command line. This MAY cause future annoyances if you allow the php exec and system functions.
 

MichaelShanks

I see this issue has not been addressed. I am of the opinion that this should at least have a cpanel developer look into it; it is a relatively simple modification that can be made to the /scripts/initsuexec script.
 

Website Rob


richy

13 votes now, but at 2004-04-29 14:56:45 [email protected] did assign it to depend on bug #128 ("cPanel 9.4 TODO"), so hopefully it'll be coming shortly...
 

cPanelNick

Administrator
Staff member
This will not be done because it opens up a security hole to make it happen. Please read the bugzilla bug report for more information.
 

hostultra

Here is a better way which does not make a security hole:

Upload the following as /usr/sbin/phpsendmail and chmod 755

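Code:
#!/usr/bin/perl
use strict;
use warnings;

# Slurp the whole message (headers and body) that PHP pipes in on STDIN.
local $/ = undef;
my $input = <STDIN>;

# Pass the message to the real sendmail, prepending a header that names the
# account given as the first argument (set per VirtualHost in sendmail_path).
open(my $mail, '|-', '/usr/sbin/sendmail', '-t', '-i') or die "cannot run sendmail: $!\n";
print $mail "X-PHP-SENDER: $ARGV[0]\n$input";
close($mail) or die "sendmail exited with status $?\n";

Edit /scripts/phpopenbasectl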
Change line 71 to:

print HC "<IfModule mod_php4.c>\nphp_admin_value open_basedir \"${homedir}/:/usr/lib/php:/usr/local/lib/php:/tmp\"\nphp_admin_value sendmail_path \"/usr/sbin/phpsendmail $owner\"\n</IfModule>\n";

chattr +i /scripts/phpopenbasectl
Go to WHM and rebuild the php open basedir
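
An added example, not part of the original post: once the wrapper above is in place, an administrator can tally outgoing messages per account by their X-PHP-SENDER header. It assumes the raw messages are available as text with headers in the order the wrapper wrote them; the function names and sample messages are constructed for illustration.

```python
from collections import Counter
from email import message_from_string

HEADER = "X-PHP-SENDER"

def classify(raw):
    """Return (account, note) for one raw message as handed to sendmail."""
    values = message_from_string(raw).get_all(HEADER, [])
    if not values:
        # Assumption: mail without the header never went through the wrapper.
        return None, "no X-PHP-SENDER: did not pass through the wrapper"
    # The wrapper prints its header before the script's own headers,
    # so only the first occurrence is the one the server wrote.
    account = values[0].strip()
    if len(values) > 1:
        extra = [v.strip() for v in values[1:]]
        return account, "script supplied its own X-PHP-SENDER: %s" % extra
    return account, ""

def tally(messages):
    """Count messages per account and collect notes on suspicious ones."""
    counts, notes = Counter(), []
    for index, raw in enumerate(messages):
        account, note = classify(raw)
        counts[account or "<unattributed>"] += 1
        if note:
            notes.append((index, note))
    return counts, notes

# Constructed sample messages (accounts "sam" and "fred" are made up).
SAMPLES = [
    "X-PHP-SENDER: sam\nTo: a@example.com\nSubject: offer\n\nbody\n",
    "X-PHP-SENDER: sam\nTo: b@example.com\nSubject: offer\n\nbody\n",
    "X-PHP-SENDER: sam\nTo: c@example.com\nSubject: offer\nX-PHP-SENDER: fred\n\nbody\n",
    "To: d@example.com\nSubject: offer\n\nbody\n",
    "X-PHP-SENDER: fred\nTo: e@example.com\nSubject: order 1001\n\nbody\n",
]

if __name__ == "__main__":
    counts, notes = tally(SAMPLES)
    for account, n in counts.most_common():
        print("%-16s %d" % (account, n))
    for index, note in notes:
        print("message %d: %s" % (index, note))
```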
 

gorilla

This is what GrandMaster J. Nick Koston had to say to this idea:
Comment #2 From J. Nick Koston 2004-05-17 01:04 -------
in theory this is a good thing, but it always allows anyone to forge anything to
any other user. Since you have to trust nobody. In effect you are letting
anyone masq as another user on the server. This is actually more dangerous.

For instance, the user sam could spam with their own script and just call
sendmail with -r fred. Since php runs as nobody and you are trusting nobody you
have just let the guilty place the blame on the innocent.

I'm marking this as invalid because it in effect IS A SECURITY HOLE!