php mail() sending emails not related with domain

morb

Hi, I had a user account with PHP code injected (through Joomla).
The code is a form to send email through mail(). I found it sending email from a non-existent domain in my server. It had as FROM [email protected]. How can I stop this? Block PHP from sending emails from non-existent domains, or from sending emails not related to the domain where it is being executed?

sendmail_path = "/usr/sbin/sendmail -t -i -f [email protected]{DMN_NAME}" ??? how to do this ?
 

cPanelTristan

Quality Assurance Analyst
Staff member
You can remove sendmail and only allow SMTP authentication from PHP scripts. sendmail doesn't have the capabilities of exim for configuration and it's nigh impossible to prevent spoofing and spamming using it. Joomla specifically has the option to use SMTP authentication to send emails in the configuration settings.

Yes, some users would have to modify their scripts who have not set them to use SMTP authentication if sendmail is no longer on the system, but that's the price to pay for increased security.

Now, if you do enable SMTP authentication only and want to prevent spoofing using it, you can put the following ACL into the exim configuration:

Code:
acl_check_data:
deny
 authenticated	 = *
 condition = ${if or {{ !eqi{$authenticated_id} {$sender_address} }\
  { !eqi{$authenticated_id} {${address:$header_From:}} }\
 }\
 }
 message	 = Your FROM must be as the account you have authenticated with, your email is not delivered.
This would go into the box where it has begin acl directly above it (the second box in the WHM > Exim Configuration > Advanced Editor area) and should prevent spoofing via webmail and anyone authenticating with SMTP.

I actually mention the above rule along with some other tips to help with tracking spammers in this forum post:

http://forums.cpanel.net/f43/open-relay-170798-p2.html#post777302
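
The decision the ACL in the answer above makes, modelled in Python as an added example (not code from the thread or from cPanel/Exim). The function name, the sample addresses and the messages are constructed; `parseaddr` stands in for Exim's `${address:...}` operator and a single From header is assumed.

```python
from email import message_from_string
from email.utils import parseaddr


def eqi(a, b):
    """Case-insensitive string equality, like Exim's eqi{}{} condition."""
    return a.lower() == b.lower()


def acl_denies(authenticated_id, sender_address, raw_message):
    """Return a deny reason if the modelled rule would reject, else None.

    authenticated_id -- models $authenticated_id ("" when the client did not authenticate)
    sender_address   -- models $sender_address (the envelope sender)
    raw_message      -- headers and body as received in the DATA phase
    """
    # "authenticated = *" only matches sessions that authenticated, so the
    # rule is skipped for unauthenticated submissions.
    if not authenticated_id:
        return None
    msg = message_from_string(raw_message)
    # Bare address from the From header, display name stripped.
    from_addr = parseaddr(msg.get("From", ""))[1]
    if not eqi(authenticated_id, sender_address):
        return "envelope sender differs from authenticated id"
    if not eqi(authenticated_id, from_addr):
        return "From header differs from authenticated id"
    return None


# Constructed sample messages (not taken from the thread).
OWN_FROM = 'From: "Alice" <Alice@Example.com>\nSubject: hi\n\nbody\n'
OTHER_FROM = 'From: "Billing" <billing@other.example>\nSubject: hi\n\nbody\n'

if __name__ == "__main__":
    cases = [
        ("alice@example.com", "alice@example.com", OWN_FROM),
        ("alice@example.com", "alice@example.com", OTHER_FROM),
        ("alice@example.com", "billing@other.example", OTHER_FROM),
        ("alice", "alice@example.com", OWN_FROM),   # id is a bare username
        ("", "billing@other.example", OTHER_FROM),  # unauthenticated: rule skipped
    ]
    for auth_id, sender, raw in cases:
        print(repr(auth_id), sender, "->", acl_denies(auth_id, sender, raw))
```

The last two cases show the limits of the rule as written: an authenticated id that is not a full email address never matches and is always rejected, and a message submitted without authentication is not checked by this rule at all.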