virus sent vie webmail running on Apache
in [Postfix]
|
Prev: Email backup
Next: Apache / Postfix process
From: Joe on 7 May 2007 19:57 Hello, I currently use a simple php webmail form with php's mail() function doing the work to send messages to the site owner. However, viruses are being sent via the form. I tried adding a basic colaboration of amavis-new, ClamAV and spamassasin, but that filter does not seem to catch them. I assume they are injected into the Postfix process too late. Any idea how I can eliminate this? thanks Joe
From: J.O. Aho on 8 May 2007 00:21 Joe wrote: > Hello, > > I currently use a simple php webmail form with php's mail() function > doing the work to send messages to the site owner. > > However, viruses are being sent via the form. > > I tried adding a basic colaboration of amavis-new, ClamAV and > spamassasin, but that filter does not seem to catch them. I assume they > are injected into the Postfix process too late. > > Any idea how I can eliminate this? The data you get to the mail() from the "FROM" input box has to be stripped from injected headers. A really simple check for injection is to $newfrom=erege_replace("[\r\n]","",$from); if($newfrom==$from) { mail(...); } else { //header had injected data, don't send it } -- //Aho
From: ZeldorBlat on 8 May 2007 09:27 On May 8, 12:21 am, "J.O. Aho" <u...(a)example.net> wrote: > Joe wrote: > > Hello, > > > I currently use a simple php webmail form with php's mail() function > > doing the work to send messages to the site owner. > > > However, viruses are being sent via the form. > > > I tried adding a basic colaboration of amavis-new, ClamAV and > > spamassasin, but that filter does not seem to catch them. I assume they > > are injected into the Postfix process too late. > > > Any idea how I can eliminate this? > > The data you get to the mail() from the "FROM" input box has to be stripped > from injected headers. > > A really simple check for injection is to > > $newfrom=erege_replace("[\r\n]","",$from); > if($newfrom==$from) { > mail(...);} else { > > //header had injected data, don't send it > > } > > -- > > //Aho Of course str_replace works just as well and is probably faster: $newfrom = str_replace(array("\r", "\n"), '', $from);
From: jjohnston on 9 May 2007 10:49 On May 7, 7:57 pm, Joe <j_ev...(a)upfronttechnology.com> wrote: > Hello, > > I currently use a simple php webmail form with php's mail() function > doing the work to send messages to the site owner. > > However, viruses are being sent via the form. > > I tried adding a basic colaboration of amavis-new, ClamAV and > spamassasin, but that filter does not seem to catch them. I assume they > are injected into the Postfix process too late. > > Any idea how I can eliminate this? > > thanks > Joe PHP uses either the system's sendmail wrapper or SMTP depending on your php environment, server OS, and php.ini settings. The SMTP version of mail() is only available on Windows systems. In your case, using mail() is the same as sending the mail message via sendmail from a shell. This means that the mail is injected into the postfix queue after the after-queue content filter. Your best bet for a workaround is to use the PHPMailer or PEAR Mail packages to send your messages via SMTP to localhost. Good luck! Joshua
From: C. on 15 May 2007 17:34
On 8 May, 00:57, Joe <j_ev...(a)upfronttechnology.com> wrote: > Hello, > > I currently use a simple php webmail form with php's mail() function > doing the work to send messages to the site owner. > > However, viruses are being sent via the form. > > I tried adding a basic colaboration of amavis-new, ClamAV and > spamassasin, but that filter does not seem to catch them. I assume they > are injected into the Postfix process too late. > > Any idea how I can eliminate this? > Holy moley, you're letting users upload files into emails on your website then sending them using mail() !!!! ....and you wonder why you've got problems? Really, the question you're asking has nothing at all to do with PHP - unless you want to use PHP to launch clamscan on uploaded files before attaching them to emails (but bear in mind that anyone out to be malicious could always incorporate uuencded data inline). Clam + postfix worked a trick for me using clamsmtp. Its been a while since I looked at amavis - but even then it wasn't as bad as a lot of commercial AV tools. I'd try asking on a more apposite (i.e. amavis or postfix) newsgroup. C. |