Re: we were attacked

[Craig Sanders <cas@taz.net.au>]

On Sat, Apr 08, 2006 at 09:50:58AM -0400, Ward Vandewege wrote:
> > > 4) use wrapper for emails - I have one which includes special headers to
> > > mails sent from php, I'm going to modify it to support limits on no. of
> > > mails sent in timeframe
> > 
> > I hope you share this.
> 
> Here's an example of such a wrapper:

this is useful but far from foolproof. any script can open a connection
to "localhost:25" and speak SMTP directly to the local mail server. if
the web server isn't running an smtp server (which is very unlikely -
most do, if only to cater for formmail scripts, and to forward system
mail to the sysadmin) the attacker can check the MX record for the
domain being attacked and connect directly to port 25 of the mail host.


> # Just make all e-mail come from webmaster@ the domain. That address _should_
> # always be defined.
> (out, s) = popen2('/usr/sbin/sendmail -t -i -f webmaster@' + sys.argv[1])

i do the exact opposite. i require all mail sent by web scripts to go
to a real person, whoever is responsible for that script (which may be
webmaster for the domain or it may not)....and failing to set a sender
address (so that it goes to www-data) is grounds for deletion/disabling
of the script.

the reason for this is that most webmaster mail is ignored (or
lost in all the spam sent to webmaster addresses), so i want any
bounces/responses to go to someone who will see it and be annoyed enough
about it to do something (even if that something is just to ask me for
help). it's hard to ignore the fact that a script on your site is being
exploited if you get a few hundred bounces in your mailbox because of
it.


craig

-- 
craig sanders <cas@taz.net.au>           (part time cyborg)