Re: we were attacked
On Sun, Apr 09, 2006 at 10:31:55AM +1000, Craig Sanders wrote:
> On Sat, Apr 08, 2006 at 09:50:58AM -0400, Ward Vandewege wrote:
> > > > 4) use wrapper for emails - I have one which includes special headers to
> > > > mails sent from php, I'm going to modify it to support limits on no. of
> > > > mails sent in timeframe
> > >
> > > I hope you share this.
> > Here's an example of such a wrapper:
> this is useful but far from foolproof. any script can open a connection
> to "localhost:25" and speak SMTP directly to the local mail server. if
> the web server isn't running an smtp server (which is very unlikely -
> most do, if only to cater for formmail scripts, and to forward system
> mail to the sysadmin) the attacker can check the MX record for the
> domain being attacked and connect directly to port 25 of the mail host.
Quite - and you need to tell php to use sendmail rather than smtp for the
mail() function, etc. I assumed it was obvious that any mailserver on the
same host/other hosts that are accessible from it on port 25 should be
firewalled. After all this wrapper only traps php's mail() function.
> > import sys
> > from popen2 import popen2   # Python 2 module; returns (child stdout, child stdin)
> > # Just make all e-mail come from webmaster@ the domain. That address _should_
> > # always be defined. The domain is taken from the wrapper's first argument.
> > (out, s) = popen2('/usr/sbin/sendmail -t -i -f webmaster@' + sys.argv[1])
> i do the exact opposite. i require all mail sent by web scripts to go
> to a real person, whoever is responsible for that script (which may be
> webmaster for the domain or it may not)....and failing to set a sender
> address (so that it goes to www-data) is grounds for deletion/disabling
> of the script.
Yes, that's another way of dealing with it. Hardcoding the sender to
webmaster@ was a bit of an experiment - it's mostly to make sure that there
is a valid sender address - otherwise my mailservers will simply refuse to
accept the message for delivery.
Pong.be -( "Just wait, My crystal ball is infallible." -- Linus )-
Virtual hosting -( Torvalds, discussing the future of smart I/O hardware. )-
http://pong.be -( )-
GnuPG public key: http://gpg.dtype.org
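Below is an added example of the kind of sendmail_path wrapper the thread discusses (a Python 3 script; not Ward's wrapper and not part of the original mail). It does the three things mentioned above: forces the envelope sender to webmaster@ the domain given as its first argument, stamps X-PHP-* tracking headers so abused scripts can be traced, and refuses to relay once a per-window message limit is hit. The state-file path, the limit of 100 messages per hour, the environment variables used for the headers and the sendmail binary path are all assumptions, not values from the thread.

```python
#!/usr/bin/env python3
"""sendmail_path wrapper for PHP's mail(): force sender, stamp headers, rate-limit.

Assumed installation (php.ini):
    sendmail_path = "/usr/local/bin/php-mail-wrapper.py example.com"
"""
import fcntl
import json
import os
import subprocess
import sys
import time

SENDMAIL = "/usr/sbin/sendmail"               # real MTA binary (assumed path)
STATE_FILE = "/var/tmp/php-mail-wrapper.json"  # hypothetical counter location
LIMIT = 100                                   # messages allowed per window (assumed policy)
WINDOW = 3600                                 # window length in seconds (assumed policy)

# Header name -> environment variable (which variables PHP exports to the
# sendmail child depends on the SAPI; these are assumptions, missing ones are skipped).
TRACKING = (
    ("X-PHP-Script", "SCRIPT_FILENAME"),
    ("X-PHP-Remote-Addr", "REMOTE_ADDR"),
    ("X-PHP-Host", "HTTP_HOST"),
)


def forced_sender(domain):
    """Envelope sender every message leaves with, regardless of what the script set."""
    return "webmaster@" + domain


def build_argv(domain):
    """sendmail command line: -t (recipients from headers), -i (no lone-dot EOF), -f sender."""
    return [SENDMAIL, "-t", "-i", "-f", forced_sender(domain)]


def sanitize(value):
    """Strip CR/LF so a value taken from the environment cannot inject extra headers."""
    return value.replace("\r", " ").replace("\n", " ")


def stamp_headers(message, env):
    """Prepend tracking headers (as bytes) to the message PHP handed us on stdin."""
    extra = []
    for header, var in TRACKING:
        value = env.get(var)
        if value:
            extra.append(header.encode("ascii") + b": " + sanitize(value).encode("ascii", "replace"))
    if not extra:
        return message
    return b"\n".join(extra) + b"\n" + message


def allow(state, now, limit=LIMIT, window=WINDOW):
    """Fixed-window counter. Returns (allowed, new_state); state is None or
    {"start": epoch_seconds, "count": n}. Pure function so it can be tested offline."""
    if state is None or now - state["start"] >= window:
        state = {"start": now, "count": 0}
    if state["count"] >= limit:
        return False, dict(state)
    return True, {"start": state["start"], "count": state["count"] + 1}


def consume_quota(path, now):
    """Read/update the shared counter under an exclusive lock (PHP may send concurrently)."""
    with open(path, "a+") as fh:
        fcntl.flock(fh, fcntl.LOCK_EX)
        fh.seek(0)
        raw = fh.read()
        ok, state = allow(json.loads(raw) if raw else None, now)
        fh.seek(0)
        fh.truncate()
        fh.write(json.dumps(state))
    return ok


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) < 2:
        sys.stderr.write("usage: php-mail-wrapper.py <domain>\n")
        return 64  # EX_USAGE
    message = sys.stdin.buffer.read()
    if not consume_quota(STATE_FILE, time.time()):
        sys.stderr.write("php-mail-wrapper: rate limit exceeded, message dropped\n")
        return 75  # EX_TEMPFAIL: mail() returns false, so the script sees the failure
    result = subprocess.run(build_argv(argv[1]), input=stamp_headers(message, os.environ))
    return result.returncode


if __name__ == "__main__":
    sys.exit(main())
```

As Craig's reply points out, this only covers what goes through mail(): a script that opens localhost:25 or the domain's MX host itself never passes through the wrapper, so the wrapper is a tracing and throttling aid and the port 25 firewalling stays necessary.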