Maybe this is only semi-OT since we do sometimes discuss spam issues not strictly within the confines of MD/SA, but I wanted to share with the list what happened to me yesterday.
I'm the administrator for, among other things, our campus web server. I thought I had taken all the right precautions: keep the machine patched, run the latest Apache server release, don't let users install their own CGI scripts, etc. In spite of all that, I discovered to my horror yesterday that the web server had been used to send thousands of spam emails. It may have even been in the tens of thousands.

How did they do it? Via PHP. Or rather, a user-installed PHP script that was insecure. The user didn't actually write it; it was created by something called PHP FormMail Generator. The resulting script is subject to SMTP header injection, whereby sending form variables (which are not sanity-checked) with newlines, they can create a message within a message, and deliver their spam courtesy of me. I believe the spammers found this script by Google searching for some comments that the script generator puts in the resulting script.

Unfortunately, turning off PHP was not an option. Neither is my personally checking all PHP scripts. The solution had to be at the server side. That's when I found an Apache module called mod_security. It is conceptually similar to MD in that you can apply filters against the HTTP requests and return an error status if a filter is triggered. When I came in this morning, I found that it had blocked hundreds of attempts to exploit this script (which had been disabled anyway) and only three false positives (and I have tweaked the filter so that won't happen again).

I won't go into more details here, but if anyone wants to discuss this further, feel free to contact me off-list. But I will *strongly* urge anyone who hosts web sites for users and runs PHP to look into this. I believe this exploit may be fairly new, in that I could find very little on the web about it. Don't let this happen to you.
Jim McCullars
University of Alabama in Huntsville

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
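The header-injection pattern the message describes, with the server-side check that closes it, as an added PHP example (this is not the FormMail Generator's code and not code from the post); the function names, the placeholder recipient address and the log wording are my own assumptions:

```php
<?php
// Added example, not the generator's script. Shows why unchecked form
// fields in mail() headers let a stranger relay mail through the server,
// and one fix: reject CR/LF in any header-destined field.

// Vulnerable pattern: a form field goes straight into additional_headers.
// A value of the form "me@example.org\r\nBcc: ..." ends the From line
// and appends headers of the sender's choosing, so one request becomes
// a message within a message.
function send_vulnerable(array $post): bool {
    $headers = "From: " . $post['email'] . "\r\n";
    return mail('webmaster@example.edu', $post['subject'], $post['message'], $headers);
}

// Placeholder: the recipient is fixed in the script, never taken from the form.
const FORM_RECIPIENT = 'webmaster@example.edu';

// A header value may not contain CR, LF or NUL; that is the whole injection.
function header_value_is_safe(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 0;
}

function send_hardened(array $post): bool {
    $email   = trim((string)($post['email'] ?? ''));
    $subject = trim((string)($post['subject'] ?? ''));

    if (!header_value_is_safe($email) || !header_value_is_safe($subject)) {
        // Log it: repeated hits here are the same signal mod_security was
        // catching at the HTTP layer, and worth alerting on.
        $ip = $_SERVER['REMOTE_ADDR'] ?? 'cli';
        error_log("formmail: CR/LF in header field rejected from $ip");
        return false;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    $headers = "From: " . $email . "\r\n";
    // The body is not a header, so newlines there are harmless.
    return mail(FORM_RECIPIENT, $subject, (string)($post['message'] ?? ''), $headers);
}

// Constructed check: a CRLF-bearing field must be refused before mail() runs.
$probe = ['email' => "me@example.org\r\nBcc: someone@example.net", 'subject' => 'hi', 'message' => 'x'];
assert(header_value_is_safe($probe['email']) === false);
assert(send_hardened($probe) === false);
```

The same newline check belongs on every field that ends up in a header (Reply-To, Cc, Subject), not just the address; a request-level filter such as mod_security adds a second layer for scripts you cannot audit yourself.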

