#19538 [Opn]: No way to identify source of email sent by mail()

Sat, 21 Sep 2002 10:06:02 -0700 

 ID:               19538
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
 Status:           Open
 Bug Type:         Feature/Change Request
 Operating System: ALL
 PHP Version:      4.2.3
 New Comment:

I've been thinking... and I don't think it's any useful to add those
things.
This is because it can be very easily compromised by just using
popen("sendmail") or similar.


Previous Comments:
------------------------------------------------------------------------

[2002-09-21 12:19:48] [EMAIL PROTECTED]

I suggest to add also sender IP as example
X-php_sender_IP

------------------------------------------------------------------------

[2002-09-21 07:54:29] [EMAIL PROTECTED]

The problem is that when any user sends email message from php script
it always comes from ,,http'' (or whatever) user.

There is no way to identify which script was used to send some mail.
User sets all headers as he wants ;/ Sender is http@fqdn.

On my systems users have a lot of php scripts and spammers use them to
spam through my server! Identifying which script was used is quite
problematic when there are tons of scripts. php currently doesn't give
any information about which script was that - there is no usefull
enviroment variables, there is no additional mail headers, working
directory when calling sendmail is ,,/'' so I can't even do pwd to
identify directory with php script.

I'm suggesting adding way to identify source script. I thing about two
ways of doing this:
1) set enviroment variable SCRIPT_FILENAME with same value as in php
(and other variables) before executing sendmail so It would be possible
to setup wrapper instead of sendmail and do whatever you want.
2) add option to php.ini like sendmail_id_header = yes|no
that would cause adding some header to message like
X-PHP-Script-Filename: /home/something/blah.php
or even sendmail_id_header = name of php variable
(that would cause to add X-Name-Of-PHP-Variable: it's value to mail
message).
Second is better because it works with SMTP, too.

Opinions?



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=19538&edit=1

Reply via email to