ID: 19538 Comment by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] Status: Assigned Bug Type: Feature/Change Request Operating System: ALL PHP Version: 4.2.3 Assigned To: derick New Comment:
IMHO, sendmail's (or whatever MTA you're using) logs should give that kind of information away, not headers produced by PHP. Luciano ES Santos, SP - Brasil Previous Comments: ------------------------------------------------------------------------ [2002-09-21 13:32:31] [EMAIL PROTECTED] Makes sense then... I'll have a look. Derick ------------------------------------------------------------------------ [2002-09-21 13:28:29] [EMAIL PROTECTED] I'm running safe_mode so executing/popening sendmail is not possible (theoretically). It's really very usefull. Now there is completly no way to identify source of mail. Also note that in most cases _not_ mine users are those who are spamming but other people through typical mail.php scripts (forms) put on web by mine users. Identifying script would allow me to fix it/protect or just tell user to remove it. ------------------------------------------------------------------------ [2002-09-21 12:35:07] [EMAIL PROTECTED] I've been thinking... and I don't think it's any useful to add those things. This is because it can be very easily compromised by just using popen("sendmail") or similar. ------------------------------------------------------------------------ [2002-09-21 12:19:48] [EMAIL PROTECTED] I suggest to add also sender IP as example X-php_sender_IP ------------------------------------------------------------------------ [2002-09-21 07:54:29] [EMAIL PROTECTED] The problem is that when any user sends email message from php script it always comes from ,,http'' (or whatever) user. There is no way to identify which script was used to send some mail. User sets all headers as he wants ;/ Sender is http@fqdn. On my systems users have a lot of php scripts and spammers use them to spam through my server! Identifying which script was used is quite problematic when there are tons of scripts. php currently doesn't give any information about which script was that - there is no usefull enviroment variables, there is no additional mail headers, working directory when calling sendmail is ,,/'' so I can't even do pwd to identify directory with php script. I'm suggesting adding way to identify source script. I thing about two ways of doing this: 1) set enviroment variable SCRIPT_FILENAME with same value as in php (and other variables) before executing sendmail so It would be possible to setup wrapper instead of sendmail and do whatever you want. 2) add option to php.ini like sendmail_id_header = yes|no that would cause adding some header to message like X-PHP-Script-Filename: /home/something/blah.php or even sendmail_id_header = name of php variable (that would cause to add X-Name-Of-PHP-Variable: it's value to mail message). Second is better because it works with SMTP, too. Opinions? ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=19538&edit=1