ID: 36341
Comment by: richard at indigo3 dot net
Reported By: paul at xciv dot org
Status: Open
Bug Type: Feature/Change Request
Operating System: FreeBSD
PHP Version: 4.4.2
New Comment:

An interesting idea. Well worth the investment in time and effort.

Previous Comments:
------------------------------------------------------------------------

[2006-03-06 16:11:00] simon at advantage-interactive dot com

Excellent suggestions, would help tracking back spam

------------------------------------------------------------------------

[2006-03-04 21:33:26] tim at globalgold dot co dot uk

I agree Paul's suggestion should be implemented.

------------------------------------------------------------------------

[2006-02-11 18:33:41] karl at kdawebservices dot com

Both excellent ideas. I also believe there is a patch out in the wild for PHP that automatically adds an X header with the vhost domain - Perhaps this should be incorporated (with an ini option to turn it on/off) along with adding the path to the script as an X header as well.

------------------------------------------------------------------------

[2006-02-09 15:16:05] paul at xciv dot org

Description:
------------
I have two suggestions for modifications to help combat the problem of mail form spam.

Firstly I would like to see mail.force_extra_parameters back-ported to the 4.x branch - not everyone is ready to upgrade to 5.x in production yet.

Secondly I would like to suggest that environment variables from the PHP environment are exposed to the sendmail binary. I will explain why this is useful.

Reproduce code:
---------------
With the mail.force_extra_parameters option, I can set different parameters per Apache vhost. This can be very useful because I can set custom parameters like:

-xs my.vhost.domain

How is this useful? Well if I then set a new sendmail_path to my own custom wrapper script I can pick up these custom parameters and do two things:

1. Log the originating vhost, number of recipients etc.
2. Add an X-Header: in the mail detailing which vhost the mail originated from - before passing it to the real sendmail.

This allows me to track which vhost sent mail from the httpd! So I can now track which vhost may have an insecure mail form if I get spam reports. With say 100 vhosts this is *invaluable*.

My second suggestion would make this a lot easier and a lot more expandable. If the PHP environment variables were exposed to sendmail then I could even pick up such details as the script filename etc and this would then not require the use of custom mail.force_extra_parameters.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=36341&edit=1
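
The wrapper script described in the original report, as an added example that is not part of the bug thread or of PHP: it picks up the `-xs` value, logs it, stamps the message with the vhost and passes the remaining arguments to the real sendmail. The file paths, the `X-PHP-Vhost` header name and the `php-sendmail-wrapper` script name are assumptions.

```shell
#!/bin/sh
# Added example: sendmail_path wrapper. Paths, header name and script name are assumptions.
REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail}"
MAIL_LOG="${MAIL_LOG:-/var/log/php-mail.log}"

# Keep only hostname characters so the value cannot carry CR/LF into a header or log line.
sanitize_vhost() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9.-' | cut -c1-253
}

# Print the value that follows -xs (the per-vhost flag from the report), or "unknown".
vhost_from_args() {
    v=
    while [ $# -gt 0 ]; do
        if [ "$1" = "-xs" ] && [ $# -ge 2 ]; then v=$2; shift; fi
        shift
    done
    v=$(sanitize_vhost "$v")
    printf '%s\n' "${v:-unknown}"
}

# Copy the message from stdin to stdout with the tracking header first, dropping any
# X-PHP-Vhost header (and its folded continuation lines) that the script supplied itself.
tag_message() {
    printf 'X-PHP-Vhost: %s\n' "$1"
    awk '
        body      { print; next }
        /^\r?$/   { body = 1; print; next }
        /^[ \t]/  { if (!drop) print; next }
        { drop = (tolower($0) ~ /^x-php-vhost[ \t]*:/); if (!drop) print }
    '
}

wrapper_main() {
    vhost=$(vhost_from_args "$@")
    # Rebuild the argument list without "-xs <value>", which the real sendmail does not know.
    skip=0
    for a in "$@"; do
        shift
        if [ "$skip" = 1 ]; then skip=0; continue; fi
        if [ "$a" = "-xs" ]; then skip=1; continue; fi
        set -- "$@" "$a"
    done
    printf '%s vhost=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$vhost" >>"$MAIL_LOG"
    tag_message "$vhost" | "$REAL_SENDMAIL" "$@"
}

# Run only when installed under this hypothetical name and set as sendmail_path.
case "${0##*/}" in php-sendmail-wrapper) wrapper_main "$@" ;; esac
```

Because the vhost value is set per vhost by the administrator and any script-supplied `X-PHP-Vhost` header is dropped, a mail form cannot forge the tracking header that spam reports are traced with.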