Re: Mail server recently became an open relay

2020-10-19 Thread IL Ka
A rock-solid solution is to separate htdocs (a folder that is accessible via web) from the code folder (the one with scripts). I do not know how that could be done with PHP (I believe you can serve static files with nginx and run PHP as FPM connected to nginx with FastCGI), but in the Python world we

Re: Mail server recently became an open relay

2020-10-19 Thread Jaroslaw Rafa
On 19.10.2020 at 18:26:28 Demi M. Obenour wrote: > Can this be mitigated by denying the PHP user write permission on > any directory where PHP files will be executed? There are multiple methods to mitigate this, and this may be one of them. But unsecured scripts that allow such behaviour are

Re: Mail server recently became an open relay

2020-10-19 Thread Demi M. Obenour
On 10/19/20 3:29 PM, Jaroslaw Rafa wrote: > On 19.10.2020 at 21:12:20 John Fawcett wrote: >> Sorry not to be able to give a definitive answer. Typical mail injection >> via PHP will use a script that already calls the PHP mail function or >> similar functions that open the SMTP connection.

Re: Mail server recently became an open relay

2020-10-19 Thread Bob Proulx
Bob Proulx wrote: > The default PHP "mail()" method sends mail by using the system's > /usr/sbin/sendmail interface rather than SMTP. > > https://www.php.net/manual/en/mail.requirements.php > https://www.php.net/manual/en/function.mail.php Oh! It depends upon the system's php.ini

Re: Mail server recently became an open relay

2020-10-19 Thread IL Ka
If someone hacked your PHP script, he or she may add any code to it, including code that connects to your smtpd and sends email. In PHP one can use the mail() function (which can use a TCP connection to localhost:25 according to the settings in php.ini) or establish a connection directly. As we can

Re: Mail server recently became an open relay

2020-10-19 Thread Bob Proulx
Rich Wales wrote: > If the problem were in fact due to a hijacked PHP page, btw, would this > necessarily require the page to be using e-mail or TCP connections > already for its own legitimate purposes, but being co-opted by a hacker > to nefarious ends? Or could *any* PHP script theoretically

Re: Mail server recently became an open relay

2020-10-19 Thread Jaroslaw Rafa
On 19.10.2020 at 21:12:20 John Fawcett wrote: > Sorry not to be able to give a definitive answer. Typical mail injection > via PHP will use a script that already calls the PHP mail function or > similar functions that open the SMTP connection. But there are other > attack vectors that are

Re: Mail server recently became an open relay

2020-10-19 Thread John Fawcett
On 19/10/2020 20:50, Rich Wales wrote: > John Fawcett wrote: > >> One thing I would suggest looking at is if there is a web server running >> on the same host it may be allowing email to be injected into postfix >> via smtp on the loopback interface using some scripting language like >> php or

Re: Mail server recently became an open relay

2020-10-19 Thread Rich Wales
John Fawcett wrote: > One thing I would suggest looking at is if there is a web server running > on the same host it may be allowing email to be injected into postfix > via smtp on the loopback interface using some scripting language like > php or others. I suppose that's possible. I spent some

Re: Mail server recently became an open relay

2020-10-18 Thread John Fawcett
On 18/10/2020 06:32, Viktor Dukhovni wrote: > On Sat, Oct 17, 2020 at 09:14:50PM -0700, Rich Wales wrote: > >> Thanks. I was actually thinking something of the sort myself -- my >> server is indeed behind a separate firewall appliance. >> >> However, other e-mail (such as your recent reply to my

Re: Mail server recently became an open relay

2020-10-17 Thread Viktor Dukhovni
On Sat, Oct 17, 2020 at 09:14:50PM -0700, Rich Wales wrote: > Thanks. I was actually thinking something of the sort myself -- my > server is indeed behind a separate firewall appliance. > > However, other e-mail (such as your recent reply to my inquiry) is NOT > exhibiting this same NAT/proxy

Re: Mail server recently became an open relay

2020-10-17 Thread Rich Wales
> No, it says no such thing. It says the EHLO name was [154.91.34.144], > the client IP was however 127.0.0.1. It seems you have some sort of > proxy or NAT in place that masks the real external IP address, making > all connections appear to originate from 127.0.0.1. That would sure > explain

Re: Mail server recently became an open relay

2020-10-17 Thread Viktor Dukhovni
On Sat, Oct 17, 2020 at 08:41:25PM -0700, Rich Wales wrote: > Received: from memoryalpha.richw.org ([127.0.0.1]) >     by localhost (memoryalpha.richw.org [127.0.0.1]) (amavisd-new, port > 10024) >     with ESMTP id D0t9j6VORyNH for ; >     Thu, 15 Oct 2020 14:48:06 -0700 (PDT) >

Re: Mail server recently became an open relay

2020-10-17 Thread Rich Wales
Sorry, when I said "chronologically last 'Received:' line" in my earlier e-mail, I meant to say "chronologically first (physically last)".  Mea culpa. Rich Wales ri...@richw.org

Re: Mail server recently became an open relay

2020-10-17 Thread Rich Wales
> /Show evidence (logging) and turn of verbose logging. Wietse/ OK, here is the message header for one of the spam e-mails (which did not get deleted during my mass cleanup efforts because a copy was saved in my amavisd-new quarantine database): X-Envelope-From: X-Envelope-To:

Re: Mail server recently became an open relay

2020-10-17 Thread Wietse Venema
Rich Wales: > > Why do you believe that your server is an open relay, as in, it > > will forward messages FROM spammers TO remote destinations. > > Wietse > > Because it *is* accepting messages from outsiders (spammers) and is > using my server to relay those messages to remote destinations. It

Re: Mail server recently became an open relay

2020-10-16 Thread Rich Wales
On 2020-10-16 21:16, Bill Cole wrote: > Based on your config and descriptions, it smells like a compromised > account being used to pump mail through your submission service. A full > set of log lines for one of the messages should reveal that. The > master.cf lines for smtpd and submission would

Re: Mail server recently became an open relay

2020-10-16 Thread Bill Cole
On 16 Oct 2020, at 18:20, Rich Wales wrote: Hi. My mail server (memoryalpha.richw.org), running Postfix 3.3.0, recently started attracting open relay spam. I thought I had done all the appropriate things in Postfix to block open relay traffic, and I hadn't seen any such traffic for a very

Re: Mail server recently became an open relay

2020-10-16 Thread Viktor Dukhovni
On Oct 16, 2020, at 11:17 PM, Rich Wales wrote: > > No, Viktor, I have not deleted my logs. However, there is so much stuff > in the Postfix log (/var/log/mail.log on my system) -- including both > good e-mail messages and bad, overlapped every which-way, multiple > Postfix processes, etc. --

Re: Mail server recently became an open relay

2020-10-16 Thread Rich Wales
No, Viktor, I have not deleted my logs. However, there is so much stuff in the Postfix log (/var/log/mail.log on my system) -- including both good e-mail messages and bad, overlapped every which-way, multiple Postfix processes, etc. -- that I don't think I can reasonably hope for anyone to be

Re: Mail server recently became an open relay

2020-10-16 Thread Viktor Dukhovni
On Oct 16, 2020, at 10:28 PM, Rich Wales wrote: > > The next time I see this happen -- could be tomorrow, could be weeks > from now, I have no idea when -- I'll gladly forward a copy of my > "mailq" output. I deleted my earlier evidence, I'm afraid. No "mailq" output needed. Just the relevant

Re: Mail server recently became an open relay

2020-10-16 Thread Rich Wales
> Why do you believe that your server is an open relay, as in, it > will forward messages FROM spammers TO remote destinations. > Wietse Because it *is* accepting messages from outsiders (spammers) and is using my server to relay those messages to remote destinations. It was (and still is) my

Re: Mail server recently became an open relay

2020-10-16 Thread lists
tests which I assume means different methods. Original Message From: wie...@porcupine.org Sent: October 16, 2020 3:27 PM To: postfix-users@postfix.org Reply-to: postfix-users@postfix.org Subject: Re: Mail server recently became an open relay Rich Wales: > Hi. My mail ser

Re: Mail server recently became an open relay

2020-10-16 Thread Wietse Venema
Rich Wales: > Hi. My mail server (memoryalpha.richw.org), running Postfix 3.3.0, > recently started attracting open relay spam. I thought I had done all Why do you believe that your server is an open relay, as in, it will forward messages FROM spammers TO remote destinations. Wietse

Mail server recently became an open relay

2020-10-16 Thread Rich Wales
Hi. My mail server (memoryalpha.richw.org), running Postfix 3.3.0, recently started attracting open relay spam. I thought I had done all the appropriate things in Postfix to block open relay traffic, and I hadn't seen any such traffic for a very long time, but suddenly I've gotten three attacks