Virus scan for Apache

Virus scan for Apache

am 07.05.2007 17:19:40 von joe

Hello,

I currently use a simple php webmail form with php's mail() function
doing the work to send messages to the site owner.

However, viruses are being sent via the form.

I tried adding a basic collaboration of amavis-new, ClamAV and
spamassassin, but that filter does not seem to catch them. I assume they
are injected into the Postfix process too late.

Any idea how I can eliminate this?

thanks
Joe

Re: Virus scan for Apache

am 07.05.2007 19:47:39 von unknown

Post removed (X-No-Archive: yes)

Re: Virus scan for Apache

am 07.05.2007 20:37:22 von petersprc

You could try cleaning the input. One example:


<?php
// The recipient was not defined in the posted snippet; set it to the site owner.
$to = 'owner@example.com';

// Remove CR/LF (the characters used for header injection) and any
// non-printable bytes, then cap the value at the 998-character line limit
// of RFC 2822.
function sanitizeHeader($str)
{
    $str = preg_replace("/[\r\n]|[^[:graph:][:space:]]/", '', $str);
    return substr($str, 0, 998);
}

// Remove non-printable bytes and all HTML tags from the body, then cap its size.
function sanitizeBody($str)
{
    $str = preg_replace('/[^[:graph:][:space:]]/', '', $str);
    $str = strip_tags($str);
    return substr($str, 0, 65536);
}

if (isset($_REQUEST['subject'])) {
    mail($to,
        sanitizeHeader($_REQUEST['subject']),
        sanitizeBody($_REQUEST['body']),
        "From: " . sanitizeHeader($_REQUEST['from']));
}

?>

AFAIK, you shouldn't have a problem scanning outgoing email too. Is it
adding any headers to the email?

On May 7, 11:19 am, Joe wrote:
> Hello,
>
> I currently use a simple php webmail form with php's mail() function
> doing the work to send messages to the site owner.
>
> However, viruses are being sent via the form.
>
> I tried adding a basic collaboration of amavis-new, ClamAV and
> spamassassin, but that filter does not seem to catch them. I assume they
> are injected into the Postfix process too late.
>
> Any idea how I can eliminate this?
>
> thanks
> Joe

Re: Virus scan for Apache

am 07.05.2007 21:43:16 von shimmyshack

On May 7, 4:19 pm, Joe wrote:
> Hello,
>
> I currently use a simple php webmail form with php's mail() function
> doing the work to send messages to the site owner.
>
> However, viruses are being sent via the form.
>
> I tried adding a basic collaboration of amavis-new, ClamAV and
> spamassassin, but that filter does not seem to catch them. I assume they
> are injected into the Postfix process too late.
>
> Any idea how I can eliminate this?
>
> thanks
> Joe

use phpmailer, it's a great class, set it to send non html mail, just
plain text. No header injection or other nasties will be possible, but if
your machine has been compromised the viruses can be injected at any
point before the mail leaves. If you send through Gmail's smtp server
you can encrypt the connection making it hard for this to occur. Using
PHP you could also sign the email using an openssl private key, making
it easy to identify any changes.

Re: Virus scan for Apache

am 08.05.2007 15:54:45 von joe

In article <1178563042.879005.164170@p77g2000hsh.googlegroups.com>,
petersprc@gmail.com says...
> n't have a problem scanning outgoing email too. Is it
> adding any headers to the email?
>
>
Thanks much for the fast reply.

I have more info. It turns out the scum is putting porn links in the
email and sending it.

something like:

http://www.somepornsite.org/7/hanna.html
>hanna

again...

again...

I assume this is done by hand or some malicious software.

Any idea of an easy way to sanitize and remove all HTML?

Also, I am thinking I should be able to inject outgoing email into
Postfix and have it scan.

I added the "sandwich loop" using the content filter in main.cf to run
through amavisd-new. I can telnet to port 25 in the local terminal and
send mail and it WILL filter it, but if I try to do it via the
webmail form from Apache, it won't catch it. I know Postfix is the agent
sending it. Am I injecting in the wrong place?

Re: Virus scan for Apache

am 08.05.2007 16:14:59 von shimmyshack

On May 8, 2:54 pm, Joe wrote:
> In article <1178563042.879005.164...@p77g2000hsh.googlegroups.com>,
> peters...@gmail.com says...
> > n't have a problem scanning outgoing email too. Is it
> > adding any headers to the email?
>
> Thanks much for the fast reply.
>
> I have more info. It turns out the scum is putting porn links in the
> email and sending it.
>
> something like:
>
> >
> >hanna

>
> again...
>
> again...
>
> I assume this is done by hand or some malicious software.
>
> Any idea of an easy way to sanitize and remove all HTML?
>
> Also, I am thinking I should be able to inject outgoing email into
> Postfix and have it scan.
>
> I added the "sandwich loop" using the content filter in main.cf to run
> through amavisd-new. I can telnet to port 25 in the local terminal and
> send mail and it WILL filter it, but if I try to do it via the
> webmail form from Apache, it won't catch it. I know Postfix is the agent
> sending it. Am I injecting in the wrong place?

well any good DNSBL will have those links, you could implement a check
like this, or put a captcha on your form.
There are many around, but most are very easy to get round, so do a
bit of research to see which are best. See http://sam.zoy.org/pwntcha/
for details of some good and bad ones in common use.
It's just some simple script posting to your simple form, I have this
kind of problem too, the simplest solution was to have the mail come
via a proxy I run on another machine (spampal), be passed through
spampal and spamassassin (Bayesian filters) and DNSBL, and then forwarded
on to the real recipient, silly I know, but it works painlessly.
You can also figure out the location of the IP used to post spam, and
depending on the region, stop it there, this is quick and painless as
well, and most of your customers will probably be somewhere in the
same country I am guessing. There are free databases around with mysql
code ready to run which will give you country resolution.
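The header/body sanitising petersprc posted earlier in the thread and the DNSBL check of linked hosts suggested here, combined in one added example that is not code from this thread. `URIBL_ZONE`, the function names and the sample inputs are assumptions, and the stub resolver stands in for a real DNS lookup so the demo runs offline.

```php
<?php
// Added example, not code from the thread: reworks petersprc's sanitising
// functions and adds shimmyshack's DNSBL idea for linked hosts. All names are
// this example's own; the blocklist zone and sample inputs are assumptions.

const URIBL_ZONE = 'multi.surbl.org'; // assumed URI blocklist; use your own
// A CR/LF in a header value is how extra Bcc:/Cc: lines reach mail(): refuse it.
function cleanHeader(string $s, int $max = 998): ?string {
    if (preg_match('/[\r\n]/', $s)) return null;
    $s = preg_replace('/[^[:graph:][:space:]]/', '', $s);
    return substr(trim($s), 0, $max);
}

// Drop non-printables and all markup from the body, keeping plain text only.
function cleanBody(string $s, int $max = 65536): string {
    $s = preg_replace('/[^[:graph:][:space:]]/', '', $s);
    return substr(strip_tags(html_entity_decode($s)), 0, $max);
}

// Hostnames of every http(s) link left in the body text.
function linkedHosts(string $body): array {
    preg_match_all('#https?://([a-z0-9.-]+)#i', $body, $m);
    return array_values(array_unique(array_map('strtolower', $m[1])));
}

// A host listed in a URI DNSBL resolves to 127.0.0.x; an unlisted one does not
// resolve, and gethostbyname() then returns the query string unchanged.
function listedHosts(array $hosts, callable $resolve = 'gethostbyname'): array {
    return array_values(array_filter($hosts,
        fn($h) => preg_match('/^127\.0\.0\./', $resolve("$h." . URIBL_ZONE))));
}

// Returns the pieces for mail($to, ...) or null when the submission is refused.
function buildSafeMail(array $in, callable $resolve = 'gethostbyname'): ?array {
    $subject = cleanHeader($in['subject'] ?? '');
    $from = cleanHeader($in['from'] ?? '');
    if ($subject === null || $from === null || !filter_var($from, FILTER_VALIDATE_EMAIL)) {
        return null;
    }
    $body = cleanBody($in['body'] ?? '');
    if (listedHosts(linkedHosts($body), $resolve)) return null;
    return ['subject' => $subject, 'body' => $body, 'headers' => "From: $from"];
}

// Constructed inputs with a stub resolver so the demo runs offline.
$stub = fn(string $q) => str_starts_with($q, 'spam.example.') ? '127.0.0.64' : $q;
var_dump(buildSafeMail(['subject' => "Hi\r\nBcc: x@example.net",
    'from' => 'a@example.org', 'body' => 'hello'], $stub));            // case 1: CRLF in subject
var_dump(buildSafeMail(['subject' => 'Hi', 'from' => 'a@example.org',
    'body' => '<a href="http://spam.example/7/x.html">x</a>'], $stub)); // case 2: link to a listed host
```

In the real form you would call `buildSafeMail($_REQUEST)` with the default resolver and pass the returned subject, body and headers to `mail($to, ...)`, sending nothing when it returns null.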