[milters] Archive


Article: 887
From: Anthony Howe
Date: 2006-04-14 05:44:10 -0400
Subject: Re: milter-limit


Sergey N. Romanov wrote:
>> But does it make sense to in milter-limit?  milter-limit acts on 
>> connection, MAIL, RCPT states so it's inherently pre-DATA and better 
>> suited to reject behaviour in the SMTP session before the message 
>> content is even sent.
> We can't reject messages in any other way.
> We want to limit internal senders on our web-servers which send messages
> from cgi or php scripts.
Hmm. Sounds like you have a problem with badly implemented web forms 
which are used as a spam submission vector.

All my web forms are modelled along sendform.php that I wrote to avoid 
such problems and report incidents of abuse. Essentially you must scrub 
your web form submissions: never allow the recipient to be specified by 
the form. The recipient should be hard coded in some fashion into the 
script or configuration file. Also my version detects hacks to insert 
extra MIME headers, etc. in order to try and subvert the delivery to 
other recipients.

Given how simple it is to do this in PHP, I always recommend now that 
web hosting services remove community web form submission tools, and 
instead opt to provide a model/template like sendform.php to each web 
site customer that requires such functionality. It's better for your sanity.

Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus    Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561

$value) { if ($maxWidth $value) { if ($maxWidth $value) {
    if (is_array($value))
        $value = implode(', ', $value);
    if (preg_match('/[\\r\\n]/', $value))
        $value = "\n".$value;
    $body .= sprintf($fmt, $name, $value);
}
if (isset($_GET['Email']))
    $from = "From: \r\n";

foreach ($_POST as $name => $value) {
    if (is_array($value))
        $value = implode(', ', $value);
    if (preg_match('/[\\r\\n]/', $value))
        $value = "\n".$value;
    $body .= sprintf($fmt, $name, $value);
}
if (isset($_POST['Email']))
    $from = "From: \r\n";

if ($from == '')
    bogus("\nReason: Missing required sender's email address.");

if ((isset($_GET['Comment']) && preg_match('/^\s*$/', $_GET['Comment']))
||  (isset($_POST['Comment']) && preg_match('/^\s*$/', $_POST['Comment'])))
    bogus("\nReason: Missing required comment feedback.");

mail($SEND_TO, $SUBJECT, $body,
    $from."MIME-Version: 1.0\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: 8bit");
///////////////////////////////////////////////////////////////////////
?>
Anthony C Howe - Snert - Thank You 

Thank you for your feedback. 
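
The scrubbing rules described in the message (fixed recipient, sender address checked for injected headers), written out as an added example. It is not the original sendform.php or any SnertSoft code. The SEND_TO and SUBJECT values, the FormAbuse class and build_feedback_mail() are assumptions made for illustration, and the sample submissions are constructed.

```php
<?php
// Added example, not the original sendform.php. SEND_TO and SUBJECT are placeholders;
// the field names Email and Comment follow the fragment above.
const SEND_TO = 'webmaster@example.com';   // fixed recipient, never taken from the form
const SUBJECT = 'Web form feedback';

final class FormAbuse extends RuntimeException {}

function build_feedback_mail(array $form): array
{
    $email = $form['Email'] ?? '';
    if (!is_string($email) || $email === '') {
        throw new FormAbuse("Missing required sender's email address.");
    }
    // CR or LF in a header-bound value is an attempt to append headers (Bcc:, Cc:, ...).
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new FormAbuse('Invalid sender address.');
    }
    $comment = $form['Comment'] ?? '';
    if (!is_string($comment) || trim($comment) === '') {
        throw new FormAbuse('Missing required comment feedback.');
    }
    $body = '';
    foreach ($form as $name => $value) {
        if (is_array($value)) $value = implode(', ', array_filter($value, 'is_scalar'));
        $value = str_replace(["\r\n", "\r"], "\n", (string) $value);
        // Conservative heuristic: a field line that looks like a mail header is treated as a probe.
        if (preg_match('/^\s*(to|cc|bcc|content-type|mime-version)\s*:/mi', $value)) {
            throw new FormAbuse('Header-like text in form field.');
        }
        $name = preg_replace('/[^\w .-]/', '?', (string) $name);
        $body .= sprintf("%s: %s\n", $name, str_replace("\n", "\n    ", $value));
    }
    $headers = "From: <$email>\r\nMIME-Version: 1.0\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\nContent-Transfer-Encoding: 8bit";
    return [SEND_TO, SUBJECT, $body, $headers];
}

// Constructed sample submissions: one honest, one carrying an injected Bcc header.
$samples = [
    ['Email' => 'alice@example.org', 'Comment' => 'Nice site.'],
    ['Email' => "alice@example.org\r\nBcc: victim@example.net", 'Comment' => 'hi'],
];
foreach ($samples as $form) {
    try {
        [$to, $subject, $body, $headers] = build_feedback_mail($form);
        echo "OK, would call mail() for $to\n";   // mail($to, $subject, $body, $headers);
    } catch (FormAbuse $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```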
