[milters] Archive


Article: 888
From: Anthony Howe
Date: 2006-04-14 05:44:22 -0400
Subject: Re: milter-limit


Sergey N. Romanov wrote:
>> But does it make sense to in milter-limit?  milter-limit acts on
>> connection, MAIL, RCPT states so it's inherently pre-DATA and better
>> suited to reject behaviour in the SMTP session before the message
>> content is even sent.
>
> We can't reject messages in any other way.
> We want to limit internal senders on our web-servers which send messages
> from cgi or php scripts.

Hmm. Sounds like you have a problem with badly implemented web forms
which are used as a spam submission vector.

All my web forms are modelled along sendform.php that I wrote to avoid 
such problems and report incidents of abuse. Essentially you must scrub 
your web form submissions: never allow the recipient to be specified by 
the form. The recipient should be hard coded in some fashion into the 
script or configuration file. Also my version detects hacks to insert 
extra MIME headers, etc. in order to try and subvert the delivery to 
other recipients.

Given how simple it is to do this in PHP, I always recommend now that 
web hosting services remove community web form submission tools, and 
instead opt to provide a model/template like sendform.php to each web 
site customer that requires such functionality.

-- 
Anthony C Howe          Skype: SirWumpus                    SnertSoft
+33 6 11 89 73 78         AIM: SirWumpus    Sendmail Milter Solutions
http://www.snert.com/     ICQ: 7116561
     http://www.snertsoft.com/


 $value) { if ($maxWidth $value) { if ($maxWidth $value) {
    if (is_array($value))
        $value = implode(', ', $value);
    if (preg_match('/[\\r\\n]/', $value))
        $value = "\n".$value;
    $body .= sprintf($fmt, $name, $value);
}
if (isset($_GET['Email']))
    $from = "From: \r\n";

foreach ($_POST as $name => $value) {
    if (is_array($value))
        $value = implode(', ', $value);
    if (preg_match('/[\\r\\n]/', $value))
        $value = "\n".$value;
    $body .= sprintf($fmt, $name, $value);
}
if (isset($_POST['Email']))
    $from = "From: \r\n";

if ($from == '')
    bogus("\nReason: Missing required sender's email address.");

if ((isset($_GET['Comment']) && preg_match('/^\s*$/', $_GET['Comment']))
||  (isset($_POST['Comment']) && preg_match('/^\s*$/', $_POST['Comment'])))
    bogus("\nReason: Missing required comment feedback.");

mail($SEND_TO, $SUBJECT, $body, $from."MIME-Version: 1.0\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: 8bit");

///////////////////////////////////////////////////////////////////////
//
///////////////////////////////////////////////////////////////////////
?>
Anthony C Howe - Snert - Thank You 



Thank you for your feedback. 
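
The two rules described in the message (recipient fixed in the script, header-bound form values checked for injected headers) as an added example; this is not Anthony Howe's sendform.php. The constants, the function name build_feedback_mail() and the sample addresses are hypothetical, and the sample submissions are constructed.

```php
<?php
// Added example, not the original sendform.php. Names and addresses are hypothetical.
const SEND_TO = 'webmaster@example.com';   // fixed recipient, never taken from the form
const SUBJECT = 'Web site feedback';

// Returns [to, subject, body, headers] for mail(), or throws on a suspicious submission.
function build_feedback_mail(array $form): array
{
    $email = $form['Email'] ?? '';
    if (!is_string($email) || $email === '')
        throw new InvalidArgumentException('Missing required sender email address');
    // The sender address is the only form value placed in a header:
    // a CR or LF here is an attempt to append headers such as Bcc:.
    if (preg_match('/[\r\n]/', $email))
        throw new InvalidArgumentException('CR/LF in Email field (header injection attempt)');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false)
        throw new InvalidArgumentException('Malformed sender email address');

    $body = '';
    foreach ($form as $name => $value) {
        if (is_array($value))
            $value = implode(', ', array_map('strval', $value));
        // Multi-line values are allowed, but only inside the body.
        $body .= sprintf("%s: %s\n", $name, str_replace("\r", '', (string) $value));
    }
    $headers = "From: <$email>\r\n"
             . "MIME-Version: 1.0\r\nContent-Type: text/plain\r\nContent-Transfer-Encoding: 8bit";
    return [SEND_TO, SUBJECT, $body, $headers];
}

// Constructed sample submissions: one honest, one that tries to add a Bcc header
// and supplies a 'To' field, which the script never uses for addressing.
$samples = [
    ['Email' => 'alice@example.org', 'Comment' => "Nice site.\nThanks!"],
    ['Email' => "x@example.org\r\nBcc: victim@example.net", 'To' => 'victim@example.net', 'Comment' => 'hi'],
];
foreach ($samples as $form) {
    try {
        [$to, $subject, $body, $headers] = build_feedback_mail($form);
        echo "accepted: would mail $to\n";   // a real script calls mail($to, $subject, $body, $headers) here
    } catch (InvalidArgumentException $e) {
        error_log('form abuse: ' . $e->getMessage());   // report the incident
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```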

