Feature to look for php scripts sending spam

Dear all

I was wondering if there is any option to know if one exists, or whether a feature could be made, which can look for/warn about/identify PHP scripts sending SPAM.

I know that one of the most used methods to detect this is to have a special /var/log/phpmail.log file which all scripts using the PHP mail feature will log to.

And to add the following to php.ini:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

Do Virtualmin/Webmin have any options to find those scripts using the PHP mail feature?

Can one be written in order to automate the above settings and to show you a list of the latest scripts/users using this feature?

It would be very helpful to have this feature, for a lot of people in the anti-spam fight.

All the best

Status: Active

Comments

Submitted by Joe on Tue, 10/31/2017 - 11:48 Pro Licensee

That's a great idea! I didn't even know PHP could log when it sends mail.

This is a bit trickier in a suexec environment, as the user can change their own php.ini, but for php-fpm and mod_php, I think it's entirely doable. A log is a really good first step in detection of illicit use of mail.

Another good step (which we don't default to, as it would cause a lot of confusion) is to disallow local mail queue injection with the sendmail command (and most PHP apps that send mail locally) using the authorized_submit_users directive in Postfix. This one might be overkill, as it requires you to explicitly allow all of the users that should be able to submit mail, which would need to be all of the various system services that might send mail, etc.

I'll look into setting up logging in the default php.ini. It'll require setting up log rotation, as well, and I need to figure out how to handle it for fcgi execution mode (though I think most folks should be using php-fpm for non-trusted users these days, as it provides the administrator more control over the environment and restricts users quite a bit more).

Hi Joe

This feature could be domain-related or system-related. I mean there could be an option to set it on the entire Virtualmin install (and hopefully the domain owner won't make any changes in php.ini), or to have it in the Enable Features (per domain) and to check it only if you want, as you check Antivirus, for instance.

The fact is that I face two kinds of spammers.

The 1st kind is the "password robber", and for this I have to log into the console, then with a small script I'm trying to find which authenticated user has the latest and the most SASL authentications (for instance in the latest 20 minutes), thus finding the source of the SPAM. For this, I believe that a simple feature would be to show the admin exactly this report of the most logged-in SASL username in the latest, let's say, 10-30 minutes.

The 2nd kind is the PHP mailer spammer, who is using various types of access in order to run PHP scripts sending SPAM. Here is the other feature I would like to propose (if I may say so), which will look into this PHPmail.log and again sort the top of the 'users'.

The rest is a matter of logic and deduction, but having those two features in a handy manner I believe will help a lot with a faster anti-spammer diagnostic, once we see that the mailq is exceeding a limit per time (for this I also have a small script which sends me an email if in any 30 minutes the mailq exceeds 40 mails, deleting the mailq at the same time, as I do not want to be taken by surprise during the night when spammers usually attack).

Many thanks for maintaining this absolutely lovely and handy software.
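As an added example (not from this thread and not Virtualmin's own code), here is a small Python report over a PHP mail.log that does the sorting proposed above: the top scripts and users in the last N minutes, plus a threshold check for the admin to look at first. It assumes the line format PHP writes when mail.log is set (the "-- Subject:" part only exists on newer PHP releases, so it is optional) and the /home/<user>/ directory layout; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed format of a PHP mail.log line ("-- Subject:" is absent on older PHP, so it is optional):
# [31-Oct-2017 11:48:05 UTC] mail() on [/home/alice/public_html/contact.php:42]: To: a@b -- Headers: From: x -- Subject: Hi
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>[^\]]+):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers: (?P<headers>.*?)(?: -- Subject: (?P<subject>.*))?$"
)

# Constructed sample log: a normal contact form (alice) and a bursting script under wp-content/uploads (bob).
SAMPLE_LOG = """\
[31-Oct-2017 11:20:05 UTC] mail() on [/home/alice/public_html/contact.php:42]: To: friend@example.org -- Headers: From: alice@example.com -- Subject: Hello
[31-Oct-2017 11:41:10 UTC] mail() on [/home/bob/public_html/wp-content/uploads/cache.php:3]: To: a1@example.net -- Headers: From: info@example.com -- Subject: Offer
[31-Oct-2017 11:41:11 UTC] mail() on [/home/bob/public_html/wp-content/uploads/cache.php:3]: To: a2@example.net -- Headers: From: info@example.com -- Subject: Offer
[31-Oct-2017 11:41:12 UTC] mail() on [/home/bob/public_html/wp-content/uploads/cache.php:3]: To: a3@example.net -- Headers: From: info@example.com -- Subject: Offer
[31-Oct-2017 11:45:00 UTC] mail() on [/home/alice/public_html/contact.php:42]: To: other@example.org -- Headers: From: alice@example.com
[31-Oct-2017 09:00:00 UTC] mail() on [/home/bob/public_html/old.php:7]: To: x@example.org -- Headers: From: bob@example.com -- Subject: Old
this line is not a mail() entry and is skipped
"""

def parse_mail_log(lines):
    """Yield (timestamp, script path, recipient) for each well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        stamp = m.group("ts").rsplit(" ", 1)[0]  # drop the timezone name
        yield datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S"), m.group("script"), m.group("to")

def owner_of(script):
    """Map /home/<user>/... to <user> (assumes the Virtualmin home layout)."""
    parts = script.split("/")
    return parts[2] if len(parts) > 3 and parts[1] == "home" else "unknown"

def top_senders(lines, now, window=timedelta(minutes=30), limit=5):
    """Rank scripts and users by mail() calls logged within the last `window` before `now`."""
    since = now - window
    scripts, users = Counter(), Counter()
    for ts, script, _ in parse_mail_log(lines):
        if ts >= since:
            scripts[script] += 1
            users[owner_of(script)] += 1
    return scripts.most_common(limit), users.most_common(limit)

def over_threshold(lines, now, max_mails, window=timedelta(minutes=30)):
    """Scripts that sent more than max_mails in the window, i.e. what the admin should inspect first."""
    scripts, _ = top_senders(lines, now, window, limit=None)
    return [(s, n) for s, n in scripts if n > max_mails]
```

On a real server, pass `open("/var/log/phpmail.log")` and `datetime.now()` (the log timestamps are in the server's PHP timezone) to `top_senders` and `over_threshold`; the same functions work per domain when mail.log points into each domain's own log directory.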

Has this feature been added? If not, are there plans to add it? I have tried editing the php.ini file from Webmin, but looking at phpinfo for a site, mail.log is still showing no value. I'm running PHP through fcgi. Is there another php.ini file I should be editing?

Found it! I need to add it to the domain/etc php.ini. It would be nice if we could do it through Virtualmin. Reading further, there may be permission problems using /var/log. I have seen it suggested that /var/tmp should be used. Any thoughts?

Done it manually for all domains. I modified each domain's php.ini to set mail.log to phpmail.log in that domain's log directory. Definitely would be a nice feature to add.