hello everyone,

first of all... i'm sorry if this has been asked like a million times
before... but i've been looking for info about this and found nothing so
far.

anyway....

I've got a server with apache2 and postfix and php5 providing hosting to
some clients. I've got this big problem about clients sending spam
massively, either consciously or because they website have been hacked.
The main way to spam is by using the "mail()" function.
So far, i've only found how to disable the use of the mail() function
completely in the php.ini file, but it's not a really good option to me,
cause i run some server scripts to check for some things and they send
some mails when they find something wrong.

So... i would like to know what options i have if i want to limit this
function...

can i disable the function only for some users?
may be i can set a rate limit for it?

thanks.

Jordi Moles wrote:

> I've got a server with apache2 and postfix and php5 providing hosting
> to some clients. I've got this big problem about clients sending spam
> massively, either consciously or because they website have been
> hacked. The main way to spam is by using the "mail()" function.
> So far, i've only found how to disable the use of the mail() function
> completely in the php.ini file, but it's not a really good option to
> me, cause i run some server scripts to check for some things and they
> send some mails when they find something wrong.
>
> So... i would like to know what options i have if i want to limit this
> function...
>
> can i disable the function only for some users?
> may be i can set a rate limit for it?

Check your mail-server config - rate limits and such are probably best
done there.


/Per Jessen, Zürich

As far as I know, there's no way you can do this via PHP.

PHP doesn't "know" about users on the system. Generally, PHP is run as an
apache module, and thus the scripts are run as the user apache is running
as.

So to start with, you'd probably need to be running a Fast CGI + SuExec
setup or something similar.

I'm not sure how, or if there is a way to do this in postfix. The mail()
function calls the sendmail binary, so one sort of hackish way might be to
move this binary and write a wrapper script that keeps track of per-user
rate limits, and then invokes the real sendmail binary. Of course, in this
case, you'd also probably want to make sure the real sendmail binary
couldn't be executed and that users could not write to the file that keeps
track of the rate-limit.

-- Greg

On Tue, Apr 8, 2008 at 12:37 PM, Jordi Moles <jordi@cdmon.com> wrote:

> hello everyone,
>
> first of all... i'm sorry if this has been asked like a million times
> before... but i've been looking for info about this and found nothing so
> far.
>
> anyway....
>
> I've got a server with apache2 and postfix and php5 providing hosting to
> some clients. I've got this big problem about clients sending spam
> massively, either consciously or because they website have been hacked. The
> main way to spam is by using the "mail()" function.
> So far, i've only found how to disable the use of the mail() function
> completely in the php.ini file, but it's not a really good option to me,
> cause i run some server scripts to check for some things and they send some
> mails when they find something wrong.
>
> So... i would like to know what options i have if i want to limit this
> function...
>
> can i disable the function only for some users?
> may be i can set a rate limit for it?
>
> thanks.
>
>
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>

Greg Bowser wrote:

> I'm not sure how, or if there is a way to do this in postfix. The
> mail() function calls the sendmail binary, so one sort of hackish way
> might be to move this binary and write a wrapper script that keeps
> track of per-user rate limits, and then invokes the real sendmail
> binary.

Pardon me, but that's one kludgy idea - postfix has rate-limitation
facilities you can use for this.


/Per Jessen, Zürich

>Pardon me, but that's one kludgy idea

Hence my use of the term hackish. But really, is isn't all that
kludgy. An software solution that implements this natively would have
to keep track of the stats somehow; undoubtely via some sort of stats
file. So the real difference is that two processes are run, instead of
one. Yet, by the same "wrapper" logic, is it not kludgy that php
invokes the sendmail binary, instead of using some sort of native php
implementation? And again, by the same logic, the sendmail binary
that comes with many MTAs is simply a wrapper to allow normal sendmail
usage.


>postfix has rate-limitation facilities you can use for this

I'm aware of several configuration directives that limit rate, none of
which directly limit the send rate local users. Perhaps some kludgly
or elusive trick involving multiple options would do the trick; I
don't claim to be a postfix expert. Perhaps, instead of making empty
statements, you might choose to enlighten me as per the exact
configuration that will accomplish this.

Of course, I spent some time googling, but it appears that not too
many people know (or at least write about) how to implement such
functionality. I did manage to find two interesting items in my
searches:

http://www.postfix.org/anvil.8.html
http://www.opennix.com/email/postfix...ratelimit.html

The former doesn't appear to be magical, and from what my limited and
apparently klugdy thoughts permit me to deduce, it seems to bear,
conceptually, at least a degree (Celsius, mind you) of similarity to
the aforementioned kludgy statistics idea... I didn't find any
documentation regarding the implementation of anvil. And the latter,
well that's not even a native postfix solution, so apparently, I have
failed to find the alleged rate-limitation.

All cynical, superficial, and sarcastic storming somewhat consummate,
I can at last take solace knowing that I would, had you _suggested_ a
better solution, or had I not, kludgy though it apparently was, put
some effort into finding a solution, pardoned you.

And with the sarcasm, sincerity, and cynicism now accomplished, permit
me to offer my most sincere apologies for the above rude, and overly
verbose post.

-- Greg

On Tue, Apr 8, 2008 at 3:51 PM, Greg Bowser <topnotcher@gmail.com> wrote:
> >postfix has rate-limitation facilities you can use for this
>
> I'm aware of several configuration directives that limit rate, none of
> which directly limit the send rate local users. Perhaps some kludgly
> or elusive trick involving multiple options would do the trick; I
> don't claim to be a postfix expert. Perhaps, instead of making empty
> statements, you might choose to enlighten me as per the exact
> configuration that will accomplish this.
>
> Of course, I spent some time googling, but it appears that not too
> many people know (or at least write about) how to implement such
> functionality.

Not being a sysadmin I can't tell you HOW to do it, but I can tell you
that nearly every shared-hosting service I have worked with implements
some level of throttling such that an account on that machine cannot
send more than some set number of messages per hour whether directly
through local SMTP or through sendmail, mail(), etc., so I know it CAN
be done, and it appears that more than a few people know how to do it.

Andrew

hi,

thanks for all your opinions and suggestions, i'll have a look at all of
them to see if i can implement a restricted system for mail() functions.

I'll report back in a few days to let you know if i've come up with
something that really works.

Thanks for all.

En/na Andrew Ballard ha escrit:
> On Tue, Apr 8, 2008 at 3:51 PM, Greg Bowser <topnotcher@gmail.com> wrote:
>
>> >postfix has rate-limitation facilities you can use for this
>>
>> I'm aware of several configuration directives that limit rate, none of
>> which directly limit the send rate local users. Perhaps some kludgly
>> or elusive trick involving multiple options would do the trick; I
>> don't claim to be a postfix expert. Perhaps, instead of making empty
>> statements, you might choose to enlighten me as per the exact
>> configuration that will accomplish this.
>>
>> Of course, I spent some time googling, but it appears that not too
>> many people know (or at least write about) how to implement such
>> functionality.
>>
>
> Not being a sysadmin I can't tell you HOW to do it, but I can tell you
> that nearly every shared-hosting service I have worked with implements
> some level of throttling such that an account on that machine cannot
> send more than some set number of messages per hour whether directly
> through local SMTP or through sendmail, mail(), etc., so I know it CAN
> be done, and it appears that more than a few people know how to do it.
>
> Andrew
>
>