virus sent vie webmail running on Apache

Hello,

I currently use a simple php webmail form with php's mail() function
doing the work to send messages to the site owner.

However, viruses are being sent via the form.

I tried adding a basic colaboration of amavis-new, ClamAV and
spamassasin, but that filter does not seem to catch them. I assume they
are injected into the Postfix process too late.

Any idea how I can eliminate this?

thanks
Joe

Joe wrote:
> Hello,
>
> I currently use a simple php webmail form with php's mail() function
> doing the work to send messages to the site owner.
>
> However, viruses are being sent via the form.
>
> I tried adding a basic colaboration of amavis-new, ClamAV and
> spamassasin, but that filter does not seem to catch them. I assume they
> are injected into the Postfix process too late.
>
> Any idea how I can eliminate this?

The data you get to the mail() from the "FROM" input box has to be stripped
from injected headers.

A really simple check for injection is to

$newfrom=erege_replace("[\r\n]","",$from);
if($newfrom==$from) {
mail(...);
} else {
//header had injected data, don't send it
}

--

//Aho

On May 8, 12:21 am, "J.O. Aho" <u...@example.net> wrote:
> Joe wrote:
> > Hello,
>
> > I currently use a simple php webmail form with php's mail() function
> > doing the work to send messages to the site owner.
>
> > However, viruses are being sent via the form.
>
> > I tried adding a basic colaboration of amavis-new, ClamAV and
> > spamassasin, but that filter does not seem to catch them. I assume they
> > are injected into the Postfix process too late.
>
> > Any idea how I can eliminate this?
>
> The data you get to the mail() from the "FROM" input box has to be stripped
> from injected headers.
>
> A really simple check for injection is to
>
> $newfrom=erege_replace("[\r\n]","",$from);
> if($newfrom==$from) {
> mail(...);} else {
>
> //header had injected data, don't send it
>
> }
>
> --
>
> //Aho

Of course str_replace works just as well and is probably faster:

$newfrom = str_replace(array("\r", "\n"), '', $from);

On May 7, 7:57 pm, Joe <j_ev...@upfronttechnology.com> wrote:
> Hello,
>
> I currently use a simple php webmail form with php's mail() function
> doing the work to send messages to the site owner.
>
> However, viruses are being sent via the form.
>
> I tried adding a basic colaboration of amavis-new, ClamAV and
> spamassasin, but that filter does not seem to catch them. I assume they
> are injected into the Postfix process too late.
>
> Any idea how I can eliminate this?
>
> thanks
> Joe

PHP uses either the system's sendmail wrapper or SMTP depending on
your php environment, server OS, and php.ini settings. The SMTP
version of mail() is only available on Windows systems. In your case,
using mail() is the same as sending the mail message via sendmail from
a shell. This means that the mail is injected into the postfix queue
after the after-queue content filter. Your best bet for a workaround
is to use the PHPMailer or PEAR Mail packages to send your messages
via SMTP to localhost.

Good luck!

Joshua

On 8 May, 00:57, Joe <j_ev...@upfronttechnology.com> wrote:
> Hello,
>
> I currently use a simple php webmail form with php's mail() function
> doing the work to send messages to the site owner.
>
> However, viruses are being sent via the form.
>
> I tried adding a basic colaboration of amavis-new, ClamAV and
> spamassasin, but that filter does not seem to catch them. I assume they
> are injected into the Postfix process too late.
>
> Any idea how I can eliminate this?
>

Holy moley, you're letting users upload files into emails on your
website then sending them using mail() !!!!

....and you wonder why you've got problems?

Really, the question you're asking has nothing at all to do with PHP -
unless you want to use PHP to launch clamscan on uploaded files before
attaching them to emails (but bear in mind that anyone out to be
malicious could always incorporate uuencded data inline).

Clam + postfix worked a trick for me using clamsmtp. Its been a while
since I looked at amavis - but even then it wasn't as bad as a lot of
commercial AV tools.

I'd try asking on a more apposite (i.e. amavis or postfix) newsgroup.

C.

On May 15, 5:34 pm, "C." <colin.mckin...@gmail.com> wrote:
> On 8 May, 00:57, Joe <j_ev...@upfronttechnology.com> wrote:
>
> > Hello,
>
> > I currently use a simple php webmail form with php's mail() function
> > doing the work to send messages to the site owner.
>
> > However, viruses are being sent via the form.
>
> > I tried adding a basic colaboration of amavis-new, ClamAV and
> > spamassasin, but that filter does not seem to catch them. I assume they
> > are injected into the Postfix process too late.
>
> > Any idea how I can eliminate this?
>
> Holy moley, you're letting users upload files into emails on your
> website then sending them using mail() !!!!
>
> ...and you wonder why you've got problems?
>
> Really, the question you're asking has nothing at all to do with PHP -
> unless you want to use PHP to launch clamscan on uploaded files before
> attaching them to emails (but bear in mind that anyone out to be
> malicious could always incorporate uuencded data inline).
>
> Clam + postfix worked a trick for me using clamsmtp. Its been a while
> since I looked at amavis - but even then it wasn't as bad as a lot of
> commercial AV tools.
>
> I'd try asking on a more apposite (i.e. amavis or postfix) newsgroup.
>
> C.

If you send your php mail via SMTP to your mail server instead of
using mail() it will travel the same path that inbound mail takes.
So . . . . if you have postfix set to use a before/after queue content
filter, your php mail will be filtered as well.