PHP Mail() Abuse

Recently came up against a bit of a tough nut to crack, so to speak, and thought I’d write up a quick blog about how I fixed it, in case anyone else has this problem. At MRX, we have several different hosting environments we use, one of which is a shared environment for our smaller clients. The problem being that one of those clients had a vulnerability on their site that was allowing spammers to send unauthorized e-mail through our servers, thereby getting us onto a whole bunch of blacklists.

After a bit of searching around, it seems as though its actually possible to completely disable the mail() function from PHP, however, that was only a temporary solution. This is simply a matter of adding

disable_functions "mail"

to the php.ini file and reloading the apache configs.

While I searched for an actual solution to the problem, I came up with the idea of attempting to use a php_admin_value flag value to disable e-mail for a specific virtual host inside the htaccess files until I was able to determine which was the offending site. Again – brick wall – PHP doesn’t support setting disable_functions in the php_admin_value flag.

So, after a bit of searching, I decided to just add the following to each site’s .htaccess files:

php_admin_value sendmail_path "/dev/null"

Essentially sending all e-mail to /dev/null for that particular site. Perhaps not the most elegant solution, but it was effective, as we are no longer sending e-mail through a broken form and I was able to alert the affected client that they had a problem.