manage outgoing spam via php mail()

Driesp

Verified User
Joined
Mar 12, 2007
Messages
195
Location
Belgium
Hi all

I am wondering how different hosting providers are managing outgoing spam sent from their servers.
In other words: what do you do to limit or remedy this spam issue?

Many clients use the mail() command to send contact form messages (many to their hotmail) (and of course many are spam).
Wordpress (and others) use the mail() command to notify clients about a new (spam) message commented on a public topic. And so on...
Clients struggle very much to set up a working captcha. It is a hell to manage, and to follow up on them.
I have told many to stop using a contact form altogether or if really necessary set up their own (protected) RSS feed. They don't understand, and it is 'support heavy' to explain.

I have heard of providers disabling outgoing messages sent from websites towards external e-mail addresses.
They only allow these messages to be sent to a mailbox hosted inside their own network.
Maybe this is what I want to achieve, I don't know yet.
I also don't know how clients will accept this if this kind of limitation is implemented.

Using an e-mail address whitelist could be something if we can whitelist our own hosted domains.

Using an outgoing spamfilter is maybe not what I want to do, because it's not watertight.
 
Many clients use the mail() command to send contact form messages (many to their hotmail) (and of course many are spam).
Yeah bad idea. If we get on a Microsoft grey or blacklist, or any other blacklist due to contact forms, we urge our users to use smtp mail for their forums and if possible use their domain mail account. But often I just advise them that best is to create a contact page without form and just their email address (not clickable if possible).
When using Wordpress, there are "ready-made" captcha options, like also with Contact Form 7, which I sometimes advise to my customers.

We have thought to limit outgoing mail to smtp, but since we don't have hundreds of accounts on the server, and the abuse is not that much, we decided not to do that for the time being.

We do however monitor strictly, get messages from Munin and DA when too much mail is going out, and we use the DA send limits, and also the disable_php_script_at_limit_minimum and disable_php_script_at_limit_threshold to catch spam due to mail hacks or this kind of abuses. Setting these limits can take a bit of tuning and monitoring in the beginning.
As soon as we see it happening, we suspend the account to see where it's coming from and tell the customer to fix it.

There is also a whitelist option as far as I know.
There are also people using external services like spamexperts, which can also only be used for outgoing mail if wanted. It might not be watertight, however, it might limit the amount of times getting on a greylist. I don't know, never worked with external anti spam parties yet.
 
Hi Richard

I totally agree with you. Thank you for your message.

After some thought, I am probably looking for a serverwide captcha solution that sanitises all POST requests on apache.
I have seen solutions specifically for wp-login.php, but only for GET requests and for that specific page.
I am looking for a server wide solution, and for all POST requests working with apache.

Kr
Dries
 
I have programmed a system wide captcha that redirects all POST requests via my captcha validation page.
It is not based on recaptcha, I have fixed something easy myself: the sum of two numbers. (example: What is the sum of 'two' and 'fourteen') and a dropdown to choose from. I suspect no bot expects this question and a dropdown, so I think it will be easy for a human and difficult for a bot.
I have found code on this forum, and changed it to my liking.

I have developed all day today, so it is still very alpha.
It works for all POST requests on wordpress (contactpage, loginpage, comments page,...), joomla, drupal.
Except for json based POST requests (=> prestashop, or a shop based on joomla). I don't know yet if I can somehow fix this.
But the client can disable it if it does not work.
 
Oh that sounds marvelous Dries. A system wide captcha with own questions is superb.
I always use own questions when configuring forums too because bots have a hard issue on those. And especially with a drop down this will limit problems to human spammers because bots will have a very hard one on that.

But I'm getting very curious now about something. If this is serverwide, how does this get triggered? Because I presume this is meant for contact forms. But suppose somebody has a forum like phpBB and is using php mail() to send out mail. This won't interfere then I presume? That is not using a POST request?

I'm no programmer, so maybe my question sounds a bit odd, but that's because I don't know how this works.

I'll further keep out of the thread in the hope somebody can help you with the json based POST request, I wish I could help you with that but unfortunately, totally no knowledge of those kind of things.
 
I will post the scripts today, I am still fixing little bugs.

It works with mod_rewrite.
You will have to configure these rules for all virtualhosts (in custom config)
These rules have a condition that checks whether it is a POST request,
and it excludes IP addresses that are already successfully validated.

If above conditions are correct, it will redirect the request to my captcha page.
My captcha page stores all the posted values (in hidden form fields on the same page) and asks the visitor to solve the captcha. If it is correct,
it will store the visitor's IP and will then ask the visitor to POST again towards the original URL 'like nothing happened'; it will also try to let JavaScript submit it.
No cookies are used.

Logic = magic :)

Update: I have created a new topic for this here: https://forum.directadmin.com/threads/serverwide-post-captcha-validation.65426/
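The gate described in this post, written out as an added example (this is not Dries's script from the linked topic, and not DirectAdmin code): a PHP page that mod_rewrite hands every unvalidated POST to, which parks the original fields in hidden inputs, asks the word-sum question, records the visitor's IP on success and replays the POST to the original URL. The rewrite rules, the allow-file directory, the secret file and the `_gate_*` field names are assumptions of this example. Instead of a cookie or a session, the expected answer travels with the form in an HMAC-signed, expiring token.

```php
<?php
// Added example, not the thread author's script: a minimal server-wide POST
// captcha gate built on the mechanism described above (mod_rewrite + a page
// that keeps the original POST in hidden fields, no cookies).  Assumed
// mod_rewrite rules for each virtual host (an internal rewrite, so the POST
// body survives and $_SERVER['REQUEST_URI'] still holds the original URL):
//
//   RewriteEngine On
//   RewriteCond %{REQUEST_METHOD} =POST
//   RewriteCond %{REQUEST_URI} !^/captcha-gate\.php$
//   RewriteCond /var/lib/postgate/allow/%{REMOTE_ADDR} !-f
//   RewriteRule ^ /captcha-gate.php [L]
//
// Paths, field names and the secret location are assumptions of this example.
declare(strict_types=1);

const ALLOW_DIR   = '/var/lib/postgate/allow';  // assumed: one empty file per validated IP
const SECRET_FILE = '/etc/postgate.secret';     // assumed: random bytes, readable by the web server only
const TOKEN_TTL   = 600;                        // seconds a question stays answerable
const WORDS = ['zero','one','two','three','four','five','six','seven','eight','nine','ten'];

// The operands and an expiry travel in an HMAC-signed token, which replaces a
// server-side session; the client cannot forge a token for an answer it picks.
function makeToken(int $a, int $b, int $exp, string $secret): string {
    $data = "$a|$b|$exp";
    return $data . '|' . hash_hmac('sha256', $data, $secret);
}

function verifyToken(string $token, int $answer, int $now, string $secret): bool {
    $parts = explode('|', $token);
    if (count($parts) !== 4) return false;
    [$a, $b, $exp, $mac] = $parts;
    $data = "$a|$b|$exp";
    if (!hash_equals(hash_hmac('sha256', $data, $secret), $mac)) return false;  // constant-time compare
    if ((int)$exp < $now) return false;                                          // question expired
    return (int)$a + (int)$b === $answer;
}

// Only a relative path on this host is accepted as replay target, so the gate
// cannot be used to bounce a POST to another site.
function safeTarget(string $uri): string {
    return (preg_match('#^/(?![/\\\\])#', $uri) === 1) ? $uri : '/';
}

// Re-emit arbitrary (possibly nested) POST data as hidden inputs.  Every name
// and value is HTML-escaped, because the gate reflects visitor-controlled input.
function hiddenFields(array $data, string $prefix = ''): string {
    $html = '';
    foreach ($data as $key => $value) {
        $name = $prefix === '' ? (string)$key : $prefix . '[' . $key . ']';
        if (is_array($value)) {
            $html .= hiddenFields($value, $name);
        } else {
            $html .= sprintf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
                htmlspecialchars($name, ENT_QUOTES), htmlspecialchars((string)$value, ENT_QUOTES));
        }
    }
    return $html;
}

function renderQuestion(string $target, array $payload, string $secret): void {
    $a = random_int(1, 10);
    $b = random_int(1, 10);
    $token = makeToken($a, $b, time() + TOKEN_TTL, $secret);
    $options = '';
    for ($i = 0; $i <= 20; $i++) $options .= "<option value=\"$i\">$i</option>";
    echo '<form method="post" action="/captcha-gate.php">',
         hiddenFields(['_gate_target' => $target, '_gate_payload' => json_encode($payload), '_gate_token' => $token]),
         "<p>What is the sum of '", WORDS[$a], "' and '", WORDS[$b], "'?</p>",
         "<select name=\"_gate_answer\">$options</select> <button>Continue</button></form>";
}

$secret = file_get_contents(SECRET_FILE);
if ($secret === false || strlen($secret) < 32) { http_response_code(500); exit('gate misconfigured'); }

if (isset($_POST['_gate_token'])) {                                // the visitor answered the question
    $target  = safeTarget((string)($_POST['_gate_target'] ?? '/'));
    $payload = json_decode((string)($_POST['_gate_payload'] ?? '[]'), true) ?: [];
    if (verifyToken((string)$_POST['_gate_token'], (int)($_POST['_gate_answer'] ?? -1), time(), $secret)) {
        @touch(ALLOW_DIR . '/' . $_SERVER['REMOTE_ADDR']);          // the rewrite rule now skips this IP
        echo '<form id="r" method="post" action="', htmlspecialchars($target, ENT_QUOTES), '">',
             hiddenFields($payload),
             '<noscript><button>Continue</button></noscript></form>',
             '<script>document.getElementById("r").submit()</script>';
    } else {
        renderQuestion($target, $payload, $secret);                  // wrong or expired: ask again, keep the data
    }
} else {                                                           // first interception of a POST
    renderQuestion(safeTarget($_SERVER['REQUEST_URI'] ?? '/'), $_POST, $secret);
}
```

Two limits of this design follow directly from what the post describes. Only form-encoded bodies land in `$_POST`, so a JSON POST (the PrestaShop case mentioned earlier) arrives with an empty payload and the replay loses it; such endpoints have to be excluded in the rewrite conditions. And because validation is remembered per IP address without a cookie, one solved question unlocks the address for everyone behind the same NAT or proxy, so the allow files should be expired (for example by a cron job removing entries older than a day) rather than kept forever.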
 