On 24 Oct 2016, at 12:29, Allen Coates wrote:
Over the weekend I had three spam messages get through to my in-box. Two
contained an "X-PHP-Script" header. One was
X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152
and the other
X-PHP-Script: 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php for 110.83.62.203
I suppose I could block them using header_checks, but first, does
anybody know what they (are supposed to) do? I have not encountered
them before.
They are added by the PHP mail() function (if the active PHP config has
them turned on) as a weak but surprisingly useful way for web server
admins to identify exactly where some spam-sending malware has been
deployed. This is a weak tool in theory because a script can effectively
clobber the pathname component, but apparently the folks writing that
class of malware include examples of "any moron can write working PHP"
because I still see these with apparently real values (as above) in spam
at a substantial rate despite this feature existing for over a decade.
I wouldn't advise using the existence of an X-PHP-Script header as an
absolute reason to block mail. In my personal archives I have 30
entirely legitimate, desired messages with that header and 173 spam. In
a workplace account which gets essentially no spam I have no spam with
it in the past 8 years, during which I've received dozens (maybe
hundreds) of absolutely non-spam messages with X-PHP-Script headers
generated by various tools that use PHP (e.g. MediaWiki page change
notices) and from external sources. The content of an X-PHP-Script header
can be useful in more complex filtering systems (e.g. SpamAssassin)
because the spamware scripts often hide themselves in odd directories
like /tmp, /images, and frequently claim to be triggered from IPs that
bear no relationship to the source host (like the above: consumer
broadband IPs in Fuqing, Fujian, China). You can't do that sort of
analysis in Postfix itself.
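The kind of scoring the reply describes, as an added example that is not part of this thread: a small Python scorer that parses an X-PHP-Script value into host, path and client IP, adds points for the odd directories mentioned (/tmp, /images) and for a script host unrelated to the last-hop relay, and gives a bare header no points on its own. The sample message, relay hostname and addresses are constructed; only the header value is taken from the thread.

```python
import re
from email import message_from_string

# Constructed sample message. The X-PHP-Script value is one of the two quoted
# in the thread; the Received line and addresses are made up for illustration.
SAMPLE = """\
Received: from web01.folar.org (web01.folar.org [198.51.100.7])
    by mx.example.org with ESMTP id 4TQ5x1
X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152
From: noreply@folar.org
To: postmaster@example.org
Subject: constructed sample

body
"""

# PHP mail() emits "host/path/to/script.php for <http-client-ip>".
SCRIPT_RE = re.compile(r"^(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<ip>\S+)$")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
# Directories the reply notes spamware scripts often hide in.
ODD_DIRS = ("/tmp/", "/images/")

def parse_php_script(value):
    """Split an X-PHP-Script value into host, path and ip; None if malformed."""
    m = SCRIPT_RE.match(value.strip())
    return m.groupdict() if m else None

def first_relay_host(msg):
    """Hostname from the 'from' clause of the top-most (last-hop) Received header."""
    for received in msg.get_all("Received") or []:
        m = FROM_RE.match(received.strip())
        if m:
            return m.group(1).lower()
    return None

def score_php_script(raw):
    """Return (score, reasons). A plain, well-formed header alone scores 0."""
    msg = message_from_string(raw)
    value = msg.get("X-PHP-Script")
    if value is None:
        return 0, []
    parsed = parse_php_script(value)
    if parsed is None:
        return 1, ["X-PHP-Script present but not in 'host/path for ip' form"]
    score, reasons = 0, []
    if any(d in parsed["path"].lower() for d in ODD_DIRS):
        score += 2
        reasons.append(f"script path in odd directory: {parsed['path']}")
    host, relay = parsed["host"].lower(), first_relay_host(msg)
    if relay and relay != host and not relay.endswith("." + host):
        score += 1
        reasons.append(f"script host {host} unrelated to relay {relay}")
    return score, reasons
```

The score is meant to feed a weighted filter such as SpamAssassin, not a header_checks REJECT.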