Many thanks for your explanation. And here was I, thinking I had found a new spam-killer. :-(
Allen C

On 25/10/16 00:35, Bill Cole wrote:
> On 24 Oct 2016, at 12:29, Allen Coates wrote:
>
>> Over the weekend I had three spam messages get through to my in-box. Two contained an "X-PHP-Script" header.
>>
>> One was
>> X-PHP-Script: folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152
>>
>> and the other
>> X-PHP-Script: 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php for 110.83.62.203
>>
>> I suppose I could block them using header_checks, but first, does anybody know what they (are supposed to) do? I have not encountered them before.
>
> They are added by the PHP mail() function (if the active PHP config has them turned on) as a weak but surprisingly useful way for web server admins to identify exactly where some spam-sending malware has been deployed. This is a weak tool in theory because a script can effectively clobber the pathname component, but apparently the folks writing that class of malware include examples of "any moron can write working PHP" because I still see these with apparently real values (as above) in spam at a substantial rate despite this feature existing for over a decade.
>
> I wouldn't advise using the existence of an X-PHP-Script header as an absolute reason to block mail. In my personal archives I have 30 entirely legitimate, desired messages with that header and 173 spam. In a workplace account which gets essentially no spam I have no spam with it in the past 8 years, during which I've received dozens (maybe hundreds) of absolutely non-spam messages with X-PHP-Script headers generated by various tools that use PHP (e.g. MediaWiki page change notices) and from external sources. The content of an X-PHP-Script header can be useful in more complex filtering systems (e.g. SpamAssassin) because the spamware scripts often hide themselves in odd directories like /tmp, /images, and frequently claim to be triggered from IPs that bear no relationship to the source host (like the above: consumer broadband IPs in Fuqing, Fujian, China.) You can't do that sort of analysis in Postfix itself.
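To illustrate the kind of content-based analysis Bill describes (scoring the header rather than blocking on its presence), here is an added example that is not from the thread or from any Postfix/SpamAssassin code. It assumes the header has the shape seen in the quoted messages, "host/path for client-ip", and it uses two heuristics drawn from the discussion: a script path under an odd directory such as /tmp or /images, and a claimed client IP that has no relationship to the host that actually handed the message over. The sending-host IP and the legitimate-looking sample header are constructed values (documentation-range addresses); the two spam headers are the ones quoted above.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Directories the thread names as typical hiding places for spamware scripts.
SUSPICIOUS_DIRS = {"tmp", "images"}

# Assumed header shape, matching the quoted examples: "<host>/<path> for <ip>".
# This is an assumption about the hosting patch that adds the header, not a PHP spec.
_HEADER_RE = re.compile(r"^\s*(?P<script>\S+)\s+for\s+(?P<ip>[0-9a-fA-F.:]+)\s*$")


@dataclass
class PhpScriptInfo:
    script: str                    # "host/path/to/script.php" as given in the header
    claimed_ip: Optional[object]   # ipaddress object for the "for <ip>" part, or None
    path_segments: List[str]       # path components after the host, e.g. ["wp-content", ...]


def parse_x_php_script(value: str) -> Optional[PhpScriptInfo]:
    """Split an X-PHP-Script header value into script path and claimed client IP.

    Returns None when the value does not match the assumed shape, so callers
    can ignore malformed or deliberately clobbered headers instead of trusting them.
    """
    m = _HEADER_RE.match(value)
    if not m:
        return None
    script = m.group("script")
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        ip = None
    segments = [s for s in script.split("/")[1:] if s]  # drop the host component
    return PhpScriptInfo(script=script, claimed_ip=ip, path_segments=segments)


def score_x_php_script(value: str, sending_host_ip: str) -> Tuple[int, List[str]]:
    """Heuristic score for an X-PHP-Script header; higher means more suspicious.

    sending_host_ip is the IP of the relay that delivered the message to us
    (what Postfix logs as the client). Scores are meant to feed a weighted
    filter such as SpamAssassin, never to reject on their own.
    """
    reasons: List[str] = []
    info = parse_x_php_script(value)
    if info is None:
        return 0, ["unparseable header (ignored)"]

    score = 0

    # Heuristic 1: the script lives under a directory spamware tends to hide in.
    # Only directory components count; the final segment is the script file itself.
    odd = [s for s in info.path_segments[:-1] if s.lower() in SUSPICIOUS_DIRS]
    if odd:
        score += 2
        reasons.append("script under odd directory " + "/".join(odd))

    # Heuristic 2: the claimed triggering client is unrelated to the sending host.
    # Weak signal on purpose: any visitor-triggered mail carries a visitor IP here,
    # so "same /24 (or /48 for IPv6)" is a stand-in for the geographic sanity check
    # Bill describes, which would need an external lookup not included here.
    if info.claimed_ip is not None:
        sender = ipaddress.ip_address(sending_host_ip)
        if info.claimed_ip.version != sender.version:
            unrelated = True
        else:
            prefix = 24 if sender.version == 4 else 48  # assumed neighbourhood size
            net = ipaddress.ip_network(f"{sender}/{prefix}", strict=False)
            unrelated = info.claimed_ip not in net
        if unrelated:
            score += 1
            reasons.append(
                f"claimed client {info.claimed_ip} unrelated to sending host {sender}"
            )

    return score, reasons


if __name__ == "__main__":
    # Constructed sending-host address (documentation range); the first two header
    # values are the ones quoted in the thread, the third is a constructed benign one.
    SENDING_HOST = "203.0.113.10"
    SAMPLES = [
        "folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php for 110.83.63.152",
        "118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php for 110.83.62.203",
        "wiki.example.org/index.php for 203.0.113.10",
    ]
    for header in SAMPLES:
        score, reasons = score_x_php_script(header, SENDING_HOST)
        print(f"{score}  {header}\n      {'; '.join(reasons) or 'no findings'}")
```

The two quoted spam headers score only on the unrelated-client heuristic because their paths sit under ordinary WordPress plugin directories, which matches Bill's point that the header is a weighting input, not a verdict: a path under /tmp or /images plus an unrelated client would score higher, while a MediaWiki notice triggered from the server's own neighbourhood scores nothing.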