Stop PHP nobody Spammers
Published: Apr 07, 2005

Stop PHP nobody Spammers

Update: May 25, 2005:
- Added Logrotation details
- Added Sample Log Output

PHP and Apache have a history of not being able to track which user is sending mail through PHP's mail() function: everything goes out as the nobody user, so a leaky formmail script or a malicious user can spam from your server without you knowing who sent it or from where.

Watching your exim_mainlog doesn't help much: you see the email going out, but you can't tell which user or script sent it. This is a quick and dirty way to get around the nobody spam problem on your Linux server.

If you check your php.ini you'll notice that the mail program (sendmail_path) is set to /usr/sbin/sendmail, and 99.99% of PHP scripts just use the built-in mail() function, so everything goes through /usr/sbin/sendmail =)

Requirements:
We assume you're using Apache 1.3.x, PHP 4.3.x and Exim. This may work on other setups, but we've only tested it on a cPanel/WHM Red Hat Enterprise system.

Time:
10 Minutes, Root access required.

Step 1)
Login to your server and su - to root.

Step 2)
Turn off Exim while we do this so it doesn't freak out.
/etc/init.d/exim stop

Step 3)
Back up your original /usr/sbin/sendmail. On systems using the Exim MTA, the sendmail binary is basically just a pointer to Exim itself.
mv /usr/sbin/sendmail /usr/sbin/sendmail.hidden

Step 4)
Create the spam monitoring script for the new sendmail.
pico /usr/sbin/sendmail

Paste in the following:


#!/usr/local/bin/perl
# Logging wrapper that stands in for /usr/sbin/sendmail: it records who is
# calling, then hands the message and the original arguments to the real binary.
use strict;
use Env qw(REMOTE_ADDR SCRIPT_NAME SERVER_NAME PWD);   # set by Apache for CGI/PHP

my $date = `date`;
chomp $date;
open(my $log, '>>', '/var/log/spam_log') || die "Failed to open file ::$!";

# Effective uid -> passwd entry. Only name, uid, gid, gecos, home and shell are
# logged; field 1 is the password hash and must not land in a shared log file.
my @pw  = getpwuid($>);
my $who = join ' ', map { defined $_ ? $_ : '-' } @pw[0, 2, 3, 6, 7, 8];
my $cwd = defined $PWD ? $PWD : '-';

if ($REMOTE_ADDR) {
    # Called from a web request: log the client address, script and vhost.
    print $log "$date - $REMOTE_ADDR ran $SCRIPT_NAME at $SERVER_NAME\n";
} else {
    # Called from a shell, cron job or other non-web process.
    print $log "$date - $cwd - $who\n";
}
close($log);

# Hand off to the real sendmail with the original arguments. The list form of
# open passes them straight to the program, so nothing is re-parsed by a shell.
my $mailprog = '/usr/sbin/sendmail.hidden';
open(my $mail, '|-', $mailprog, @ARGV) || die "cannot open $mailprog: $!\n";
while (<STDIN>) {
    print $mail $_;
}
close($mail);


Step 5)
Make the new sendmail executable.
chmod +x /usr/sbin/sendmail

Step 6)
Create a new log file to keep a history of all mail going out of the server via web scripts. The wrapper runs as the web server user (nobody), so that user must be able to write to the log; the tutorial makes it world-writable, though write permission is all it needs (0666, or a file owned by the web server user, works; execute bits do nothing for a log file).
touch /var/log/spam_log

chmod 0777 /var/log/spam_log

Step 7)
Start Exim up again.
/etc/init.d/exim start

Step 8)
Monitor your spam_log file for spam: try any formmail or other script that uses a mail function, such as a message board or a contact script.
tail -f /var/log/spam_log

Sample Log Output

Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin
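The comments below keep asking how to find the spammer in this log. The following Python script is an added example, not part of the original tutorial: it reads both record formats the wrapper writes, cuts apart records that ended up on one physical line (what the script writes when the "\n" is lost, as several commenters saw), and counts sends per script or directory and per remote address. The sample log is constructed, with addresses from documentation ranges.

```python
import re
from collections import Counter

# The wrapper writes one of two record formats:
#   web request : "<date> - <REMOTE_ADDR> ran <SCRIPT_NAME> at <SERVER_NAME>"
#   no request  : "<date> - <PWD> - <user> <pw> <uid> <gid> <gecos> <home> <shell>"
WEB_RE = re.compile(r"^(?P<date>.+?) - (?P<addr>\S+) ran\s*(?P<script>\S*?)\s*at\s+(?P<host>\S+)\s*$")
CWD_RE = re.compile(r"^(?P<date>.+?) - (?P<cwd>\S+) -\s*(?P<info>.*?)\s*$")
# Every record starts with a `date` timestamp, so a log written by the unfixed
# wrapper (missing the trailing "\n") can still be cut into records.
DATE_START = re.compile(r"(?=(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d )")

# Constructed sample; the addresses come from documentation ranges, not real senders.
SAMPLE_LOG = (
    "Mon Apr 11 07:12:21 EDT 2005 - /home/username/public_html/directory/subdirectory -  nobody x 99 99   Nobody / /sbin/nologin\n"
    "Wed Apr 13 12:45:01 EDT 2005 - 203.0.113.9 ran ./horde/imp/compose.php at www.example.org\n"
    "Wed Apr 13 12:47:39 EDT 2005 - 198.51.100.7 ran /process.php at www.example.com\n"
    "Wed Apr 13 12:47:41 EDT 2005 - 198.51.100.7 ran /process.php at www.example.com\n"
    "Wed Apr 13 12:47:42 EDT 2005 - 198.51.100.7 ran /process.php at www.example.com\n"
    # Two records run together on one physical line, as the unfixed wrapper writes them.
    "Thu Apr 14 09:00:00 EDT 2005 - /home/username/public_html/forms - nobody x 99 99 Nobody / /sbin/nologin "
    "Thu Apr 14 09:00:05 EDT 2005 - 198.51.100.7 ran /process.php at www.example.com\n"
)

def records(text):
    # Yield one record per timestamp, even when several share a physical line.
    for chunk in DATE_START.split(text):
        for line in chunk.splitlines():
            if line.strip():
                yield line.strip()

def parse_record(line):
    """Return {"addr", "origin"} for one record, or None for debris."""
    m = WEB_RE.match(line)
    if m:
        script = m["script"] or "(SCRIPT_NAME unset)"
        return {"addr": m["addr"], "origin": m["host"] + ":" + script}
    m = CWD_RE.match(line)
    if m:
        fields = m["info"].split()
        user = fields[0] if fields else "(unknown user)"
        return {"addr": None, "origin": m["cwd"] + " as " + user}
    return None

def summarise(text):
    """Count sends per origin (script or directory) and per remote address."""
    by_origin, by_addr, debris = Counter(), Counter(), []
    for line in records(text):
        rec = parse_record(line)
        if rec is None:
            debris.append(line)
            continue
        by_origin[rec["origin"]] += 1
        if rec["addr"]:
            by_addr[rec["addr"]] += 1
    return by_origin, by_addr, debris

if __name__ == "__main__":
    by_origin, by_addr, debris = summarise(SAMPLE_LOG)
    for label, counter in (("script/directory", by_origin), ("remote address", by_addr)):
        print(f"sends per {label}:", *(f"{n:4d} {k}" for k, n in counter.most_common()), sep="\n  ")
    print(f"{len(debris)} unparsed fragment(s)")
```

Point it at the real file with summarise(open("/var/log/spam_log").read()) and the busiest origin is the script or directory to inspect first.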

Log Rotation Details
Your spam_log file isn't set to be rotated, so it may grow very large quickly. Keep an eye on it and consider adding it to your log rotation.

pico /etc/logrotate.conf

FIND:
# no packages own wtmp -- we'll rotate them here
/var/log/wtmp {
    monthly
    create 0664 root utmp
    rotate 1
}

ADD BELOW:

# SPAM LOG rotation
/var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
}



Notes:
You may also want to run chattr +i /usr/sbin/sendmail so it doesn't get overwritten (for example by a cPanel update); remember to chattr -i it again before you remove or restore the file.

Enjoy knowing you can see nobody is actually somebody =)

Thanks to MattF and others who worked on this.


Comments (58)

  • Jerry404 08:41, April 10, 2005
    Could you put example spam_log output? I think I got it to work on a Redhat9/Cpanel system, however the information recorded seems to be limited to date/location of the script. Which is a lot anyway, however looking at the $variables in the script I expected more info.
  • VexT 18:57, April 13, 2005
    Wed Apr 13 12:45:01 EDT 2005 - 69.x.x.x ran ./horde/imp/compose.php at www.website.org n - - - -
    Wed Apr 13 12:47:39 EDT 2005 - 209.x.x.x ran /process.php at www.website.com n - -
  • Haloweb 14:06, April 14, 2005
    I tried to get this working on Redhat9/Cpanel but although it recorded all the PHP sendmail attempts it was not sending the actual mail - any ideas?
  • ScottsdaleHosting 09:59, April 19, 2005
    Haloweb,
    Did you move the original /usr/sbin/sendmail to /usr/sbin/sendmail.hidden exactly as stated in the tutorial? You have to rename your actual sendmail file to sendmail.hidden because the new spam-catching sendmail script calls sendmail.hidden to actually deliver the message.
  • VexT 07:15, May 1, 2005
    The spam_log doesn't seem to have any line breaks. Great stuff, especially if that could be addressed.
  • Snowman 11:38, May 2, 2005
    Great tute.
    For adding the log to logrotate, will the following work?
    /var/log/spam_log {
    missingok
    postrotate
    endscript
    }
    and if so, should this be added to the bottom of logrotate.conf or to the /etc/logrotate.d/exim file?
  • Snowman 03:14, May 14, 2005
    Unfortunately this hack stopped working for no apparent reason after about 24 hours; all mail was lost, with nothing getting through at all until I removed it :(
    It's a pity because it was a great idea.
  • Steve 03:38, May 17, 2005
    Did you ensure you did
    chattr +i /usr/sbin/sendmail
    and also check the permissions? It sounds like Cpanel did an automatic update and overwrote your changes.
  • Craig 18:07, May 22, 2005
    Hello
    This is a nice tutorial, but some things:
    (1) If we are disabling the NOBODY user, then how exactly should we modify our MAIL() functions in PHP code? This has not been addressed. If we clearly specify SMTP.MYDOMAIN.COM in our PHP code, will that work?
    (2) How exactly can we add the EXIM file to logrotate? I use cPanel 10.0.0-R161.
    Thanks, and if you reply, kindly send a note to my email address as well.
    CM
  • Steve 17:21, May 25, 2005
    You can add the following to get it rotating.
    pico /etc/logrotate.conf
    # SPAM LOG rotation
    /var/log/spam_log {
    monthly
    create 0777 root root
    rotate 1
    }
    Article updated with this as well.
  • Andrew 16:50, June 1, 2005
    As someone mentioned, can line breaks be added to make the logs more readable?
    Thanks.
  • Andrew 17:58, June 2, 2005
    **UPDATE** this tutorial does not work!! It will break the PHP mailer function; no mail got delivered for any of our clients while using this hack.
    Andrew
  • Vincent 22:29, June 13, 2005
    To add the linebreak, simply change
    print INFO "$date - $PWD - @infon";
    to
    print INFO "$date - $PWD - @infon /n/n";
  • Mak 02:02, June 16, 2005
    It's working fine, but there should be more enhancements. How about the destination email,
    and what about generating an RSS feed of new spams?
  • Mark 02:20, June 16, 2005
    How about more improvements like
    1) Destination email
    2) user
    3) script path
    and then generating an RSS file of the result;
    would it be cool and useful?
  • mic 06:45, June 16, 2005
    I tried to get this working on Redhat9 but although it recorded all the PHP sendmail attempts it was not sending the actual mail and did not restart sendmail - any ideas?
  • Susan 06:51, June 16, 2005
    I tried to get this working on Redhat9 but although it recorded all the PHP sendmail attempts it was not sending the actual mail and did not restart sendmail.
  • PHP 22:52, June 25, 2005
    When running this:
    chattr + i /usr/sbin/sendmail
    It gives:
    chattr: No such file or directory while trying to stat i
    I have verified that the file exists by opening it.
    What can be done?
  • dt 11:47, July 3, 2005
    To PHP: just remove the space between + and i and it will work.
  • behzad 15:17, July 9, 2005
    This hack only delivers to local emails. An error occurs when trying to send mail out, like to Yahoo mail:
    xxxxx@yahoo.com R=fail_remote_domains: unrouteable
    mail domain "yahoo.com"
  • ogy 22:55, July 12, 2005
    It would be chattr +i /usr/bin/sendmail
  • MCT 22:20, July 24, 2005
    PHP -- get rid of the space between the + and the i; it should look like:
    chattr +i /usr/sbin/sendmail
    Got this working well, but started getting these silly messages like "- - user x 33333 33334 /home/user /usr/local/cpanel/bin/noshell" in the log file. A little snooping and it turned out to be message forwards to emails on the same server set up by clients in cpanel. Very scary at first, as it looks like spammer activity!
  • someone 09:49, July 31, 2005
    You people do know that this is VERY insecure and not properly written, right?
    Do me a favor and just do this as root:
    perl -le 'print getpwuid($<);'
    You will see root's password hash.
    perl -le '$,=":"; @info = getpwnam((getpwuid($<))[0]); delete(@info[1]); print @info;'
    root::0:0:::root:/root:/bin/bash
    Well well, isn't that better.
    And what's up with this 0777 crap? Since when does a logfile need to have execute permissions anyway?
    What needs to be done here is to use the syslog facility.
    Please people, do not blindly use scripts from the internet without knowing what they are doing first.
  • Stephen 20:48, September 5, 2005
    How can I uninstall this script?
    My clientexec script stopped sending invoices...
  • Yujin 08:28, September 9, 2005
    To uninstall the script, do
    rm -f /usr/sbin/sendmail
    mv /usr/sbin/sendmail.hidden /usr/sbin/sendmail
  • M.A 12:00, October 5, 2005
    I cannot send mail from a PHP program with the mail() function.
    What should I do?
  • Taz 01:25, October 21, 2005
    Mine logs as well (not cleanly, no line breaks) but the email doesn't get delivered. Please help.
  • hz 00:01, October 26, 2005
    I can't see spam_log anymore; only - - - - - appears instead of /home/user/script.cgi
  • Thomas 17:49, November 22, 2005
    Hi
    hmm, I just implemented your script and it is working perfectly. Thanks
    The output I have is like
    Tue Nov 22 17:29:20 CET 2005 - 127.0.0.1 ran at xx.xx.xxx.xx n
    (only hiding my IP)
    Could somebody explain to me what that means?
  • Tamouh 03:53, November 24, 2005
    Additionally, you can monitor EXIM logs and find out which script path initiated the spam by adding this line at the start of your EXIM config file (this should be all on one line):
    log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error
  • emeric Olenga 12:57, November 30, 2005
    How do I clean up tail -f /var/log/spam_log when it is big?
  • Bhavik 12:47, December 2, 2005
    If we are disabling the NOBODY user, then how exactly should we modify our MAIL() functions in PHP code? Can anybody help me out?
  • Lukas 15:41, December 20, 2005
    I got logs like this one: how can I locate a spammer?
    myip nTue Dec 20 14:32:46 CET 2005 - 83.29.68.195 ran at
    myip nTue Dec 20 14:33:12 CET 2005 - 83.29.68.195 ran at
    myip nTue Dec 20 14:33:19 CET 2005 - 83.29.68.195 ran at
  • Cem 18:57, December 29, 2005
    Hi,
    Thank you for that great tutorial. Can you make it more advanced?
  • SAINT 03:54, January 22, 2006
    If you are running Cpanel you can do the same thing by clicking "tweak settings" under Server Configurations. This fixed the spam problem and did not break the mail scripts.
  • jayesh 09:23, February 21, 2006
    Please reply to this query.
    I'm using the mail function to send mails in PHP; they get sent to the bulk folder.
    I want to send them to the inbox.
    How do I do it?
    Help????
  • Hitesh Kachru 20:16, February 26, 2006
    Can this be done on Qmail with Plesk CP? How to do this in Qmail?
  • kailas 08:38, April 5, 2006
    But how will I know that there are PHP nobody spammers and that I have to do the above? Please assist me with this.
  • Prabash32 16:30, April 9, 2006
    This article is of great use for us...
    working fine on our servers...
    mmmmmm Great..!!!!!!!!!
    Thanks
  • Nixon Girard 23:24, April 16, 2006
    SENSATIONAL
  • codeunix 16:26, April 29, 2006
    I have a big problem, I can't send any email, I get a Mail delivery system error that the email was not delivered, please help me out :(
    thanks
  • bobby 12:36, May 15, 2006
    hi,
    just curious, why do I see sendmail processes for users even if they have no script installed that uses sendmail?
    Thanks
  • ME 18:02, May 16, 2006
    I get this error when I log in as root
    /usr/sbin/sendmail: Exec format error
  • Me 21:12, May 31, 2006
    Yujin
    To uninstall the script, do
    rm -f /usr/sbin/sendmail
    mv /usr/sbin/sendmail.hidden /usr/sbin/sendmail
    ============================
    rm: cannot remove `/usr/sbin/sendmail': Operation not permitted
    root@home [~]#
    any solution???
  • Steve 01:34, June 1, 2006
    chattr -i sendmail maybe?
    Or try lsattr sendmail to see if it has any special attributes set. You might have to shut down the mail server before you can remove it; if a process is using it you won't be able to remove it.
  • Richard 16:09, June 21, 2006
    Has anyone tried the above changes using Dovecot instead of sendmail? I can't really find info about that :-(
  • justin 07:18, July 10, 2006
    The idea is great. But nobody has further explained the need for 0777 for the logs.
    Isn't that a point (by someone)?
    :)
  • Rafal 02:17, February 3, 2007
    Great article! I'm using this on every one of my servers.
  • Edward 23:07, April 23, 2007
    I can't get this to log or send mail out. It just fails! Anyone got any experience as to why?
    System: Fedora Core 3
    Mail: Postfix
  • abdalla 19:31, July 26, 2007
    it's not working
    not secure
    just read your exim logs and throw it away
    bye
  • ldaap 08:38, September 24, 2007
    This script does not work with the Plesk panel, because when I implemented it the server stopped sending emails.
  • behnam sarfarazi 15:07, December 12, 2007
    How can I know who the spammer is in the log?
  • Dennis 21:54, December 14, 2007
    Great script. Works for all my servers, except for the new one.
    The new one with the newest Plesk/Qmail will fail to send mail using this script.
  • matt 19:22, February 7, 2008
    This looks a bit outdated, but the script has a few errors.
    Please note @infon looks as though it should be @info\n (note the slash in front of the trailing n). It looks like the HTML does not display the slashes.
  • Edward 00:37, April 27, 2008
    Hi,
    I'm trying to add the line break in the spam log, but it is not working. I changed the line:
    print INFO "$date - $PWD - @infon";
    to
    print INFO "$date - $PWD - @infon /n/n";
    But not working. :-(
    Also, can we see the exact script/file name in the log like the one described by VexT?
    VexT
    Wed Apr 13 12:45:01 EDT 2005 - 69.x.x.x ran ./horde/imp/compose.php at www.website.org n - - - -
    Wed Apr 13 12:47:39 EDT 2005 - 209.x.x.x ran /process.php at www.website.com n - -
    I am only getting the corresponding directory and not the file. Please see the results from my server:
    # tail -f /var/log/spam_log
    Sun Apr 27 01:16:54 EEST 2008 - /home/rbeg/public_html/err - Sun Apr 27 01:17:01 EEST 2008 - /home/rbeg/public_html/err - Sun Apr 27 01:17:01 EEST 2008 - / - Sun Apr 27 01:17:40 EEST 2008
    Please advise.
    Thanks.
  • Randy Henderson 02:21, November 19, 2008
    This seems dated; none of the "this works great" comments had a date (the last one said Apr 27 from the logs but who knows what year). Since cPanel 11 I am not sure this would work.
    But the jewel in reading all this was Tamouh's post. This works great for putting who sent the email into the exim log, where it should be.
    The only difference between what Tamouh posted and what I am using is that I also added +subject to my configuration.
    November 2008
  • J. ADAM 03:20, March 17, 2010
    I'm a newbie here on that; how can I see the log file, where?
    no idea
    thank you for helping me
  • Andras 17:02, September 29, 2010
    For those who have trouble sending mail after installing this script:

    1) sendmail IS the program that mails the mails
    2) you replace that program with a script that, instead of sending the mail, writes a log of who is sending
    3) this way you can see WHO is sending
    4) after you have killed off that WHO you should remove the script and restore the original sendmail file so that it can send the mails
    5) you should also probably empty the queue if it is full of spam
