Security Guide: Find and Secure Rogue PHP Mail Scripts

What is a rogue mail script?

A mailer script is a server-side script which allows a website visitor to send an e-mail message. The most common mail script configuration will include an HTML form and a PHP script which accepts either $_GET or $_POST variables (sometimes a combination of the two) to build a message which will be sent to PHP's mail() function.

Unfortunately, many novice PHP programmers rely on the mail() function to power contact forms without understanding how the mail() function may be exploited. This lack of understanding has created a new outlet for spammers: exploiting poorly-secured PHP contact forms has become a common way to send out large volumes of spam.

A mail script which can be exploited is not serving its intended purpose - it can be said that the script is (or will likely become) a rogue mail script.

Why are mail scripts a cause for concern?

As a server administrator, it is your responsibility to ensure the security of your virtual private server at VPSLink. The Acceptable Use Policy governs acceptable uses for VPSLink accounts:

2.7 INSUFFICIENTLY-SECURE ADMINISTRATION / D. Operating an open mail relay

In addition to wasting bandwidth, contributing to other networks' spam filtering overhead, and annoying e-mail address holders everywhere, spam generated by rogue mailer scripts will increase the likelihood that your IP and domain will be blacklisted.

Once an IP or domain which has hosted rogue mailer scripts has been blacklisted, it is virtually impossible to ensure that e-mail legitimately sent from that IP or domain will reach all of its intended recipients.

How can I find rogue mail scripts on my server?

The quickest way to find all the scripts which may be sending mail on your server is to ssh to your server console and run the following command as the root user:

find / -type f -name "*.php*" -print0 | xargs -0 grep -liZ 'mail' | xargs -0 grep -in 'mail' > ~/mail.scripts.log

This command will create a log file named mail.scripts.log under your root user's home directory. Each line of the file gives the path of a PHP file, the line number, and the text of a line in that file which contains "mail" (in any combination of upper and lower case). The -print0 and -0 options keep file names containing spaces from breaking the pipeline.

"mail" is a very common term, so you should scan through the file for lines which actually contain calls to PHP's mail() function. These lines may be similar to the examples below:

/path/to/file.php:43: mail ( $variable, $variable, $variable );
/path/to/file2.php:61: mail ( 'admin@example.com', $HTTP_POST_VARS['message_subject'], $HTTP_POST_VARS['message_body'] );
/path/to/file3.php:29: mail ( 'admin@example.com', $_POST['message_subject'], $_POST['message_body'] );

If you are not prepared to correct the vulnerability in mail scripts which you find, you should delete the scripts which contain calls to the mail() function to ensure the security of your system and compliance with the Acceptable Use Policy.
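The log produced above contains every line mentioning "mail", so it still has to be read by hand. The following PHP command-line script is an added example (it is not part of this wiki page or of any VPSLink tool) that narrows the search to lines which actually look like calls to PHP's mail() function, printing them in the same file:line:content layout as the grep command. The document root /var/www is an assumed default; pass the directory to scan as the first argument.

```php
<?php
// Added example, not from the VPSLink wiki: list the lines in a directory tree
// that appear to call PHP's mail() function. Output format mirrors the
// "find | xargs grep -in" command: path:line: content

function find_mail_calls(string $root): array
{
    $hits = [];
    // Match "mail(" (PHP function names are case-insensitive) but not a longer
    // identifier such as sendmail(, a variable function $mail(, or a method ->mail(.
    $pattern = '/(?<![\w$>])mail\s*\(/i';

    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        // Same file selection as find's -name "*.php*" (also catches .php3, .phtml-style names containing ".php")
        if (!$file->isFile() || !preg_match('/\.php/i', $file->getFilename())) {
            continue;
        }
        $lines = file($file->getPathname(), FILE_IGNORE_NEW_LINES);
        if ($lines === false) {
            continue; // unreadable file; keep scanning the rest
        }
        foreach ($lines as $i => $line) {
            if (preg_match($pattern, $line)) {
                $hits[] = sprintf('%s:%d: %s', $file->getPathname(), $i + 1, trim($line));
            }
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    $root = $argv[1] ?? '/var/www'; // assumed document root; override on the command line
    foreach (find_mail_calls($root) as $hit) {
        echo $hit, PHP_EOL;
    }
}
```

Run it as root with `php find_mail_calls.php /` (or a narrower path) and review each reported file. The pattern will still report mail( inside comments and strings, so a reported line is a candidate to inspect, not proof that the script sends mail; conversely, a script that calls mail() through a wrapper function will only be reported at the wrapper's definition.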

How can I secure my mail scripts?

Because spamming is a commercial endeavor, spammers are very motivated to find ways to exploit others' resources. Creating an absolutely secure mail script is fairly difficult. However, making it harder for spammers to exploit your scripts will generally be sufficient to discourage them from spamming others with your resources.

Implementing the following suggestions will greatly improve the security of your mail scripts:

  1. Rename mail scripts - do not use common names like "contact.php", "email.php", or "feedback.php"
  2. Remove all non-alphanumeric characters from mailing variables
  3. Replace all line-breaks in mailing variables with space characters
  4. Implement CAPTCHA with every mail form
  5. Hard-code the "to" e-mail address and subject in every call to the mail() function - for example: mail ('your.address@your.domain.com', 'E-mail Subject', $message_body);
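The following form handler is an added example (it is not code from this wiki page) that applies items 2, 3 and 5 of the list above to a contact form: the recipient and subject are hard-coded, values that end up in the message are stripped of line breaks, and the visitor's reply address is validated rather than copied into a header. The form field names (name, email, message) and the addresses your.address@your.domain.com and contact-form@your.domain.com are assumptions; item 1 (renaming the script) and item 4 (adding a CAPTCHA) are not shown.

```php
<?php
// Added example, not from the VPSLink wiki: a contact-form handler that
// follows the recommendations above. Compare it with the pattern
//   mail('admin@example.com', $_POST['message_subject'], $_POST['message_body']);
// where the visitor controls the subject line and, through it, the header block.

const CONTACT_TO      = 'your.address@your.domain.com'; // item 5: hard-coded recipient (assumed address)
const CONTACT_SUBJECT = 'Website contact form';         // item 5: hard-coded subject

// Item 2: a value that may be placed near a header keeps only letters, digits
// and spaces (spaces are kept so a name stays readable; the wiki's advice is
// stricter and removes everything non-alphanumeric).
function header_safe(string $value, int $maxLen = 64): string
{
    $clean = preg_replace('/[^A-Za-z0-9 ]/', '', $value) ?? '';
    return substr($clean, 0, $maxLen);
}

// Item 3: the body may keep punctuation, but every CR, LF and NUL becomes a
// space so the message text can never introduce a new line into the message.
function body_safe(string $value, int $maxLen = 4000): string
{
    $clean = str_replace(["\r\n", "\r", "\n", "\0"], ' ', $value);
    return substr($clean, 0, $maxLen);
}

// Build the arguments for mail() from the raw form input.
// Returns null when the submission should be rejected.
function build_mail(array $post): ?array
{
    $email = trim($post['email'] ?? '');
    // Reject rather than repair: FILTER_VALIDATE_EMAIL refuses addresses that
    // contain line breaks or other characters not valid in an address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $name = header_safe($post['name'] ?? '');
    $body = body_safe($post['message'] ?? '');
    if ($body === '') {
        return null;
    }

    // The visitor's name and address go into the body, not into headers.
    $text = "Message from $name <$email>:\n\n$body\n";
    // The only header is fixed and server-controlled (assumed sending address).
    $headers = 'From: contact-form@your.domain.com';

    return [CONTACT_TO, CONTACT_SUBJECT, $text, $headers];
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $args = build_mail($_POST);
    if ($args === null) {
        http_response_code(400);
        exit('Invalid submission.');
    }
    mail(...$args);
    echo 'Thank you for your message.';
}
```

Because the recipient, subject and From header never come from the form, the script cannot be turned into a relay even if a visitor submits crafted input; the worst outcome is an unwanted message to your own hard-coded address, which the CAPTCHA in item 4 is meant to limit.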
Retrieved from "http://wiki.vpslink.com/Security_Guide:_Find_and_Secure_Rogue_PHP_Mail_Scripts"