OT: "X-PHP-Script" header


OT: "X-PHP-Script" header

allenc

Over the weekend I had three spam messages get through to my in-box. Two
contained an "X-PHP-Script" header

one was
X-PHP-Script:
folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
for 110.83.63.152

and the other
X-PHP-Script:
118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
for 110.83.62.203

I suppose I could block them using header_checks, but first, does
anybody know what they (are supposed to) do? I have not encountered
them before.

Allen C

Re: OT: "X-PHP-Script" header

Jan Ceuleers
On 24/10/16 18:29, Allen Coates wrote:

>
> Over the weekend I had three spam messages get through to my in-box. Two
> contained an "X-PHP-Script" header
>
> one was
> X-PHP-Script:
> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
> for 110.83.63.152
>
> and the other
> X-PHP-Script:
> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
> for 110.83.62.203
>
> I suppose I could block them using  header_checks, but first, does
> anybody know what they (are supposed to) do?   I have not encountered
> them before.

First Google hit?

Re: OT: "X-PHP-Script" header

allenc


On 24/10/16 17:37, Jan Ceuleers wrote:

> On 24/10/16 18:29, Allen Coates wrote:
>> Over the weekend I had three spam messages get through to my in-box. Two
>> contained an "X-PHP-Script" header
>>
>> one was
>> X-PHP-Script:
>> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
>> for 110.83.63.152
>>
>> and the other
>> X-PHP-Script:
>> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
>> for 110.83.62.203
>>
>> I suppose I could block them using  header_checks, but first, does
>> anybody know what they (are supposed to) do?   I have not encountered
>> them before.
> First Google hit?

How to insert / remove / munge them, but not what they do.

Or their value as a spam indicator.




Re: OT: "X-PHP-Script" header

Bill Cole-3
On 24 Oct 2016, at 12:29, Allen Coates wrote:

>
> Over the weekend I had three spam messages get through to my in-box.
> Two
> contained an "X-PHP-Script" header
>
> one was
> X-PHP-Script:
> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
> for 110.83.63.152
>
> and the other
> X-PHP-Script:
> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
> for 110.83.62.203
>
> I suppose I could block them using  header_checks, but first, does
> anybody know what they (are supposed to) do?   I have not encountered
> them before.

They are added by the PHP mail() function (if the active PHP config has
them turned on) as a weak but surprisingly useful way for web server
admins to identify exactly where some spam-sending malware has been
deployed. This is a weak tool in theory because a script can effectively
clobber the pathname component, but apparently the folks writing that
class of malware include examples of "any moron can write working PHP"
because I still see these with apparently real values (as above) in spam
at a substantial rate despite this feature existing for over a decade.

I wouldn't advise using the existence of an X-PHP-Script header as an
absolute reason to block mail. In my personal archives I have 30
entirely legitimate, desired messages with that header and 173 spam. In
a workplace account which gets essentially no spam I have no spam with
it in the past 8 years, during which I've received dozens (maybe
hundreds) of absolutely non-spam messages with X-PHP-Script headers
generated by various tools that use PHP (e.g. MediaWiki page change
notices) and from external sources. The content of an X-PHP-Script header
can be useful in more complex filtering systems (e.g. SpamAssassin)
because the spamware scripts often hide themselves in odd directories
like /tmp, /images, and frequently claim to be triggered from IPs that
bear no relationship to the source host (like the above: consumer
broadband IPs in Fuqing, Fujian, China). You can't do that sort of
analysis in Postfix itself.
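As an added illustration of the kind of content analysis Bill describes (this is not code from the thread, from Postfix, or from SpamAssassin), a small Python checker that parses the header shape shown in Allen's examples and flags the two signals mentioned: a script living in an odd directory, and a claimed client IP unrelated to the relay the MTA actually received the message from. The directory list, the /24 "relationship" test and the relay addresses are assumptions.

```python
import ipaddress
import re

# Header shape as seen in the thread's examples (constructed pattern):
#   X-PHP-Script: <host><path> for <ip>
HEADER_RE = re.compile(
    r"^\s*(?P<host>[^/\s]+)(?P<path>/\S*)\s+for\s+(?P<ip>[0-9a-fA-F.:]+)\s*$"
)

# Directories where a web application's mailer has no business living
# (assumed list, seeded from the /tmp and /images cases mentioned above).
ODD_DIRS = ("/tmp/", "/images/", "/uploads/", "/cache/")


def parse_x_php_script(value):
    """Split an X-PHP-Script value into host, script path and claimed IP.

    Returns None when the value does not follow the expected shape, so a
    clobbered or malformed header is neither trusted nor scored.
    """
    m = HEADER_RE.match(value)
    if not m:
        return None
    try:
        claimed = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    return {"host": m["host"], "path": m["path"], "claimed_ip": claimed}


def assess_x_php_script(value, relay_ip, prefix=24):
    """Return the reasons this header looks like spamware output.

    relay_ip is the address the MTA accepted the message from. An empty
    list means nothing odd: the header's mere presence is not a reason to
    block. Treating "same /prefix as the relay" as "related" is an assumption.
    """
    parsed = parse_x_php_script(value)
    if parsed is None:
        return ["unparseable"]
    reasons = []
    if any(d in parsed["path"] for d in ODD_DIRS):
        reasons.append("odd-directory")
    relay = ipaddress.ip_address(relay_ip)
    if parsed["claimed_ip"].version != relay.version:
        reasons.append("claimed-ip-unrelated")
    elif parsed["claimed_ip"] not in ipaddress.ip_network(
            f"{relay}/{prefix}", strict=False):
        reasons.append("claimed-ip-unrelated")
    return reasons
```

Feeding this the first header from the thread with a constructed relay address yields only the unrelated-IP signal, which is the sort of evidence a scoring filter can weigh without blocking every PHP-generated message.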


Re: OT: "X-PHP-Script" header

allenc
Many thanks for your explanation.

And here was I, thinking I had found a new spam-killer. :-(

Allen C


On 25/10/16 00:35, Bill Cole wrote:

> On 24 Oct 2016, at 12:29, Allen Coates wrote:
>
>>
>> Over the weekend I had three spam messages get through to my in-box. Two
>> contained an "X-PHP-Script" header
>>
>> one was
>> X-PHP-Script:
>> folar.org/wp-content/plugins/the-events-calendar/src/Tribe/Aggregator/uploader.php
>>
>> for 110.83.63.152
>>
>> and the other
>> X-PHP-Script:
>> 118k.org/wp-content/plugins/formidable/classes/views/frm-entries/stats.php
>>
>> for 110.83.62.203
>>
>> I suppose I could block them using  header_checks, but first, does
>> anybody know what they (are supposed to) do?   I have not encountered
>> them before.
>
> They are added by the PHP mail() function (if the active PHP config
> has them turned on) as a weak but surprisingly useful way for web
> server admins to identify exactly where some spam-sending malware has
> been deployed. This is a weak tool in theory because a script can
> effectively clobber the pathname component, but apparently the folks
> writing that class of malware include examples of "any moron can write
> working PHP" because I still see these with apparently real values (as
> above) in spam at a substantial rate despite this feature existing for
> over a decade.
>
> I wouldn't advise using the existence of an X-PHP-Script header as an
> absolute reason to block mail. In my personal archives I have 30
> entirely legitimate, desired messages with that header and 173 spam.
> In a workplace account which gets essentially no spam I have no spam
> with it in the past 8 years, during which I've received dozens (maybe
> hundreds) of absolutely non-spam messages with X-PHP-Script headers
> generated by various tools that use PHP (e.g. MediaWiki page change
> notices) and from external sources. The content of an X-PHP-Script
> header can be useful in more complex filtering systems (e.g.
> SpamAssassin) because the spamware scripts often hide themselves in
> odd directories like /tmp, /images, and frequently claim to be
> triggered from IPs that bear no relationship to the source host (like
> the above: consumer broadband IPs in Fuqing, Fujian, China). You can't
> do that sort of analysis in Postfix itself.