Is outgoing mail filtered?

ldesign · **Is outgoing mail filtered? -** 12-14-2005, 02:16 AM

Without going into complete detail, let me ask .... is outgoing mail ever filtered or trapped (not sent)?

I have a mail list I wrote in Php that requires new subscribers to click on a link in a confirmation email that is automatically sent to the email address they have entered in the sign-up form. I send a Bcc of these to myself to monitor the list activity and verify my scripts are working (it is a very small list). For a year or so I received the Bcc's of the confirmation email sent to perspective subscribers. Then, about a month or three ago, they stopped. The confirmation mail is delivered to the prospective subscriber, but I do not get the Bcc (sent to my main email address at Comcast).

I have checked, and they do not get trapped in Comcast's filters (they are not in my screened mail folder).

There is a link the message body that ends with:
"confirm.php?email=somerealemailaddress."

I have run many test and if I remove the ? or the word confirm, the Bcc is delivered. If I leave it there, the Bcc is not delivered to me (and only the Bcc is not delivered).

It seems strange to even ask, but I have investigated other avenues and can find no reason for this to happen, so I am asking here if Page-Zone somehow withholds the Bcc with a link containing "confirm.php?email=" in the message body.

Chuck

Jim · 12-14-2005, 07:53 AM

Bcc (through mailer scripts, NOT smtp) was disabled using mod_security out of necessity last week because we were suddenly getting hammered with scripts on every server being exploited by spammers. There was a public announcement in the forum but it was removed after 24 hours. I can send anyone who asks a copy of the current set of mod security rules but cannot publish it publicly because it can be used by people to see what can be done as well as can't. I can also work with people on removing some rules, but not bcc. The error logs are still full of attempts to spam and bcc exploit attempts are probably 90% of what mod_security is preventing right now, followed by phpBB and other script vunerabilities. For example, I just pull up the error log on a server at random and five minutes ago a spammer at 61.83.77.198 was stopped.

cmyksteve · 12-14-2005, 12:13 PM

Jim,

I've become aware of a security/spam issue in a component used in current versions of Joomla/Mambo. You mentioned phpBB being high on the "target list". Is there a security issue with phpBB ver 2.0.18 or are you talking "in general terms" about older versions- that we should be updating?

Thanks,
Steve

ldesign · 12-14-2005, 04:22 PM

Quote:

Originally Posted by Jim

Bcc (through mailer scripts, NOT smtp) was disabled using mod_security out of necessity last week because we were suddenly getting hammered with scripts on every server being exploited by spammers.

Then I don't think this was part of my problem.
- I was using SMTP
- I did the testing about 3 weeks ago.
- If I changed "confirm.php?" to something else, the Bcc was sent.

Quote:

Originally Posted by Jim

I can send anyone who asks a copy of the current set of mod security rules but cannot publish it publicly because it can be used by people to see what can be done as well as can't. I can also work with people on removing some rules, but not bcc.

So I take to that if I continue to use SMTP I will still be able to send Bcc's? I depend on them to monitor usage of email scripts on some of my sites.

Quote:

Originally Posted by Jim

The error logs are still full of attempts to spam and bcc exploit attempts are probably 90% of what mod_security is preventing right now, followed by phpBB and other script vulnerabilities.

If using PhpBB what should we do? Stay upgraded to the latest, apply a mod to prevent spammers abusing it, or switch to something else?

As to my initial question, I'll rephrase a little. Would Page-zone filter outgoing mail sent via SMTP and not allow the message to be sent to a Bcc recipient if the body contained the string "confirm.php?email="?

Chuck

Jim · 12-14-2005, 04:39 PM

Quote:

Originally Posted by cmyksteve

Jim,

I've become aware of a security/spam issue in a component used in current versions of Joomla/Mambo. You mentioned phpBB being high on the "target list". Is there a security issue with phpBB ver 2.0.18 or are you talking "in general terms" about older versions- that we should be updating?

Thanks,
Steve

Steve,
All of the phpbb rules are for known exploits in older versions. Such as highlighting code execution attempts, highlight sql injection, Santy.A Worm injection etc...

If the latest version is installed there should not be a problem. At least until it gets cracked, which in the case of phpbb will be about a week after it is released :-)

Jim · 12-14-2005, 07:39 PM

Quote:

Originally Posted by ldesign

As to my initial question, I'll rephrase a little. Would Page-zone filter outgoing mail sent via SMTP and not allow the message to be sent to a Bcc recipient if the body contained the string "confirm.php?email="?

Chuck

If it is a webmail form using Apache and it is using "bcc" or any capitalization order of bcc (e.g. Bcc bCc etc.) in the POST string it will throw a 403 error. When I said SMTP I should have made clear that I meant SMTP which isn't being processed through the Apache web server. There is no bcc filtering going on if connecting to the mail server directly from your computer. And also confirm.php? isn't anywhere in the current SecFilter ruleset.