How to Disable PHP mail() Per-Domain/Vhost without Suhosin or FPM/suEXEC

So I'm tired of my goddamned WordPress blog (yep, this one) getting compromised and being used as a platform for spammers or phishers and so on.

Getting pwn't every so often is pretty much just a fact of using popular shrinkwrapware and being a lazy updater. But that's no reason to change our ways when we can just mitigate the damage - namely getting your web server's IP on to all those friendly RBLs and interrupting legit e-mail notification delivery.

The good news is you can use disable_functions in your php.ini to disable functions globally.

The bad news is you can't set disable_functions on a per-domain or vhost basis unless you're using FPM/suEXEC or the like.

The worse news is suhosin, a really sweet PHP security patch that I've written about before and which would give us the ability to do this has been abandoned for about two years now and there is no official support for php 5.4 and later.

So I'd like to give Dave Lachapelle a big round of applause for pointing out that even if you can't kill mail() you can at least cripple it. From http://www.davelachapelle.ca/2009/08/05/php-mail-abuse/:

...PHP doesnÂ’t support setting disable_functions in the php_admin_value flag.

So, after a bit of searching, I decided to just add the following to each siteÂ’s .htaccess files:

php_admin_value sendmail_path "/dev/null"

Essentially sending all e-mail to /dev/null for that particular site. Perhaps not the most elegant solution, but it was effective...

Maybe not elegant, but surely classy.

Stay classy, Dave.


There are no comments for this item.