I've noticed that some mail clients are querying /mailscanner/eFa-learn.php as HEAD. In reviewing the learned emails it would appear some mail clients are checking every URL in the email using HEAD. This is generating a lot of false sa-learn submissions.
sudo grep eFa-learn /var/log/httpd/ssl_access_log | grep HEAD
192.168.0.254 - - [04/May/2022:14:43:31 -0700] "HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 200 -
As a stopgap measure I added the following to my .htaccess:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|DELETE)
RewriteRule .* - [F]
"HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 403 -
Due to the wide distribution of my email users I had to turn off trusted networks to allow easier spam submissions.
I'm wondering if eFa-learn.php should be modified to offer up a confirmation button. Because the sa-learn is performed before the page returns anything the delay can be unnerving for some users. Would it be better to quickly return a page with a submission button and then sa-learn following the button click?
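As an added example (not part of the original post and not eFa or MailWatch code), the grep above can be extended into a small audit that groups eFa-learn.php hits by message id and flags the ids where a HEAD request was answered with a 2xx status. The function names are hypothetical, and every sample log line except the first, which is the one quoted in the post, is constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Access-log line layout as shown in the post (client, timestamp, request, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: the first line is the one quoted in the post; the rest
# are made up (documentation addresses, placeholder message ids and tokens).
SAMPLE_LOG = """\
192.168.0.254 - - [04/May/2022:14:43:31 -0700] "HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 200 -
192.0.2.10 - - [04/May/2022:14:50:02 -0700] "GET /mailscanner/eFa-learn.php?mid=EXAMPLEMID000001&r=exampletoken0001 HTTP/1.1" 200 1824
192.0.2.11 - - [04/May/2022:15:01:40 -0700] "HEAD /mailscanner/eFa-learn.php?mid=EXAMPLEMID000002&r=exampletoken0002 HTTP/1.1" 403 -
192.0.2.12 - - [04/May/2022:15:02:11 -0700] "GET /mailscanner/login.php HTTP/1.1" 200 5120
""".splitlines()

def audit_learn_requests(lines):
    """Group eFa-learn.php hits by message id and flag automated submissions.

    A message id is flagged when a HEAD request for it was answered with a
    2xx status, meaning the script ran without anyone viewing the page.
    """
    report = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/eFa-learn.php"):
            continue
        mids = parse_qs(url.query).get("mid")
        if not mids:
            continue
        entry = report.setdefault(mids[0], {"hits": [], "flagged": False})
        entry["hits"].append((m["ip"], m["method"], int(m["status"])))
        if m["method"] == "HEAD" and m["status"].startswith("2"):
            entry["flagged"] = True
    return report

def flagged_ids(report):
    """Message ids whose learn submission should be reviewed."""
    return sorted(mid for mid, e in report.items() if e["flagged"])

if __name__ == "__main__":
    for mid in flagged_ids(audit_learn_requests(SAMPLE_LOG)):
        print("review sa-learn submission for", mid)
```

To run it against a real log, pass the lines of /var/log/httpd/ssl_access_log to `audit_learn_requests` instead of `SAMPLE_LOG`.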
HEAD eFa-learn.php
Re: HEAD eFa-learn.php
I've disabled the .htaccess HEAD filter as I've completed adding a submit button to the submission page. So far this is working. It loads quickly and is only delayed once submitted. Sa-learn can be slow sometimes.
Basically I added an HTML form along with a flag called $subm. If true then it passes $mid and the $token for sa-learn.
I inserted the HTML form below the first if statement.
I also changed the page title. No functional need.
Code:
    // sa-learn branch: only entered when the form's subm flag is present
    if (isset($_GET['mid']) && isset($_GET['subm']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
        dbconn();
        $mid = deepSanitizeInput($_GET['mid'], 'url');
        if ($mid === false || !validateInput($mid, 'msgid')) {
            die();
        }
        $subm = deepSanitizeInput($_GET['subm'], 'url');
        if ($subm === false) {
            die();
        }
Code:
    // first visit (no subm): validate mid and token, then render the confirmation form
    } elseif (isset($_GET['mid']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
        $mid = deepSanitizeInput($_GET['mid'], 'url');
        if ($mid === false || !validateInput($mid, 'msgid')) {
            die();
        }
        if (isset($_GET['amp;r'])) {
            $token = deepSanitizeInput($_GET['amp;r'], 'url');
        } else {
            $token = deepSanitizeInput($_GET['r'], 'url');
        }
        if (!validateInput($token, 'releasetoken')) {
            header('Location: login.php?error=pagetimeout');
            die();
        }
        $subm = true;
        // post the form back to this same script path
        $url = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
        $output[] = 'Submit Message: ' . $mid . '.';
        $output[] = '<form method="get" action="' . $url . '">';
        $output[] = '<input type="hidden" name="mid" value="' . $mid . '" />';
        $output[] = '<input type="hidden" name="r" value="' . $token . '" />';
        $output[] = '<input type="hidden" name="subm" value="' . $subm . '" />';
        $output[] = '<p><input type="submit" value="Submit"></p>';
        $output[] = '</form>';
Code:
    <h1>' . __('spam103') . " " . __('learn03') . '</h1>' . "\n";
Attachments: Screen Shot 2022-05-06 at 7.29.01 PM.png, eFa-learn.zip (eFa-learn.php)
Re: HEAD eFa-learn.php
Thanks for the good idea and the code.
I will test it in my installations the next days.
Re: HEAD eFa-learn.php
Oh shit. I forgot it completely 
Will configure it right now ...
- shawniverson
- Posts: 3609
- Joined: 13 Jan 2014 23:30
- Location: Indianapolis, Indiana USA
- Contact:
Re: HEAD eFa-learn.php
Something changed in the Trusted Networks. Previously, if Trusted Networks was empty then all networks would be allowed. Now all are blocked (redirected to login). I added 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/3, 224.0.0.0/4 to open it up and make it work as previously. Obviously running classless isn't the best practice but it's been working.
Another issue. The numbering in Trusted Networks appears to be incorrect.
Below is the list of current trusted networks:
1) 0.0.0.0/1
1) 128.0.0.0/2
2) 192.0.0.0/3
2) 224.0.0.0/4
Re: HEAD eFa-learn.php
I'll tackle these two issues.