HEAD eFa-learn.php

[forhire]

I've noticed that some mail clients are querying /mailscanner/eFa-learn.php as HEAD. In reviewing the learned emails it would appear some mail clients are checking every URL in the email using HEAD. This is generating a lot of false sa-learn submissions.

sudo grep eFa-learn /var/log/httpd/ssl_access_log | grep HEAD
192.168.0.254 - - [04/May/2022:14:43:31 -0700] "HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 200 -

As a stop gap measure I added the following to my .htaccess
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(HEAD|DELETE)
RewriteRule .* - [F]

"HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 403 -

Due to the wide distribution of my email users I had to turn off trusted networks to allow easier spam submissions.

I'm wondering if eFa-learn.php should be modified to offer up a confirmation button. Because the sa-learn is performed before the page returns anything the delay can be unnerving for some users. Would it be better to quickly return a page with a submission button and then sa-learn following the button click?

[forhire]

I've disabled the .htaccess HEAD filter as I've completed adding a submit button to the submission page. So far this is working. It loads quick and only is delayed once submitted. Sa-learn can be slow sometimes.

Basically I added an html form along with flag called $subm. If true then it passes $mid and the $token for sa-learn.

Code: Select all

     34     if (isset($_GET['mid']) && isset($_GET['subm']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
     35         dbconn();
     36         $mid = deepSanitizeInput($_GET['mid'], 'url');
     37         if ($mid === false || !validateInput($mid, 'msgid')) {
     38             die();
     39         }
     40         $subm = deepSanitizeInput($_GET['subm'], 'url');
     41         if ($subm === false) {
     42             die();
     43         }

I inserted the html form below the first if statement

Code: Select all

    117     } elseif (isset($_GET['mid']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
    118         $mid = deepSanitizeInput($_GET['mid'], 'url');
    119         if ($mid === false || !validateInput($mid, 'msgid')) {
    120             die();
    121         }
    122         if (isset($_GET['amp;r'])) {
    123             $token = deepSanitizeInput($_GET['amp;r'], 'url');
    124         } else {
    125             $token = deepSanitizeInput($_GET['r'], 'url');
    126         }
    127         if (!validateInput($token, 'releasetoken')) {
    128             header('Location: login.php?error=pagetimeout');
    129             die();
    130         }
    131         $subm = true;
    132         $url = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
    133         $output[] = 'Submit Message: ' . $mid . '.';
    134         $output[] = '<form method="get" action="' . $url . '">';
    135         $output[] = '<input type="hidden" name="mid" value="' . $mid . '" />';
    136         $output[] = '<input type="hidden" name="r" value="' . $token . '" />';
    137         $output[] = '<input type="hidden" name="subm" value="' . $subm . '" />';
    138         $output[] = '<p><input type="submit" value="Submit"></p>';
    139         $output[] = '</form>';

I also changed the page title. No functional need.

Code: Select all

159         <h1>' . __('spam103') . " " .  __('learn03') . '</h1>' . "\n";

[freyuh]

Thanks for the good idea and the code.
I will test it in my installations the next days.

[forhire]

Thanks for the good idea and the code.
I will test it in my installations the next days.

Did you ever get a chance to play with this? A quick look at my logs suggests it's working well for my users.

[freyuh]

Oh shit. I forgot it completely
Will configure it right now ...

[freyuh]

It seems to be working ...