
HEAD eFa-learn.php

Posted: 05 May 2022 17:14
by forhire
I've noticed that some mail clients are querying /mailscanner/eFa-learn.php as HEAD. In reviewing the learned emails it would appear some mail clients are checking every URL in the email using HEAD. This is generating a lot of false sa-learn submissions.

    sudo grep eFa-learn /var/log/httpd/ssl_access_log | grep HEAD
    192.168.0.254 - - [04/May/2022:14:43:31 -0700] "HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 200 -

As a stop gap measure I added the following to my .htaccess:

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(HEAD|DELETE)
    RewriteRule .* - [F]

    "HEAD /mailscanner/eFa-learn.php?mid=4KtmFT0mK7zB48FF&r=3cc89d8dfbf0db2cf8a5 HTTP/1.1" 403 -

Due to the wide distribution of my email users I had to turn off trusted networks to allow easier spam submissions.

I'm wondering if eFa-learn.php should be modified to offer up a confirmation button. Because the sa-learn is performed before the page returns anything the delay can be unnerving for some users. Would it be better to quickly return a page with a submission button and then sa-learn following the button click?

Re: HEAD eFa-learn.php

Posted: 07 May 2022 02:32
by forhire
I've disabled the .htaccess HEAD filter as I've completed adding a submit button to the submission page. So far this is working. It loads quickly and is only delayed once submitted. Sa-learn can be slow sometimes.

Basically I added an HTML form along with a flag called $subm. If true then it passes $mid and the $token for sa-learn.

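    // Confirmed submission: this branch is only taken when the form's subm flag is present.
    if (isset($_GET['mid']) && isset($_GET['subm']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
        dbconn();
        // Sanitize and validate the message ID; abort on failure.
        $mid = deepSanitizeInput($_GET['mid'], 'url');
        if ($mid === false || !validateInput($mid, 'msgid')) {
            die();
        }
        // Sanitize the confirmation flag; abort on failure.
        $subm = deepSanitizeInput($_GET['subm'], 'url');
        if ($subm === false) {
            die();
        }
        // ... (excerpt; the rest of this branch is not shown)

I inserted the html form below the first if statement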

    // First visit (no subm flag): validate the parameters and show a confirmation form only.
    } elseif (isset($_GET['mid']) && (isset($_GET['r']) || isset($_GET['amp;r']))) {
        $mid = deepSanitizeInput($_GET['mid'], 'url');
        if ($mid === false || !validateInput($mid, 'msgid')) {
            die();
        }
        // Some clients deliver the link with "&amp;r" unescaped, so accept either key.
        if (isset($_GET['amp;r'])) {
            $token = deepSanitizeInput($_GET['amp;r'], 'url');
        } else {
            $token = deepSanitizeInput($_GET['r'], 'url');
        }
        if (!validateInput($token, 'releasetoken')) {
            header('Location: login.php?error=pagetimeout');
            die();
        }
        // The form resubmits mid and r to this page with subm set (true renders as "1").
        $subm = true;
        $url = parse_url($_SERVER["REQUEST_URI"], PHP_URL_PATH);
        $output[] = 'Submit Message: ' . $mid . '.';
        $output[] = '<form method="get" action="' . $url . '">';
        $output[] = '<input type="hidden" name="mid" value="' . $mid . '" />';
        $output[] = '<input type="hidden" name="r" value="' . $token . '" />';
        $output[] = '<input type="hidden" name="subm" value="' . $subm . '" />';
        $output[] = '<p><input type="submit" value="Submit"></p>';
        $output[] = '</form>';

I also changed the page title. No functional need.

    <h1>' . __('spam103') . " " .  __('learn03') . '</h1>' . "\n";
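
Added example, not part of the posts above and not eFa's own code: a log audit for the problem this thread describes, listing message IDs that were learned only by an automated HEAD check and never by a user request, so they can be reviewed. It assumes the Apache access-log layout of the line quoted in the first post; the sample lines are constructed, and `confirm_step` is a hypothetical switch for logs written after the confirmation form was deployed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample in Apache access-log format (addresses, mids, tokens are made up).
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2022:14:43:31 -0700] "HEAD /mailscanner/eFa-learn.php?mid=AAAA1111&r=tok1 HTTP/1.1" 200 -
192.0.2.10 - - [04/May/2022:14:43:32 -0700] "HEAD /mailscanner/eFa-learn.php?mid=BBBB2222&r=tok2 HTTP/1.1" 200 -
198.51.100.7 - - [04/May/2022:15:02:10 -0700] "GET /mailscanner/eFa-learn.php?mid=BBBB2222&r=tok2 HTTP/1.1" 200 512
192.0.2.10 - - [05/May/2022:09:00:00 -0700] "HEAD /mailscanner/eFa-learn.php?mid=CCCC3333&r=tok3 HTTP/1.1" 403 -
198.51.100.7 - - [07/May/2022:10:00:00 -0700] "GET /mailscanner/eFa-learn.php?mid=DDDD4444&r=tok4 HTTP/1.1" 200 900
198.51.100.7 - - [07/May/2022:10:00:05 -0700] "GET /mailscanner/eFa-learn.php?mid=DDDD4444&r=tok4&subm=1 HTTP/1.1" 200 700
198.51.100.7 - - [07/May/2022:10:01:00 -0700] "GET /mailscanner/index.php HTTP/1.1" 200 100
"""

# Captures: client ip, method, request target, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return a dict for a hit on eFa-learn.php that carries a mid, else None."""
    m = LINE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    url = urlsplit(target)
    query = parse_qs(url.query)
    if not url.path.endswith("/eFa-learn.php") or "mid" not in query:
        return None
    return {"ip": ip, "method": method, "status": int(status),
            "mid": query["mid"][0], "subm": "subm" in query}

def audit(log_text, confirm_step=False):
    """Return (head_only, blocked): mids learned only via HEAD, and mids whose HEAD got 403.

    confirm_step=False: any 200 response ran sa-learn (behaviour before the form).
    confirm_step=True: only requests carrying subm ran sa-learn.
    """
    learned_by = defaultdict(set)  # mid -> HTTP methods that triggered a learn
    blocked = set()
    for line in log_text.splitlines():
        hit = parse(line)
        if hit is None:
            continue
        if hit["method"] == "HEAD" and hit["status"] == 403:
            blocked.add(hit["mid"])
        elif hit["status"] == 200 and (hit["subm"] or not confirm_step):
            learned_by[hit["mid"]].add(hit["method"])
    # A mid that also has a user GET counts as a real submission, so it is excluded.
    head_only = sorted(m for m, how in learned_by.items() if how == {"HEAD"})
    return head_only, sorted(blocked)

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```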

Re: HEAD eFa-learn.php

Posted: 09 May 2022 17:08
by freyuh
Thanks for the good idea and the code.
I will test it in my installations the next days.

Re: HEAD eFa-learn.php

Posted: 02 Jun 2022 06:25
by forhire
freyuh wrote: 09 May 2022 17:08
Thanks for the good idea and the code.
I will test it in my installations the next days.

Did you ever get a chance to play with this? A quick look at my logs suggests it's working well for my users.

Re: HEAD eFa-learn.php

Posted: 17 Jun 2022 09:16
by freyuh
Oh shit. I forgot it completely :(
Will configure it right now ...

Re: HEAD eFa-learn.php

Posted: 22 Jun 2022 08:59
by freyuh
It seems to be working ...

Re: HEAD eFa-learn.php

Posted: 03 Jul 2022 18:25
by shawniverson

Re: HEAD eFa-learn.php

Posted: 06 Jul 2022 22:59
by forhire
Something changed in the Trusted Networks. Previously, if Trusted Networks was empty then all networks would be allowed. Now all are blocked (redirected to login). I added 0.0.0.0/1, 128.0.0.0/2, 192.0.0.0/3, 224.0.0.0/4 to open it up and make it work as previously. Obviously running classless isn't the best practice but it's been working.

Another issue. The numbering in Trusted Networks appears to be incorrect.

Below is the list of current trusted networks:

1) 0.0.0.0/1
1) 128.0.0.0/2
2) 192.0.0.0/3
2) 224.0.0.0/4

Re: HEAD eFa-learn.php

Posted: 06 Jul 2022 23:21
by shawniverson
I'll tackle these two issues.

Re: HEAD eFa-learn.php

Posted: 10 Jul 2022 16:43
by shawniverson