Find Your Compromised Email Scripts: Wrapper to Execute sendmail (or qmail-inject) for Web Apps

This is yet another sendmail wrapper to help detect webmail scripts that might be spamming. It's designed for the qmail with the QMAILQUEUE path, and the qmail-qfilter filter framework. You need to write a filter that will scan the mail going out, or use Spamassassin if you want general spam filtering.

What you do is, change the sendmail program setting in php.ini to run this program, which I call metasendmail.

metasendmail sets the QMAILQUEUE environment variable, then executes sendmail, and qmail-inject will pass the email through the script, which runs the qmail-qfilter program, which then runs qmail-queue.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main( int argc, char *argv[] )
        FILE *fh;
        fh = fopen("/usr/local/spam-logs/log","a+");
        argv[0] = "/var/qmail/bin/sendmail";

This program was necessary because I was unable to set the QMAILQUEUE environment variable and have it passed to sendmail (and thus to qmail-inject). I'm not sure what's happening, but I set the variable in the Apache config with the SetEnv directive. A look at phpinfo() shows that the variable is visible to PHP. It's also set for qmail-send, just in case. In any event, when sendmail is run, the environment variable is not passed to it. The environment PHP gets seems to be the environment of the user who ran the startup script. (Maybe PHP is scrubbing the environment. Maybe I misconfigured PHP.)

A quicker fix would be to add the variable to the startup script, and export it. However, to discover that, I had to create this script to get a quick dump of the environment, to see what was in it. So I'm keeping it for now; it's just a little creeping featurism.

My original intent was to try and log the script that's sending the mail. It turns out that's not possible, but there is a feature in PHP that will dump that information to a mail log. The php.ini variable is mail.log.