Uwe Dippel wrote:

quoted text
> I'm sorry, but I lack the experience to understand what you mean. I have
> 200+ users, several of them having set up (sorry, yes, written!),
> who can install any CMS of their liking, using ftp; or any other script
> that
> sends mail. Some of them are official websites, so I can not shut down the
> whole mini_sendmail business in the chrooted Apache. I also cannot read,
> study,
> hundreds of thousands of lines of code to find out how and where a
> web-page hosted by me allows an attacker to inject a message of her own,
> to a recipient of her own choice.

Then you have grown your userbase too fast with a terrible setup, and now
you're caught in the middle of fixing the problem or avoiding downtime.

quoted text
> Since mini_sendmail receives it through php from Apache, I wonder how I
> could log e.g. the website from which it was sent, or at least easily
> limit the number of calls of mini_sendmail.

Sure, if you go through and find every line of code where mail() is called,
you can add logging at that point.  But so far you've refused to make any
changes to the applications.

quoted text
> Again, your idea being fine for an application developer, which I am not.

His idea is the right one.  Most PHP applications I've dealt with support, at
least through plugins or extensions, SMTP + AUTH for sending mail instead of
PHP's mail().

quoted text
> The only two places where I, IMHO, can see a chance would be with an
> extended
> log or check of Apache or php; whenever a mail-call is logged, from
> which directory, e.g.

I don't think PHP ever changes the working directly except explicitly;
probably every call to mail() (which leads to mini_sendmail) occurs in the
chroot /.

quoted text
> Yes. But that's a complete coder's work, isn't it? I wonder if there is no
> other solution, as mentioned above.

There are, but they require you to set the parameters of how web apps can work
in your environment so as to enforce a minimum of auditability.  You have
already said that you can't enforce that minimum, and it turns out that you're
left with nothing to audit.

 sendmail_path = "/bin/mini_sendmail
quoted text
> -t -i"
> is what I have in php.ini. I wonder, if there are no logging features for
> mini_sendmail or so. I read the man-page online, but didn't see any.

Well, mini_sendmail is an external package... talk to the authors about that,
but I think they'll tell you they can't really track what you need tracked.
-- 
 Matthew Weigel
 hacker
 unique & idempot . ent