Include php script name with highest send count and ability to automatically chmod to 0 (TEMPLATES)

Version 1.46


On the "E-Mail Usage" page, a new field will be displayed in the first table, if enabled:

Sending Script

where the "Value" will be the path to the php script that has sent the highest number of emails. It will also include the line number in that script which called mail().

This is useful to more quickly track down a compromised account, or to figure out which script is sending spam or too much email.

===================

The internal default for this feature is:

parse_php_mail_log_at_limit=1

If you set this option to:

parse_php_mail_log_at_limit=2

then the script will be chmod to 0.
Option 2 may be changed in the future to work with BlockCracking, for fewer false positives.

However, as this type of action shouldn't be taken lightly, there are 2 other checks, set by default to:

disable_php_script_at_limit_threshold=80
disable_php_script_at_limit_minimum=100

where disable_php_script_at_limit_threshold is the percentage of total emails sent, of the hit limit, which must be exceeded by that script in order for it to be chmod to 0.

As well, the option disable_php_script_at_limit_minimum is the minimum number of emails that script must send to be chmod to 0. The minimum number is useful in the case where an account might have a limit of 1. Obviously, sending 1 email wouldn't warrant disabling the script.

So, for example, script.php sends 900 emails, and the limit is 1000.
The total number of emails leaving the account would have been 1000 (since the limit was triggered), but 900, aka 90% of the emails sent, were from the script.

1) This passes the threshold of 80%.
2) Also, 900 emails are more than 100 emails, so it will also pass.
3) For this scenario, if:
parse_php_mail_log_at_limit=2
is set, then because 1, 2 and 3 all are true, script.php will be chmod to 0, and everyone notified.

If any one is not true, the script will not be chmod to 0.
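The checks above can be reproduced offline when reviewing whether a script would have been disabled. This is an added example, not DirectAdmin's code: it assumes the log being parsed uses the line shape written by PHP's mail.log directive, the function names and sample paths are hypothetical, and the comparison operators (above the threshold, at least the minimum) are one reading of the text.

```python
import re
from collections import Counter

# Matches the caller recorded by PHP's mail.log directive (assumed log source):
#   [date] mail() on [/path/to/script.php:LINE]: To: ... -- Headers: ...
CALLER_RE = re.compile(r"mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]")


def top_sender(log_lines):
    """Return ("script:line", count) for the busiest mail() caller, or (None, 0)."""
    counts = Counter()
    for entry in log_lines:
        m = CALLER_RE.search(entry)
        if m:
            counts[f"{m['script']}:{m['line']}"] += 1
    return counts.most_common(1)[0] if counts else (None, 0)


def should_disable(script_count, limit, mode=1, threshold=80, minimum=100):
    """True only when all three checks from the text hold."""
    if limit <= 0:
        return False
    percent = 100 * script_count / limit
    return (
        mode == 2                      # parse_php_mail_log_at_limit=2
        and percent > threshold        # disable_php_script_at_limit_threshold
        and script_count >= minimum    # disable_php_script_at_limit_minimum
    )


# Constructed sample: 900 sends from one script, 100 from another, limit 1000.
BAD = "/home/user/domains/example.com/public_html/script.php"
OK = "/home/user/domains/example.com/public_html/contact.php"
SAMPLE_LOG = (
    [f"[01-Jan-2024 00:00:00 UTC] mail() on [{BAD}:12]: To: a@example.net -- Headers: "] * 900
    + [f"[01-Jan-2024 00:00:00 UTC] mail() on [{OK}:40]: To: b@example.net -- Headers: "] * 100
)

if __name__ == "__main__":
    script, count = top_sender(SAMPLE_LOG)
    print(script, count, should_disable(count, limit=1000, mode=2))
```

With the default mode of 1 the same input only reports the top script; an account whose limit is 1 never reaches the minimum, so its script is left alone.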
===================

TEMPLATES

data/templates/email_limit_message.txt

added extra text for the script case, eg:

|*if TOP_PHP_SCRIPT_PERCENT>"20"| The top sending script was |TOP_PHP_SCRIPT|, at |TOP_PHP_SCRIPT_COUNT| emails, (|TOP_PHP_SCRIPT_PERCENT|%).|*endif|
|*if TOP_PHP_SCRIPT_PERCENT>DISABLE_PHP_SCRIPT_AT_LIMIT_THRESHOLD|Because the bulk of the emails have been sent by the script, please check it to confirm it has not been compromised.|*endif|
|*if SCRIPT_CHMOD_RESULT!=""||SCRIPT_CHMOD_RESULT||*endif|

New available tokens are:

TOP_PHP_SCRIPT: name of the offending script, and line number of mail(), eg: /home/user/domains/
TOP_PHP_SCRIPT_COUNT: how many sends the script made
TOP_PHP_SCRIPT_PERCENT: percentage of all sends the script made
DISABLE_PHP_SCRIPT_AT_LIMIT_THRESHOLD: the directadmin.conf variable, see above.
DISABLE_PHP_SCRIPT_AT_LIMIT_MINIMUM: the directadmin.conf variable, see above.
SCRIPT_CHMOD_RESULT: text to let you know if the chmod was triggered, or attempted to be triggered. If it's an empty string, "", then the criteria were not met. However, if it's a non-empty string, the criteria were met, and it would include either the result/success, or an error as to why it didn't work (eg: link, ownership, doesn't exist, chmod error).
