sara,

----- Original Message -----
From: "Sara Golemon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, June 01, 2004 1:06 PM
Subject: Re: [PHP-DEV] [patch] abuse-proof zif_mail()

--- snip ---
> The whole matter is moot because no matter how aggressively you block access
> to mail(), sendmail, et al. The user can still make socket calls directly
> using SMTP commands. The protocol is not hard to understand and it's the
> ne'er-do-wells that you're talking about stopping not the innocent accidentals.

i disagree.

first off, at least on our setup, users can *try* to make socket calls directly but it won't get them too far - we have iptables ACLs preventing that.

second off, the direct socket connections take more time than calling sendmail and dumping it all in our spool and the abuser would have to keep reloading the page (i know this can be automated) because of the 30 second exec time limit. additionally, you could say that i care less about them spewing directly than i care about them dumping twenty thousand messages into our spool, when the relative effects on other clients' service are considered.

third off, this patch does not *stop* them per se, it just helps us identify who is responsible so we can act on the abuse reports fast enough not to get blacklisted by some maniac.

i am not arguing for making this the default, but quite honestly i do not see a substantive reason not to make this a compile-time or a run-time option. if there is a problem with the *how* of it, i will be glad to correct the patch. i am also willing to produce a patch that will make it an option, whether a compile or a run time one, if people tell me it is going to be included. since we will always want this turned on, there is no point in me mucking about with that if the patch is not going to be accepted.

cheers,
paul

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php