Prevent origin and user IP in sent email

Need some custom code changes to the phpBB core simple enough that you feel doesn't require an extension? Then post your request here so that community members can provide some assistance.

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
Forum rules
READ: phpBB.com Board-Wide Rules and Regulations

NOTE: NO OFFICIAL SUPPORT IS PROVIDED IN THIS SUB-FORUM
Post Reply
User avatar
Alison V
Registered User
Posts: 24
Joined: Mon Sep 14, 2020 11:50 am

Prevent origin and user IP in sent email

Post by Alison V »

I just noticed in sent emails from the board that the email headers contain the origin server IP and sender's IP. This is not something you want to have when you sit behind something like CloudFlare or have your user's IP exposed. So I'm asking, what code do I need to strip out to prevent this?

Thanks.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Prevent origin and user IP in sent email

Post by thecoalman »

Moved this to General Discussion as it's not a phpBB issue.

Cloudflare does not proxy email. You need a valid IP with rDNS correctly configured for email, there is no way around that under any circumstances because email will get dropped into a blackhole. You can however use a different IP/service but options for that are limited. For example if you have VPS with WHM/Cpanel the domain and email can be on different IP's on same server. If they DDOS the exposed email IP you can null route incoming traffic temporarily until it subsides, the domain on a different IP is unaffected and you only lose incoming email service.

In a perfect world the email server is on different machine but that starts getting expensive....
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
warmweer
Jr. Extension Validator
Posts: 11234
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium
Contact:

Re: Prevent origin and user IP in sent email

Post by warmweer »

Alison V wrote: Tue Jun 22, 2021 12:12 pm I just noticed in sent emails from the board that the email headers contain the origin server IP and sender's IP. This is not something you want to have when you sit behind something like CloudFlare or have your user's IP exposed. So I'm asking, what code do I need to strip out to prevent this?

Thanks.
for the user_IP see functions messenger (there may be other files also)
$this->headers('X-AntiAbuse: User IP - ' . $user->ip);
You do realise that this is included specifically by phpBB (implying that you can change that) but you have no control over what the mailprovider includes in the headers

As to the server's IP, surely that shouldn't worry you.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Prevent origin and user IP in sent email

Post by thecoalman »

warmweer wrote: Tue Jun 22, 2021 4:40 pm for the user_IP see functions messenger (there may be other files also)
My mistake, I'll move this to custom coding.
As to the server's IP, surely that shouldn't worry you.
If you are trying to protect your site from DDOS attack it's a very big deal. Cloudflare only protects the domain, it cannot protect the origin IP. Anything that will expose that needs to be eliminated. There is lot of sources to identify it including outgoing email. Specifically in phpBB the upload avatar from URL and image dimension check for offsite images can expose it.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
Alison V
Registered User
Posts: 24
Joined: Mon Sep 14, 2020 11:50 am

Re: Prevent origin and user IP in sent email

Post by Alison V »

Thanks for the input.

I ran a program called Fileseek against a download of phpBB and queried the search term, "X-AntiAbuse." I found that search term mentioned in the includes\functions_messenger.php, and \phpbb\message\message.php.

In functions_messenger.php I see the following:

Code: Select all

* Adds X-AntiAbuse headers
	*
	* @param \phpbb\config\config	$config		Config object
	* @param \phpbb\user			$user		User object
	* @return void
	*/
	function anti_abuse_headers($config, $user)
	{
		$this->headers('X-AntiAbuse: Board servername - ' . mail_encode($config['server_name']));
		$this->headers('X-AntiAbuse: User_id - ' . $user->data['user_id']);
		$this->headers('X-AntiAbuse: Username - ' . mail_encode($user->data['username']));
		$this->headers('X-AntiAbuse: User IP - ' . $user->ip);
	}

The User IP is self-explanatory. Is the Board servername the IP of the board? i.e, the origin IP of my board I'm trying to omit from sent emails?





In message.php is see the following:

Code: Select all

* Send the email
	*
	* @param \messenger $messenger
	* @param string $contact
	* @return null
	*/
	public function send(\messenger $messenger, $contact)
	{
		if (!count($this->recipients))
		{
			return;
		}

		foreach ($this->recipients as $recipient)
		{
			$messenger->template($this->template, $recipient['lang']);
			$messenger->replyto($this->sender_address);
			$messenger->to($recipient['address'], $recipient['name']);
			$messenger->im($recipient['jabber'], $recipient['username']);

			$messenger->headers('X-AntiAbuse: Board servername - ' . $this->server_name);
			$messenger->headers('X-AntiAbuse: User IP - ' . $this->sender_ip);

			if ($this->sender_id)
			{
				$messenger->headers('X-AntiAbuse: User_id - ' . $this->sender_id);
			}
			if ($this->sender_username)
			{
				$messenger->headers('X-AntiAbuse: Username - ' . $this->sender_username);
			}

Again, there is mention of the User IP.

Can I simply delete the lines from functions_messenger.php, and message.php that say,

$this->headers('X-AntiAbuse: Board servername - ' . mail_encode($config['server_name'])); ,

$this->headers('X-AntiAbuse: User IP - ' . $user->ip); ,

and

$messenger->headers('X-AntiAbuse: User IP - ' . $this->sender_ip);

without ill recourse? Or do I have to put something in its place? It looks like the code just applies headers so I should be able to omit that code without issue I think.

thecoalman wrote:Specifically in phpBB the upload avatar from URL and image dimension check for offsite images can expose it.
Remote avatars and Gravatars have been disabled since I knew that would be a cause for concern. Remote images are something I have been wondering about. I think the server that hosts them will just show the CloudFlare IP address from my website. Can you explain the image dimension check functionality? I'm not sure what this entangles in an effort to keep an origin IP address hidden.

It's not so much the DDoS mitigation as it is the firewall (WAF) and what not that keeps the bad business at bay from hitting the website. So far I've done a pretty good job with that, but I'm now just seeing that email headers completely destroy my efforts. :?

Thanks again.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Prevent origin and user IP in sent email

Post by thecoalman »

The "server name" is the domain name under server settings. Anything variable like this $config['some_thing'] can be looked up in the config table in the database. To reiterate you will not be able to hide the IP other than using different IP to send/receive email. Even if that was the IP it would only be a concern if you have taken steps to send/receive email on different IP.
Alison V wrote: Sat Jul 03, 2021 7:21 am Can I simply delete the lines from functions_messenger.php, and message.php that say,
Don't delete, comment it out.

Code: Select all

		//My Mod - Removed for privacy
		//$this->headers('X-AntiAbuse: User IP - ' . $user->ip);

Can you explain the image dimension check functionality?
Under post setting there is an option to limit the size of images in posts, phpBB checks the size of the image by making a request for it. As long as you have it set to 0 it's not a problem.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
Alison V
Registered User
Posts: 24
Joined: Mon Sep 14, 2020 11:50 am

Re: Prevent origin and user IP in sent email

Post by Alison V »

Okay, got it. And now I understand the image size check as it's a fetch.

Understand that code is for the domain name taken from the config table in the database. I'm still not understanding why I can't manipulate some code to omit the server IP from the email though. Isn't anything possible dealing with code? Is there something here I'm not aware of beyond the domain name lookup in the database?

I actually use Gmail for the board since it's a third-party email provider to mitigate origin IP exposure. But to my dismay, I see the IP from the board. Well, not the direct IP but an IP of my CIDR from my origin. Which means now someone can see I use X host and ascertain that probably my IP lies in this CIDR. From there you do some things I won't talk about and can easily obtain the origin IP. The other thing here is that I wonder if Gmail does things via their headers as well? But surely the source of the headers (my board) can be controlled since it's a function of SMTP.

I realize some people may be of the opinion that it may not be something to worry about. But when you go through so much effort trying to stay hidden behind a reverse proxy (CloudFlare in this case) and they are your WAF provider you pay for, you kinda wanna cover all bases and stay ahead of the possible hack potential. It could be as simple as not liking your content or retribution, etc.

I'll go ahead and comment that line out and run a test email and check the headers. Thanks.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Prevent origin and user IP in sent email

Post by thecoalman »

The IP is going to be added by the server software, how or if you can remove I don't know using Gmail.Presumably Gmail is going to add it no matter what. The problem with email is spam and since it can't be proxied you need valid information for the origin. Once again the orgin does not necessarily need to be same IP as the domain.
Alison V wrote: Sat Jul 10, 2021 8:00 pm From there you do some things I won't talk about and can easily obtain the origin IP.
If you have access to the firewall close all unnecessary ports for the origin IP and whitelist Cloudflare IP's for ports 80 and 443, drop all other traffic to them. That assumes every domain on that IP is proxied through CF. Presumably you are eluding to someone using custom DNS and running a bot across the hosts range. If they run a bot across the range they get "server not found" for all blocked ports.

Not only does this help prevent someone from finding the origin IP it can also help mitigate a DDOS attack if the IP is found. If you have direct access to the firewall and CSF you may want to explore CSF's configuration. There is profiles available specifically for times when your site is under attack to help mitigate them.
Alison V wrote: Sat Jul 10, 2021 8:00 pm I realize some people may be of the opinion that it may not be something to worry about. But when you go through so much effort trying to stay hidden behind a reverse proxy (CloudFlare in this case) and they are your WAF provider you pay for, you kinda wanna cover all bases and stay ahead of the possible hack potential. It could be as simple as not liking your content or retribution, etc
You are preaching to the choir as far as I go. It's been a few years but my site was hit twice. The first one was sustained for a week with requests coming in at two thousand per second. I was completely unprepared for that, the second one was about a week later when I was behind CF. Unfortunately I wasn't prepared enough as they did exactly what you eluded too above and identified the origin by scanning my hosts IP range.

I'm not giving away any secrets here, the people that are in control of the botnets are just hired guns. They know every trick in the book.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
User avatar
Alison V
Registered User
Posts: 24
Joined: Mon Sep 14, 2020 11:50 am

Re: Prevent origin and user IP in sent email

Post by Alison V »

Thanks for the response.

Is it possible to have an extension made to use a Sendgrid API I wonder? https://sendgrid.com/solutions/email-api/ I tried to create an account, but they wanted me to verify all kinds of things in order to prevent spam. I haven't looked into trying to satisfy what their customer support wanted right now. But if an extension is possible, works, and I'm verifiable with Sendgrid, maybe this would be the ticket to keeping the origin CIDR hidden as to help against an attack.

There's also Sparkpost.

https://www.sparkpost.com/docs/getting- ... om-address

https://www.sparkpost.com/docs/faq/diff ... d-premier/

The dedicated IP thing cost a lot. Unless you're a big time company it wouldn't be viable. Not sure if it would be a huge factor on mail integrity or not. I'm thinking if DKIM and DMARC are good that should help with the email reputation.
User avatar
thecoalman
Community Team Member
Community Team Member
Posts: 5871
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.
Contact:

Re: Prevent origin and user IP in sent email

Post by thecoalman »

Alison V wrote: Tue Jul 27, 2021 12:01 pm The dedicated IP thing cost a lot. Unless you're a big time company it wouldn't be viable. Not sure if it would be a huge factor on mail integrity or not. I'm thinking if DKIM and DMARC are good that should help with the email reputation.
You usually get 2 dedicated IP's with a VPS, managed packages start around $40 per month. Additional IP's are a few bucks. A VPS gives you all the flexibility of a dedicated server with less resources. It can host as many domains as you want within the allotted resources. You can actually host other people if you wanted and they get their own control panel etc. There is other benefits like root access, install whatever you want, configure things how you want. :D

The downside is it's bit more work and there is a learning curve. If you are using WHM/Capnel it's pretty easy to deal with.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
Post Reply

Return to “phpBB Custom Coding”