3 Ways of blocking sendmail.php on IIS webserver

Written By Jan Reilink

Windows Server system administrator & enthusiast.

Here are 3 ways of blocking access to a PHP sendmail.php script on your Windows Server IIS webserver. This comes in handy if a website on your webserver sends out spam and you need to block access to a script on a specific website or globally in IIS. You can use a web.config file for this purpose, and here is how.

Suppose one of the websites you host on your Windows Server IIS webserver sends out spam, and you notice an X-PHP-Originating-Script header naming sendmail.php as the responsible script. Here are three ways you can block access to that particular script.

Method 1: Block POST requests using a URL Rewrite rule

A quick way to stop the spam-sending abuse is to block POST requests on a mail script or URL:

<!-- Goes inside <system.webServer><rewrite><rules> in web.config -->
<rule name="Block contact form spam" stopProcessing="true">
  <match url="(.*)" ignoreCase="true" />
  <conditions logicalGrouping="MatchAll">
    <add input="{URL}" pattern="/sendmail.php" ignoreCase="true" negate="false" />
    <add input="{REQUEST_METHOD}" pattern="POST" ignoreCase="true" negate="false" />
  </conditions>
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

This IIS URL Rewrite rule is evaluated for every request. When both conditions match, the request is blocked and a 403 Forbidden status code is sent. Because the conditions use the MatchAll logicalGrouping, both input values ({URL} and {REQUEST_METHOD}) need to match; otherwise the rule does not evaluate as true.

Method 2: Block access to the file completely using a URL Rewrite rule

Another method is to completely block access to the file. In this scenario, the requested URL is evaluated, and if it matches sendmail.php, the request is blocked. Again, a custom 403 status code is sent to the browser.

<!-- Goes inside <system.webServer><rewrite><rules> in web.config -->
<rule name="Block sendmail.php" stopProcessing="true">
  <match url="^sendmail\.php$" ignoreCase="false" />
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

Method 3: IIS Request Filtering URL Deny Sequence

Use the IIS Request Filtering feature to configure filtering rules. The IIS module RequestFilteringModule is loaded and executed prior to the URL Rewrite module. Using this module blocks access to sendmail.php at an earlier stage, and thus faster, than using a URL Rewrite rule.

<!-- Goes inside <system.webServer>; denies any URL that contains this sequence -->
<security>
  <requestFiltering>
    <denyUrlSequences>
      <add sequence="sendmail.php" />
    </denyUrlSequences>
  </requestFiltering>
</security>
Request Filtering URL Deny Sequence: block sendmail.php

Please note that a Request Filtering rule sends out the following to the browser:

HTTP Error 404.5 – Not Found
The request filtering module is configured to deny the URL sequence.

This might give an attacker a clue he’s blocked.
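To confirm from the IIS W3C logs that a block is taking effect, the following added example (not part of the original article) tallies requests for the script by method and status: 403.0 is what the URL Rewrite rules of Methods 1 and 2 return, 404.5 is Request Filtering from Method 3. The log lines are constructed with a shortened field set, and the function names are illustrative; the parser reads whatever the log's #Fields directive lists.

```python
from collections import Counter

# Constructed sample in IIS W3C format (not from a real server).
# The addresses are from the reserved documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status sc-substatus
2024-01-10 09:00:01 POST /sendmail.php 203.0.113.7 200 0
2024-01-10 09:00:02 POST /sendmail.php 203.0.113.7 200 0
2024-01-10 09:05:00 POST /sendmail.php 203.0.113.7 403 0
2024-01-10 09:05:03 GET /sendmail.php 198.51.100.9 200 0
2024-01-10 09:10:00 POST /SendMail.php 203.0.113.7 404 5
2024-01-10 09:10:04 GET /index.php 198.51.100.9 200 0
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):  # skip damaged lines
                yield dict(zip(fields, values))

def is_script(row, script):
    # Windows paths are case-insensitive, so /SendMail.php is the same file.
    return row.get("cs-uri-stem", "").lower().endswith("/" + script.lower())

def script_hits(text, script="sendmail.php"):
    """Count requests for the script as (method, 'status.substatus')."""
    tally = Counter()
    for row in parse_w3c(text):
        if is_script(row, script):
            code = f'{row.get("sc-status", "?")}.{row.get("sc-substatus", "?")}'
            tally[(row.get("cs-method", "?"), code)] += 1
    return tally

def served_posts(text, script="sendmail.php"):
    """Return (timestamp, client IP) for POSTs the server did not refuse."""
    return [(f'{r.get("date")} {r.get("time")}', r.get("c-ip"))
            for r in parse_w3c(text)
            if is_script(r, script) and r.get("cs-method") == "POST"
            and r.get("sc-status", "").startswith(("2", "3"))]

if __name__ == "__main__":
    for (method, code), count in sorted(script_hits(SAMPLE_LOG).items()):
        print(f"{method:5} {code:6} {count}")
    print("POSTs still served:", served_posts(SAMPLE_LOG))
```

In the sample, the GET that still returns 200 after the first 403 is what Method 1 looks like in the log, since it refuses only POST requests.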

Conclusion: blocking abused files like sendmail.php in IIS

As you can see, it’s fairly easy and straightforward to block access to a particular PHP script on your Windows Server IIS webserver. Substitute “sendmail.php” with the script name in your scenario, and put the web.config file in the website physical path directory.

