3 Ways of blocking sendmail.php on IIS webserver

Here are 3 ways of blocking access to a PHP sendmail.php script on your Windows Server IIS webserver. This comes in handy if a website on your webserver sends out spam and you need to block access to a script on a specific website or globally in IIS. You can use a web.config file for this purpose, and here is how.

Suppose one of the websites you host on your Windows Server IIS webserver sends out spam, and you notice an X-PHP-Originating-Script header naming sendmail.php as the responsible script. Here are three ways you can block access to that particular script.

Method 1: Block POST requests using a URL Rewrite rule

A quick way to stop the spam sending abuse is by blocking POST requests on a mail script or URL. The rule goes inside the system.webServer/rewrite/rules section of web.config:

<rule name="Block contact form spam" stopProcessing="true">
	<match url="(.*)" ignoreCase="true" />
	<conditions logicalGrouping="MatchAll">
		<add input="{URL}" pattern="/sendmail.php" ignoreCase="true" negate="false" />
		<add input="{REQUEST_METHOD}" pattern="POST" ignoreCase="true" negate="false" />
	</conditions>
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

This IIS URL Rewrite rule is evaluated for every request, and when both conditions match, the request is blocked and a 403 Forbidden status code is sent. Because the conditions use a MatchAll logicalGrouping, both input values ({URL} and {REQUEST_METHOD}) need to match, otherwise the rule does not evaluate as true.

Method 2: Block access to the file completely using a URL Rewrite rule

Another method is to completely block access to the file. In this scenario, the requested URL is evaluated, and if it matches sendmail.php, the request is blocked. Again, a custom 403 status code is sent to the browser.

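<rule name="Block sendmail.php" stopProcessing="true">
	<!-- ignoreCase="true": IIS serves SendMail.PHP as the same file, so match case-insensitively -->
	<match url="^sendmail\.php$" ignoreCase="true" />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>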

Method 3: IIS Request Filtering URL Deny Sequence

Use the IIS Request Filtering feature to configure filtering rules. The IIS module RequestFilteringModule is loaded and executed prior to the URL Rewrite module, so it blocks access to sendmail.php at an earlier stage, and thus faster, than a URL Rewrite rule. The add element below goes in the denyUrlSequences collection under system.webServer/security/requestFiltering in web.config:

			<add sequence="sendmail.php" />
[Screenshot: Request Filtering URL Deny Sequence blocking sendmail.php]

Please note that a Request Filtering rule sends out the following to the browser:

HTTP Error 404.5 – Not Found
The request filtering module is configured to deny the URL sequence.

This might give an attacker a clue he’s blocked.
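
Before relying on one of the three methods, it helps to check which request paths each pattern actually covers. The following is an added example, not part of the original post: it approximates the three match expressions with Python's re module and runs them over constructed sample paths. It assumes the web.config sits in the site root, that the URL Rewrite match url input is the path without its leading slash, and that a deny sequence is compared case-insensitively.

```python
import re

# Constructed request paths, as IIS sees them after the query string is removed.
SAMPLE_PATHS = [
    "/sendmail.php",          # the script at the site root
    "/SendMail.PHP",          # same file on a case-insensitive file system
    "/contact/sendmail.php",  # a copy in a subdirectory
    "/sendmail.php/extra",    # script name followed by extra path info
    "/index.php",             # unrelated page that must stay reachable
]

def method1_blocks(path, verb):
    """Method 1: {URL} contains /sendmail.php and {REQUEST_METHOD} contains POST."""
    url_hit = re.search(r"/sendmail.php", path, re.IGNORECASE)
    verb_hit = re.search(r"POST", verb, re.IGNORECASE)
    return bool(url_hit and verb_hit)

def method2_blocks(path, ignore_case):
    """Method 2: <match url> sees the path without its leading slash (assumption:
    web.config is in the site root)."""
    relative = path[1:] if path.startswith("/") else path
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(r"^sendmail\.php$", relative, flags) is not None

def method3_blocks(path):
    """Method 3: a deny sequence modelled as a case-insensitive substring test
    on the URL (assumption stated in the lead-in)."""
    return "sendmail.php" in path.lower()

def coverage(verb, ignore_case):
    """Map each sample path to (method 1, method 2, method 3) block decisions."""
    return {
        p: (method1_blocks(p, verb), method2_blocks(p, ignore_case), method3_blocks(p))
        for p in SAMPLE_PATHS
    }

if __name__ == "__main__":
    for path, hits in coverage("POST", ignore_case=True).items():
        print(f"{path:24} {hits}")
```

The anchored Method 2 pattern only covers the script in the directory that holds the web.config, while Method 1 leaves GET requests to the script reachable; the deny sequence covers every sample path that contains the script name.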


As you can see, it’s fairly easy and straightforward to block access to a particular PHP script on your Windows Server IIS webserver. Substitute “sendmail.php” with the script name in your scenario, and put the web.config file in the website physical path directory.
