14 Feb
2013
14 Feb
'13
5:52 a.m.
Good morning,
I'm a Roundcube newbie who is currently working on some minor plugins to adapt Roundcube to our needs.
One of our requirements is the ability to disable outgoing mail on accounts compromised by spammers after someone falls for a phishing spam.
The attached plugin is close to what I need, other than the fact that the user doesn't get any feedback to indicate that email has been disabled. Should I be using something other than rcmail::raise_error() to stop Roundcube in its tracks and generate an error page?
Thanks,
--
David Carter Email: David.Carter@ucs.cam.ac.uk
University Computing Service, Phone: (01223) 334502
New Museums Site, Pembroke Street, Fax: (01223) 334679
Cambridge UK. CB2 3QH.
/* ================================================================== */
class hermes_ratelimit extends rcube_plugin
{
public $task = 'mail';
private $max_recipients = 1000;
public function init()
{
$this->add_hook('message_before_send',
array($this, 'message_before_send'));
}
public function message_before_send($p) {
$username = $_SESSION['username'];
# XXX Should check if $username compromised in previous login session here.
$mailto = $p['mailto'];
$recips = explode(",", $mailto);
$count = count($recips);
if (isset($_SESSION['recip_count'])) {
$_SESSION['recip_count'] = $_SESSION['recip_count'] + $count;
} else {
$_SESSION['recip_count'] = $count;
}
if ($_SESSION['recip_count'] >= $this->max_recipients) {
error_log("hermes_ratelimit: " . $username .
" reached limit of " . $this->max_recipients);
# XXX Should add $username to database blacklist here
rcmail::raise_error
(array('code' => 800, 'type' => 'smtp', 'message' =>
"Compromised account? Outgoing email disabled!"
), true, true);
}
}
}