Questions on how to further secure a mail script

jshl

For the record, I am a complete PHP newbie, save for trying to read and partially understand the PHP script in wordpress. I am however fairly ok with HTML and am now getting up to speed with CSS.

I recently read, made use of and modified the script tutorial found at http://www.phpbuilder.com/columns/ian_gilfillan20060412.php3 , to make an fairly seamless and automated way to receive certain form inofmation. The script is working great so far, and hopefully I didn't break it when attempting to customise it to my use. Many kudos to the writer! ^_

Now while the script is functioning well, and is doing its job, I'm still a little concerned about potential spammers using it without my knowledge and as I'm both fairly new to PHP and not the person controlling the server my site is hosted on, I have a few specific questions regarding some of the suggestions made at the end of that article I used.

How do I log attempts to use my script for malicious means and take action on it, or should I just contact my host and ask them to do that for me?
More importantly, what indicators can I use to detect when spamming is taking place? If I am aware of it, there are steps I could probably take, but not knowing if and when spamming occurs or even how to find out, is at the top of my list of concerns.
What's the best course of action to take? Even if I take the script down, that's merely a temporary solution and in this case, I'm not yet talking about legal action or something. What's a good course of action to take, aside from say, banning IP addresses or something?

jwagner

The article you mentioned lists some nice techniques to avoid spammers from using your mail script.

If you implement them all, and you still feel like adding more security, I think you can just try to make sure your script does not use the email or subject field that were provided from the form, but to hardcode them and only mention the email and subject in the body section of the message.

jshl

@: Sorry for the late reply.

Thanks for the suggestion. As I said, I'm fairly new at PHP, so I'm not certain if I fully understand what you mean though. Am I correct to say that you mean, I should not have a email field and subject field, but instead hardcode a fixed generic email and subject field?

That's probably not possible because the form will need to identify the origin of the message as well as a set of info that is unique to that specific message.

If you did mean something else, can I clarify what you meant?

Update since my very first post

The form has been working successfully since I posted it, but I received a worrying email that contained rubbish information - random characters were entered into all fields. In case there was an attached virus or something, I declined to open it and deleted it immediately.

The part that concerned me was this - the script I modified is supposed to verify that an email address is valid, according to my understanding of it. The email address in the email had a garbled userid, but I believe it was listed as a yahoo or hotmail account.

I would really appreciate if anyone could suggest a way to log attempts to use the script to some kind of text file.

Bjom

You could read through an existing well programmed (free) mailer and either learn from it to improve your own thing or even simply use it...

Here's one that a friend of mine uses all the time for actual live applications; It is well documented and pretty clean in its coding style afair:

tectite form mailer

Bjom