
If you don't have access to the server logs, what is a reliable way of checking to see if your php form is being used to send spam?

I know if the form is being used to send spam to me, but I want to make sure it is not being manipulated in some way to send spam to others.

user3216933
  • How about coding your form in a way it can't be used to send spam? – Prix May 01 '14 at 16:26
  • Show us the code. I would change the code so it doesn't allow this. – Matt The Ninja May 01 '14 at 16:26
  • Maybe you can use a captcha? – Gwenc37 May 01 '14 at 16:27
  • Right now I just want to verify that it isn't sending spam, so I'm looking for tried and tested ways without getting overly complex. If it is, then the code will have to be modified... – user3216933 May 01 '14 at 16:29
  • Checking the user input to make sure the data is not being manipulated is the simplest way to avoid having your domain blacklisted for spamming, as well as to avoid having to check each email being sent. – Prix May 01 '14 at 16:30
  • @Prix — That is not "simple" at all. – Quentin May 01 '14 at 16:36

1 Answer


Edit the script to have it log all the requests it processes in a separate database that you do have access to.

Quentin
  • Can this be done to a text file? If so, can you point me to any tutorials? – user3216933 May 01 '14 at 16:27
  • @user3216933 instead of logging and watching people use it to spam, why not rework it to prevent it, so you don't have further headaches with your domain name going to the blacklist? – Prix May 01 '14 at 16:29
  • @Prix because there might not be any issue at all.. – user3216933 May 01 '14 at 16:31
  • @user3216933 what you're saying just means "hey I am using MySQL with no sanitized user input, I will just leave it at that." Then someone comes in and deletes all your database, why? Because you did not sanitize your user input. That is just one example of things that can happen for not sanitizing user input, and in your case your domain name and IP can get blacklisted for good, and it's a pain to get it out of a blacklist. – Prix May 01 '14 at 16:32
  • @Prix I understand but in this case there is no database involved... just a php contact form – user3216933 May 01 '14 at 16:33
  • @user3216933 — I dislike using text files (due to file locking issues) but http://php.net/manual/en/function.fwrite.php – Quentin May 01 '14 at 16:34
  • @Prix — I would read the question as "I don't know if my script is secure so I would like to add monitoring to it so I can be alerted if there is a problem" and not as "I know my script is insecure and can't be bothered to fix it until I know there is a problem". – Quentin May 01 '14 at 16:35
  • @Quentin I read "because there might not be any issue at all" as "I know my script is insecure and can't be bothered to fix it until I know there is a problem", and the amount of time he will invest adding a log to his mailer would probably be the same amount he would waste verifying the user input and making sure it doesn't even happen. – Prix May 01 '14 at 16:36
  • Not to mention that by the time he checks his logs to actually find out his mailer was used to do bad things such as phishing or spamming, it will already be too late. – Prix May 01 '14 at 16:40
  • @Prix By that logic there's no point in keeping `btmp` or `secure` logs on *nix hosts either. – StvnW May 01 '14 at 17:01
  • Even if form input is sanitized or the form is made "secure", logging requests until you're confident it's not being abused is a refreshingly responsible approach. If only everyone were so good about testing their assumptions. – StvnW May 01 '14 at 17:06
  • @StvnW the thing is, if you don't sanitize the user input and you get hit, and it's a big hit, no logs will save your domain or IP from being trashed. If it was me I would be saving both user activity as well as sanitizing any data that requires user input or that can be manipulated. However, in this specific case, only saving logs if the form is misused may get you to a point where it would be easier to buy a new domain than clear your own. – Prix May 01 '14 at 17:21
  • @Prix We probably agree then. Logging is no substitute for sanitizing; sanitizing does not relieve the responsibility for monitoring. – StvnW May 01 '14 at 17:36
  • @StvnW from what you said you're excluding sanitizing and just monitoring, while I am doing both, but the OP is not. – Prix May 01 '14 at 17:49
  • @Prix I am advocating for both. – StvnW May 01 '14 at 18:02
  • @Quentin Writing to a text file presumably involves using 777 permissions. Isn't that dangerous in its own regard? – user3216933 May 02 '14 at 12:34
  • @user3216933 — It definitely doesn't need executable permissions, and it only needs to be writable by the user the PHP script runs as. – Quentin May 02 '14 at 12:35
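A worked version of the answer's suggestion, added here as an example (it is not Quentin's code or the asker's form): every request is appended as one JSON line to a log file under an exclusive lock, the file only needs to be writable by the PHP user as the last comment says, and the fields that end up in mail headers are rejected if they contain CR/LF, which is the header-injection route by which a contact form gets turned into a spam relay. The log path and the e-mail addresses are assumptions.

```php
<?php
// Added example, not code from the question or answer. Contact-form handler that
// logs every request it processes and refuses header-injection attempts.
// LOG_FILE location and both e-mail addresses are assumed values.
declare(strict_types=1);
// Kept outside the web root; writable only by the PHP user, never 777.
const LOG_FILE = __DIR__ . '/../logs/contact-form.log';

function hasHeaderInjection(string $value): bool
{
    // A CR, LF or NUL inside a header value lets a sender append Bcc:/To: lines.
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function logRequest(array $fields, string $outcome): void
{
    $record = [
        'time'    => date('c'),
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? 'cli',
        'outcome' => $outcome,
        'fields'  => $fields,
    ];
    // LOCK_EX serialises concurrent writers (the file-locking concern in the comments).
    file_put_contents(LOG_FILE, json_encode($record) . PHP_EOL, FILE_APPEND | LOCK_EX);
}

function handleContactForm(array $post): string
{
    $fields = [];
    foreach (['name', 'email', 'subject', 'message'] as $key) {
        $fields[$key] = trim((string)($post[$key] ?? ''));
    }
    if (!filter_var($fields['email'], FILTER_VALIDATE_EMAIL)) {
        logRequest($fields, 'rejected:bad-email');
        return 'Invalid e-mail address.';
    }
    foreach (['name', 'subject'] as $headerField) {
        if (hasHeaderInjection($fields[$headerField])) {
            logRequest($fields, 'rejected:header-injection');
            return 'Invalid input.';
        }
    }
    // Recipient is fixed server-side; user values never form raw header lines.
    $headers = "From: webform@example.com\r\nReply-To: {$fields['email']}\r\n";
    $sent = mail('owner@example.com', $fields['subject'], $fields['message'], $headers);
    logRequest($fields, $sent ? 'sent' : 'mail-failed');
    return $sent ? 'Thanks, your message was sent.' : 'Could not send message.';
}
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo handleContactForm($_POST);
}
```

Reviewing the log for `rejected:header-injection` outcomes, or for bursts of `sent` records from one IP, is the check the question asks for; a one-line-per-request JSON log can be grepped or loaded into any tool without needing the server's mail logs.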