Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:26943
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: unknown (pb1.pair.com: domain gmail.com does not designate 87.117.193.62 as permitted sender)
Message-ID: <45808461.9070505@gmail.com>
Date: Wed, 13 Dec 2006 22:53:21 +0000
User-Agent: Thunderbird 1.5.0.7 (Windows/20060909)
MIME-Version: 1.0
To: Ilia Alshanetsky <ilia@prohost.org>
CC: PHP internals <internals@lists.php.net>
References: <10536315-883E-4C1A-AF35-386DF4D73F84@prohost.org> <45807AC8.8020907@gmail.com> <515375DA-C752-4F5D-A244-3394C56846DA@prohost.org>
In-Reply-To: <515375DA-C752-4F5D-A244-3394C56846DA@prohost.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] mail() logging for PHP
From: stuttle@gmail.com (Stut)

Ilia Alshanetsky wrote:
> 
> On 13-Dec-06, at 5:12 PM, Stut wrote:
> 
>> Ilia Alshanetsky wrote:
>>> Is there any interest in adding support for logging of mail() calls 
>>> and/or adding options that allow identification of who sent the e-mail.
>>> I've wrote a quick patch that enables this functionality via two ini 
>>> settings controllable via php.ini or per-virtual host.
>>> The first option, mail.add_x_header (boolean) allows you to enable 
>>> the addition of the X-PHP-Originating-Script header to each mail sent 
>>> by mail(), which will include the uid of the script and its name. The 
>>> combination of the two should be sufficient to identify the user to 
>>> whom the script belongs and via a simple find command locate the 
>>> actual script. This option is intended primarily for instances where 
>>> you have a bounced e-mail or a forwarded mail with a spam complaint, 
>>> allowing you to quickly identify the offender.
>>> The second option, mail.log (takes a filename) allows you to enable 
>>> logging of every single mail() call, each log line will include the 
>>> fullpath of the file and the line where the mail() was called from in 
>>> addition to the "To" address and any headers (to keep track of CC, 
>>> BCC) that were part of the function call. To ensure that each log 
>>> line is 1 line long, \r and \n are replaced with spaces.
>>> The patch that makes this possible can be found here:
>>> http://ilia.ws/uploads/patches/mail_log.txt.gz
>>
>> Yes, yes, yes, a thousand times yes. I'm assuming the filename is the 
>> full path and filename? Couldn't that be considered a security risk?
> 
> Only in the log file, for the header only the filename is included, so 
> there is no security risk here.
> 
>> IMHO it would be better to have an option that would provide the 
>> domain name and the filename relative to the site root (if available).
>>
>> Also, I'm assuming this is configurable via php_flag in an Apache 
>> configuration file?
> 
> It can be controlled via httpd.conf but not via .htaccess.

Excellent.

I'm thinking about this from an ISP point of view... we get a lot of 
abuse reports because people have poorly written form handlers. It would 
be great if we could have PHP insert the full URL, domain name included, 
in the mail headers for anything it sends. Would that be possible?

I know that would only affect emails sent using the mail function, but 
it would be a massive improvement from where we are today.

-Stut