The Community Forums

Interact with an entire community of cPanel & WHM users!

see which php scripts are sending mail?

Discussion in 'Security' started by alexmack, Aug 24, 2010.

  1. alexmack

    Is there any way to do this?

    Also, is there an easy way to get a summary of the most recent Exim messages sent, including the subject?
     
  2. kuldeep_

    To trace a PHP script sending email, you will first need root SSH access to the server and to enable the log selector for Exim, which will help you generate extra, well-defined logs for Exim.

    To do this, access WHM as root. Go to Service Configuration >> Exim Configuration Editor. Click on Advanced Editor.

    Under the exim.conf section you will see #!!# cPanel Exim 4 Config
    and you can add the following code in the text box.

    Now checking the Exim logs:

    The above command will grep for the current working directory for Exim and show the directory path from which emails are being sent.

    Mostly, if emails are sent from a script, then in the Exim logs you will see email sent from cpaneluser@serverhostname.tld

    If you see there are multiple emails in the email queue with the name cpaneluser@serverhostname.tld, then you can check the headers for the message.

    To check the email header, use the command

    In the header section, look for X-PHP-Script: and that will show you the exact script, i.e. the one sending email.
     
  3. alexmack

    I seem to be getting

    " exim -Mvh 1OoLkg-0007fj-Hj
    Failed to open input file for 1OoLkg-0007fj-Hj-H: No such file or directory
    "

    for every one I attempt
     
  4. kuldeep_

    It seems that message ID 1OoLkg-0007fj-Hj was already delivered to the recipient, and so you are not able to read it.

    But you can still view the email subject. Check your Exim logs carefully
    and you will see T=" "; this section contains the email subject enclosed in double quotes.

    Also check the email queue; if there are any other emails present, then you can use the command exim -Mvh Message-ID
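
The two log fields mentioned in the replies above (the cwd= directory and the T="..." subject) can be summarised from the main log in one pass. The script below is an added example, not code posted by anyone in this thread; the sample log lines are constructed, and it assumes the log already carries cwd= lines and T= subjects.

```sh
#!/bin/sh
# Added example (not from the thread): summarise an Exim main log.
# Assumes extra logging is on, so the log has cwd= lines and T="subject".

# Constructed sample lines, not taken from a real server.
sample_log() {
cat <<'EOF'
2010-08-24 10:15:01 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2010-08-24 10:15:01 1OoAAA-0000aa-Aa <= alice@server.example.tld U=alice P=local S=812 T="Forum reply notification"
2010-08-24 10:15:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1OoAAA-0000aa-Aa
2010-08-24 10:16:10 cwd=/home/bob/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2010-08-24 10:16:10 1OoBBB-0000bb-Bb <= bob@server.example.tld U=bob P=local S=2048 T="Re: \"urgent\" invoice" for x@example.org
2010-08-24 10:16:11 cwd=/home/bob/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2010-08-24 10:16:11 1OoCCC-0000cc-Cc <= bob@server.example.tld U=bob P=local S=2050 T="Account update" for y@example.org
2010-08-24 10:17:00 1OoDDD-0000dd-Dd <= carol@example.net H=mail.example.net [192.0.2.10] P=esmtp S=900 T="Hello"
EOF
}

# Count submissions per working directory, busiest first. Paths under
# /var/spool are Exim's own queue runners, not user scripts, so skip them.
count_by_cwd() {
    awk '{ for (i = 1; i <= NF; i++)
               if ($i ~ /^cwd=/ && $i !~ /^cwd=\/var\/spool/) n[substr($i, 5)]++ }
         END { for (d in n) print n[d], d }' | sort -k1,1nr -k2
}

# Print "id sender subject" for the last N locally submitted messages
# (P=local is how Exim marks mail handed over by a local process, not SMTP).
# The subject is cut at the last double quote on the line, so escaped
# quotes inside it survive; assumes no quoted field follows T="...".
recent_local_subjects() {
    awk '/ P=local / && match($0, / T="/) {
             s = substr($0, RSTART + 4); sub(/"[^"]*$/, "", s)
             for (i = 2; i < NF; i++) if ($i == "<=") print $(i-1), $(i+1), s
         }' | tail -n "${1:-20}"
}

sample_log | count_by_cwd
sample_log | recent_local_subjects 2
```

On a server, feed the functions the real log on standard input instead of the sample, for example count_by_cwd < /var/log/exim_mainlog (the usual cPanel location; adjust if yours differs).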
     
  5. alexmack

    Is there any way to add the PHP script logging to the exim_main log?
     
  6. kuldeep_

    You can try one thing.
    If you have the CSF firewall installed, then you can edit the /etc/csf/csf.conf file, enable the feature LF_SCRIPT_ALERT = "1" and set the email script limit to LF_SCRIPT_LIMIT = "300"

    i.e. if more than 300 emails are found to be sent from a script, then you will receive an alert.
     