see which php scripts are sending mail

blogbytes

Member
Jul 11, 2011
13
0
51
Hi

I tried to reply to this thread but it told me its to old.
http://forums.cpanel.net/f185/see-php-scripts-sending-mail-163345.html

Is there a way to see which php script is sending mail? The solution in the thread above does not work anymore as I cannot find the exim.conf part in the advanced editor.

We have one cpanel account that sends out spam [email protected]
Is there a way to block that specific mail account from sending mail?

We have suspended the account for the time being, will that prevent the emails form sending?

Thanks
 

quietFinn

Well-Known Member
Feb 4, 2006
1,072
32
178
Finland
cPanel Access Level
Root Administrator
We have one cpanel account that sends out spam [email protected]
Is there a way to block that specific mail account from sending mail?
If the sender is outside of the server, and using the username (email address) and it's password to send those emails, then changing the password will stop them.
And if that is the case, then there is no script in the server sending, but it's someone relaying emails through your server.



We have suspended the account for the time being, will that prevent the emails form sending?
yes it does.
 

blogbytes

Member
Jul 11, 2011
13
0
51
If the sender is outside of the server, and using the username (email address) and it's password to send those emails, then changing the password will stop them.
And if that is the case, then there is no script in the server sending, but it's someone relaying emails through your server

yes it does.
Thanks @quietFinn

It does not look like it is being sent from an email address. The header looks like this:
Received: from accountusername by serverhostname with local (Exim 4.80)
(envelope-from <[email protected]>)
id 1UB34E-0000p5-BF
for [email protected]; Thu, 28 Feb 2013 14:58:34 +0200
I think it might be a script. The client also has a very old Joomla site hosted.

Thanks
 

quietFinn

Well-Known Member
Feb 4, 2006
1,072
32
178
Finland
cPanel Access Level
Root Administrator
In the mail headers there should be something like this:

X-PHP-Script: domain.com/path/to/script.php for IPADDRESS

If there is not check that you have
WHM-> Server Configuration-> Tweak Settings-> Mail-> Track email origin via X-Source email headers ON
 

NixTree

Well-Known Member
Aug 19, 2010
412
4
143
Gods Own Country
cPanel Access Level
Root Administrator
Twitter
Hi

I tried to reply to this thread but it told me its to old.
http://forums.cpanel.net/f185/see-php-scripts-sending-mail-163345.html

Is there a way to see which php script is sending mail? The solution in the thread above does not work anymore as I cannot find the exim.conf part in the advanced editor.

We have one cpanel account that sends out spam [email protected]
Is there a way to block that specific mail account from sending mail?

We have suspended the account for the time being, will that prevent the emails form sending?

Thanks
If you are using >PHP 5.3.0 , you have two PHP directives which are very useful to find the source of emails that send via PHP mail() call. Which are

mail.add_x_header
mail.log

You can read more about them at PHP: Runtime Configuration - Manual . This should add extra layer of email logging which let you to track emails so easily :)
 

blogbytes

Member
Jul 11, 2011
13
0
51
Thanks for all the replies.

I have found the source of the sending and it was indeed a open hole in a Joomla plugin. We found numerous dodgy php files on the users account.

We changed all their email passwords, the main Cpanel account password. The site is still suspended.
I would like to unsuspend the account so we can update their website with the latest plugins etc, however, I am worried I missed something and the mails will start sending again.

Is there anyway I can block a certain email, in this case, [email protected] from sending mail at all?
 

arunsv84

Well-Known Member
Oct 20, 2008
373
1
68
127.0.0.1
cPanel Access Level
Root Administrator
Hi,

Enable detailed logging in exim config file and you should be able to trace the exact location of script.

Backup your exim.conf.

Open exim.conf in editor and replace the line with the following.

log_selector = +all
Save and restart exim.

Take a look at the following url for more details.

<Link Removed No longer Valid>

Cheers!!!
 
Last edited by a moderator: