
see which php scripts are sending mail

Discussion in 'Security' started by blogbytes, Feb 28, 2013.

  1. blogbytes

    Hi

    I tried to reply to this thread but it told me it's too old.
    http://forums.cpanel.net/f185/see-php-scripts-sending-mail-163345.html

    Is there a way to see which php script is sending mail? The solution in the thread above does not work anymore as I cannot find the exim.conf part in the advanced editor.

    We have one cpanel account that sends out spam username@cpanelaccount.tld
    Is there a way to block that specific mail account from sending mail?

    We have suspended the account for the time being, will that prevent the emails from sending?

    Thanks
     
  2. quietFinn

    If the sender is outside of the server, and using the username (email address) and its password to send those emails, then changing the password will stop them.
    And if that is the case, then there is no script in the server sending, but it's someone relaying emails through your server.



    Yes it does.
     
  3. blogbytes

    Thanks @quietFinn

    It does not look like it is being sent from an email address. The header looks like this:
    I think it might be a script. The client also has a very old Joomla site hosted.

    Thanks
     
  4. quietFinn

    In the mail headers there should be something like this:

    X-PHP-Script: domain.com/path/to/script.php for IPADDRESS

    If there is not, check that you have
    WHM -> Server Configuration -> Tweak Settings -> Mail -> Track email origin via X-Source email headers ON
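
Added example (not part of any post in this thread, and not cPanel code): once outgoing messages carry the X-PHP-Script header in the form shown above, a tally over saved copies of those messages shows which script is responsible. The sample messages, domain, paths and IP addresses are constructed placeholders; messages with no such header are counted separately, as mail relayed over SMTP with a known password would be.

```python
from collections import Counter
from email import message_from_string

# Constructed sample messages: domain, paths and IPs are placeholders.
SAMPLE_MESSAGES = [
    "From: user@example.com\n"
    "X-PHP-Script: example.com/plugins/old/mailer.php for 203.0.113.7\n"
    "Subject: a\n\nbody\n",
    "From: user@example.com\n"
    "X-PHP-Script: example.com/plugins/old/mailer.php for 203.0.113.7\n"
    "Subject: b\n\nbody\n",
    # Header folded onto a continuation line, as long headers can be.
    "From: user@example.com\n"
    "X-PHP-Script: example.com/components/com_old/tmp/x.php\n"
    " for 198.51.100.9\n"
    "Subject: c\n\nbody\n",
    # No X-PHP-Script header at all.
    "From: user@example.com\nSubject: d\n\nbody\n",
]

def parse_x_php_script(raw_message):
    """Return (script, client_ip) from X-PHP-Script, or None if absent."""
    value = message_from_string(raw_message).get("X-PHP-Script")
    if value is None:
        return None
    value = " ".join(str(value).split())  # unfold and collapse whitespace
    script, sep, client_ip = value.rpartition(" for ")
    if not sep:  # header present but without the "for IPADDRESS" part
        return value, None
    return script, client_ip

def tally_scripts(raw_messages):
    """Count messages per script and per (script, client IP) pair."""
    per_script, per_client, untagged = Counter(), Counter(), 0
    for raw in raw_messages:
        parsed = parse_x_php_script(raw)
        if parsed is None:
            untagged += 1
            continue
        script, client_ip = parsed
        per_script[script] += 1
        per_client[(script, client_ip)] += 1
    return per_script, per_client, untagged

if __name__ == "__main__":
    scripts, clients, untagged = tally_scripts(SAMPLE_MESSAGES)
    for script, count in scripts.most_common():
        print(f"{count:5d}  {script}")
    print(f"{untagged:5d}  (no X-PHP-Script header)")
```

The per-client counter separates one script being hit repeatedly from a single address from the same script being driven by many addresses.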
     
  5. georgeb


    You have to enable this in EasyApache before the update by selecting "MailHeaders" under the PHP Options, and with PHP 5.4 (it is integrated) you just have to add this in php.ini

    Regards,
    George B.
     
  6. NixTree

    If you are using PHP > 5.3.0, you have two PHP directives which are very useful for finding the source of emails that are sent via the PHP mail() call. They are:

    mail.add_x_header
    mail.log

    You can read more about them at PHP: Runtime Configuration - Manual. This should add an extra layer of email logging which lets you track emails easily :)
     
  7. blogbytes

    Thanks for all the replies.

    I have found the source of the sending and it was indeed an open hole in a Joomla plugin. We found numerous dodgy PHP files on the user's account.

    We changed all their email passwords and the main cPanel account password. The site is still suspended.
    I would like to unsuspend the account so we can update their website with the latest plugins etc.; however, I am worried I missed something and the mails will start sending again.

    Is there any way I can block a certain email, in this case cpanelusername@hostname.tld, from sending mail at all?
     
  8. arunsv84

    Hi,

    Enable detailed logging in exim config file and you should be able to trace the exact location of script.

    Backup your exim.conf.

    Open exim.conf in editor and replace the line with the following.

    Save and restart exim.

    Take a look at the following URL for more details.

    Trace Spammer in Exim

    Cheers!!!
     
  9. blogbytes

    Thanks arunsv84 :)
     