see which php scripts are sending mail

blogbytes

Member
Jul 11, 2011
13
0
51
Hi

I tried to reply to this thread but it told me it's too old.
http://forums.cpanel.net/f185/see-php-scripts-sending-mail-163345.html

Is there a way to see which php script is sending mail? The solution in the thread above does not work anymore as I cannot find the exim.conf part in the advanced editor.

We have one cpanel account that sends out spam [email protected]
Is there a way to block that specific mail account from sending mail?

We have suspended the account for the time being, will that prevent the emails from sending?

Thanks
 

quietFinn

Well-Known Member
Feb 4, 2006
1,894
464
438
Finland
cPanel Access Level
Root Administrator
We have one cpanel account that sends out spam [email protected]
Is there a way to block that specific mail account from sending mail?
If the sender is outside of the server, and using the username (email address) and its password to send those emails, then changing the password will stop them.
And if that is the case, then there is no script in the server sending, but it's someone relaying emails through your server.



We have suspended the account for the time being, will that prevent the emails from sending?
Yes it does.
 

blogbytes

If the sender is outside of the server, and using the username (email address) and its password to send those emails, then changing the password will stop them.
And if that is the case, then there is no script in the server sending, but it's someone relaying emails through your server

yes it does.
Thanks @quietFinn

It does not look like it is being sent from an email address. The header looks like this:
Received: from accountusername by serverhostname with local (Exim 4.80)
(envelope-from <[email protected]>)
id 1UB34E-0000p5-BF
for [email protected]; Thu, 28 Feb 2013 14:58:34 +0200
I think it might be a script. The client also has a very old Joomla site hosted.

Thanks
 

quietFinn

In the mail headers there should be something like this:

X-PHP-Script: domain.com/path/to/script.php for IPADDRESS

If there is not, check that you have
WHM-> Server Configuration-> Tweak Settings-> Mail-> Track email origin via X-Source email headers ON
 

NixTree

Well-Known Member
Aug 19, 2010
413
5
143
Gods Own Country
cPanel Access Level
Root Administrator
Hi

I tried to reply to this thread but it told me it's too old.
http://forums.cpanel.net/f185/see-php-scripts-sending-mail-163345.html

Is there a way to see which php script is sending mail? The solution in the thread above does not work anymore as I cannot find the exim.conf part in the advanced editor.

We have one cpanel account that sends out spam [email protected]
Is there a way to block that specific mail account from sending mail?

We have suspended the account for the time being, will that prevent the emails from sending?

Thanks
If you are using >PHP 5.3.0, you have two PHP directives which are very useful for finding the source of emails that are sent via the PHP mail() call. They are:

mail.add_x_header
mail.log

You can read more about them at PHP: Runtime Configuration - Manual. This should add an extra layer of email logging which lets you track emails easily :)
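
Added example (not part of any post in this thread, and not cPanel or PHP project code): a small Python tally of which script a batch of raw messages came from, using the `X-PHP-Script` header format quoted above and the `X-PHP-Originating-Script: UID:filename` header that PHP writes when `mail.add_x_header` is on. The function names and the sample messages are constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

# "X-PHP-Script: domain.com/path/to/script.php for IPADDRESS" (format quoted in the thread)
X_PHP_SCRIPT = re.compile(r"^(?P<script>\S+)\s+for\s+(?P<requester>.+)$")
# "X-PHP-Originating-Script: UID:filename", written by PHP when mail.add_x_header is on
X_PHP_ORIGINATING = re.compile(r"^(?P<uid>\d+):(?P<file>.+)$")

def php_origin(raw_message):
    """Return (script, requester) for one raw message, or None without a PHP origin header."""
    msg = message_from_string(raw_message)
    value = msg.get("X-PHP-Script")
    if value:
        # Long header values may be folded over several lines; join them first.
        m = X_PHP_SCRIPT.match(" ".join(value.split()))
        if m:
            return m.group("script"), m.group("requester")
    value = msg.get("X-PHP-Originating-Script")
    if value:
        m = X_PHP_ORIGINATING.match(value.strip())
        if m:
            return m.group("file"), "uid " + m.group("uid")
    return None

def tally(raw_messages):
    """Count messages per (script, requester), busiest first."""
    counts = Counter()
    for raw in raw_messages:
        counts[php_origin(raw) or ("(no PHP header)", "-")] += 1
    return counts.most_common()

# Constructed sample messages (not taken from the thread).
SAMPLE = [
    "X-PHP-Script: example.com/components/com_demo/up.php for 203.0.113.7\n"
    "Subject: one\n\nbody\n",
    "X-PHP-Script: example.com/components/com_demo/up.php\n for 203.0.113.7\n"
    "Subject: two (folded header)\n\nbody\n",
    "X-PHP-Originating-Script: 1001:mailer.php\nSubject: three\n\nbody\n",
    "Subject: four, sent without PHP\n\nbody\n",
]

if __name__ == "__main__":
    for (script, requester), n in tally(SAMPLE):
        print(f"{n:4d}  {script}  ({requester})")
```

Pass `tally()` the raw text of messages collected from the mail queue or from complaint reports; the script at the top of the output is the first place to look.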
 

blogbytes

Thanks for all the replies.

I have found the source of the sending and it was indeed an open hole in a Joomla plugin. We found numerous dodgy PHP files on the user's account.

We changed all their email passwords and the main cPanel account password. The site is still suspended.
I would like to unsuspend the account so we can update their website with the latest plugins etc, however, I am worried I missed something and the mails will start sending again.

Is there any way I can block a certain email, in this case, [email protected] from sending mail at all?
 

arunsv84

Well-Known Member
Oct 20, 2008
372
1
68
127.0.0.1
cPanel Access Level
Root Administrator
Hi,

Enable detailed logging in the exim config file and you should be able to trace the exact location of the script.

Backup your exim.conf.

Open exim.conf in editor and replace the line with the following.

log_selector = +all
Save and restart exim.

Take a look at the following url for more details.

<Link Removed No longer Valid>

Cheers!!!
 