HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

mattltm 2nd July 2013 08:40

users getting spam emails from server
Some of my users have started receiving spam emails that look like they are coming from the mail server. They are addressed from someone@servername.mydomain.tld

Is there anything I can do to stop this?

sjau 2nd July 2013 11:36

you could add headers to check where it's sent from... it's probably some php script that's getting abused.

mattltm 2nd July 2013 17:42

Add headers?

Do you mean check the headers on the email?

This is the email header:


Return-Path: <>
From: <HM@myserver.mydomain.tld>
To: <info@userdomain.tld>
Subject: ***SPAM***Tax Refund New Message Alert!
Date: Tue, 2 Jul 2013 03:32:01 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFXOcqxYQyb3TjOkfCwYK4CVpWOYQ==

sjau 2nd July 2013 17:47

you can tell php to add a header that shows the script path of a php script that sent the email.

mattltm 2nd July 2013 17:48

Oh, right.

Do you have a link where I can find out how to do that?

sjau 2nd July 2013 17:49


Originally Posted by mattltm (Post 299330)
Oh, right.

Do you have a link where I can find out how to do that?

Google knows

mattltm 2nd July 2013 17:56

Lol. That's great :rolleyes:

For anyone else who checks this thread and wants to know without wondering what google search string to use (a lot of results are for adding additional headers using the mail() function), it's the following line in your php.ini file:


;Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
mail.add_x_header = On

Mine is set to "On" so I guess this email is not coming from a script being abused on my server as it does not contain the "X-PHP-Originating-Script" string in the header.

Any other guesses as to where it's coming from and how to stop it?
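
The header check discussed in the posts above, as an added example that is not part of the original thread: it parses raw mail headers and reports whether `X-PHP-Originating-Script` is present, along with the null return path and the number of `Received` hops. Both sample messages, the uid 5004 and the script name contact.php are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the header posted in the thread.
SAMPLE_THREAD = """\
Return-Path: <>
From: <HM@myserver.mydomain.tld>
To: <info@userdomain.tld>
Subject: ***SPAM***Tax Refund New Message Alert!
Date: Tue, 2 Jul 2013 03:32:01 +0100
X-Mailer: Microsoft Outlook 14.0

body
"""

# Constructed sample: a message sent through PHP mail() with
# mail.add_x_header = On (uid 5004 and contact.php are made up).
SAMPLE_PHP = """\
Received: by myserver.mydomain.tld (Postfix, from userid 5004)
From: <HM@myserver.mydomain.tld>
To: <info@userdomain.tld>
Subject: test
X-PHP-Originating-Script: 5004:contact.php

body
"""

def triage(raw):
    """Return the header fields that help locate where a message entered the system."""
    msg = message_from_string(raw)
    result = {
        "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
        "null_return_path": msg.get("Return-Path", "").strip() == "<>",
        # Each MTA that handled the message adds one Received line.
        "received_hops": len(msg.get_all("Received", [])),
        "php_uid": None,
        "php_script": None,
    }
    origin = msg.get("X-PHP-Originating-Script")
    if origin:  # header value has the form "uid:filename"
        uid, _, script = origin.strip().partition(":")
        result["php_uid"] = int(uid) if uid.isdigit() else None
        result["php_script"] = script or None
    return result

if __name__ == "__main__":
    for name, raw in (("thread", SAMPLE_THREAD), ("php", SAMPLE_PHP)):
        print(name, triage(raw))
```

A result with `received_hops` of 0 means the copy being examined carries no `Received` lines, so the delivery path has to be read from the full message source or the mail server log instead.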

sjau 2nd July 2013 18:03

Well, my guess was an outdated Joomla installation... had one of those being abused a while back :)

mattltm 2nd July 2013 18:23

Good guess.

I have no idea how it's happening but it is getting some users very confused as they think it's coming from me!

till 2nd July 2013 19:06

Apache mod_security is a good way to protect outdated CMS systems from being abused, as it tests each HTTP request against a set of generic exploit rules.
