HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (
-   Installation/Configuration (
-   -   users getting spam emails from server (

mattltm 2nd July 2013 07:40

users getting spam emails from server
Some of my users have started receiving spam emails that look like they are coming from the mail server. They are addressed from someone@servername.mydomain.tld

Is there anything I can do to stop this?

sjau 2nd July 2013 10:36

you could add headers to check where it's sent from... it's probably a some php script that's getting abused.

mattltm 2nd July 2013 16:42

Add headers?

Do you mean check the headers on the email?

This is the email header:


Return-Path: <>
From: <HM@myserver.mydomain.tld>
To: <info@userdomain.tld>
Subject: ***SPAM***Tax Refund New Message Alert!
Date: Tue, 2 Jul 2013 03:32:01 +0100
Message-ID: <>
MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQFXOcqxYQyb3TjOkfCwYK4CVpWOYQ==

sjau 2nd July 2013 16:47

you can tell php to add a header that shows the script path of a php script that sent the email.

mattltm 2nd July 2013 16:48

Oh, right.

Do you have a link where I can find out how to do that?

sjau 2nd July 2013 16:49


Originally Posted by mattltm (Post 299330)
Oh, right.

Do you have a link where I can find out how to do that?

Google knows

mattltm 2nd July 2013 16:56

Lol. Thats great :rolleyes:

For anyone else who checks this thread and wants to know without wondering what google search string to use (a lot of results are for adding additional headers using the mail() function), it's the following line in your php.ini file:


;Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
mail.add_x_header = On

Mine is set to "On" so I guess this email is not coming from a script being abused on my server as it does not contain the "X-PHP-Originating-Script" string in the header.

Any other guesses as to where it's coming from and how to stop it?

sjau 2nd July 2013 17:03

Well, my guess was an outdated Joomla installation... had one of those being abused a while back :)

mattltm 2nd July 2013 17:23

Good guess.

I have no idea how it's happening but it is getting some users very confused as they think it's coming from me!

till 2nd July 2013 18:06

Apache mod_security is a good way to protect outdated cms systems from being abused as it tests each http request against a set of generic exploit rules.

All times are GMT +2. The time now is 12:20.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.