Email header x-ppp-vhost

Discussion in 'Installation/Configuration' started by mccharlet, Jan 18, 2017.

  1. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,
    I received a spam (but not tag by spammassassin) and i saw in the header this tag.
    This is very interesting, beacause this is the name of the corrupted website (and with the tag x-php-originating-script, the script to send the email)
    X-PPP-Vhost: lelaxxx.fr
    I tested in my server and i don't have this header.
    How to configure this header ?

    Best regards
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    After a couple minutes of searching I'd guess that's added by /usr/local/psa/handlers/hooks/py-limit-out on some version(s) of plesk panel - nothing to do with ISPConfig. I don't know much of how that "hook" fits in to the "php website sending email" picture, but looks like it hooks into the mail system.

    A quick way to implement that for PHP only would be to specify sendmail_path to point to a custom script you write which adds a similar header. This of course only works for PHP sites.

    If you wanted to implement something in the mail system (ie. of the local web server), you could try to get the uid that the website is running as then deduce which site it was via /etc/passwd, though that might not handle all vhost/alias scenarios 100%. The uid can be determined by mail from PHP scripts if you set mail.add_x_header (in the X-PHP-Originating-Script header), and I believe from the sending at the commandline by looking in the first Received header.

    Note that any sites/scripts that send direct via SMTP will bypass all of this, and you'd have to find other ways to track sites using perl, python, or ruby. But it should help with a lot of php sites using the default mail().
     
    mccharlet likes this.

Share This Page