Find spam sending PHP Scripts


On a development server there may be a malicious PHP script that sends spam. The mail logs give details such as who the sender is and which domain is used, but working out which script is sending these emails can be tricky. PHP can log every script that sends email, which makes it possible to find the spam-sending PHP scripts.

You can check your mail logs to find which domain is used for spamming:

[]#cat /var/log/maillog
Aug  8 19:01:07 myserver postfix/pickup[2324]: A58262E366: uid=48 from=<apache>
Aug  8 19:01:07 myserver postfix/cleanup[2674]: A58262E366: message-id=<20140808190107.A58262E366@myserver.localdomain>
Aug  8 19:01:07 myserver postfix/qmgr[10771]: A58262E366: from=<apache@myserver.localdomain>, size=1239, nrcpt=1 (queue act
Aug  8 19:01:08 myserver postfix/smtp[2676]: A58262E366: to=<>,[
7]:25, delay=0.64, delays=0.05/0.01/0.29/0.29, dsn=2.0.0, status=sent (250  <20140808190107.A58262E366@myserver.localdomain>
 Queued mail for delivery)

To find the spam-sending PHP scripts, enable mail logging in your PHP configuration:

mail.add_x_header = On
mail.log = /var/log/phpmail.log

Whenever someone sends email through PHP, an entry is created in the log file. Check your PHP mail log to find the script:

[]#cat /var/log/phpmail.log
mail() on [/var/www/html/mail.php:22]: To: -- Headers: From:
mail() on [/var/www/html/mail.php:193]: To: -- Headers: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes Content-Transfer-Encoding: 8Bit X-Mailer: Drupal Errors-To: Return-Path: Sender: From:
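
On a busy server the log is easier to read when it is summarised per script. The following is an added example, not part of the original post: it counts mail() calls per script file and lists the busiest first. The function names and the sample log lines are constructed, and the optional leading [timestamp] it accepts is an assumption about how other PHP versions write this log.

```shell
#!/bin/sh
# Added example: rank PHP scripts by the number of mail() calls in mail.log.

# Constructed sample entries in the format shown above (addresses are placeholders).
sample_log() {
    cat <<'EOF'
mail() on [/var/www/html/mail.php:22]: To: a@example.com -- Headers: From: web@example.com
[08-Aug-2014 19:01:07 UTC] mail() on [/var/www/html/mail.php:193]: To: b@example.com -- Headers: X-Mailer: Drupal
[08-Aug-2014 19:01:09 UTC] mail() on [/var/www/html/files/up.php:7]: To: c@example.org -- Headers: From: x@example.org
[08-Aug-2014 19:01:10 UTC] mail() on [/var/www/html/files/up.php:7]: To: d@example.org -- Headers: From: x@example.org
[08-Aug-2014 19:01:11 UTC] mail() on [/var/www/html/files/up.php:7]: To: e@example.org -- Headers: From: x@example.org
this line is not a mail() entry and is ignored
EOF
}

# top_mail_scripts [LOGFILE...]  (reads stdin when no file is given)
# Prints "COUNT PATH" per script, highest count first.
top_mail_scripts() {
    # Keep only the script path from "mail() on [path:line]"; the line number
    # is dropped so calls from different lines of one file are added together.
    # LC_ALL=C keeps sed and sort predictable on non-UTF-8 header bytes.
    LC_ALL=C sed -n \
        's/^\(\[[^]]*] \)\{0,1\}mail() on \[\([^]]*\):[0-9][0-9]*].*$/\2/p' "$@" |
        LC_ALL=C sort | uniq -c | LC_ALL=C sort -k1,1nr -k2 |
        sed 's/^ *//'
}

# Demo on the constructed sample; for real use:
#   top_mail_scripts /var/log/phpmail.log
sample_log | top_mail_scripts
```
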

For more information about PHP mail configuration you can visit