How can I enable the X-PHP-Originating-Script header to track what PHP scripts are sending out from the server using the PHP mail function?

In order for PHP to log what scripts are sending out from the server you must first set mail.add_x_header = On in all the php.ini files that are being used by the server.

1. Enable the mail.add_x_header in all of your PHP.ini files:

// turn on for the OS default php version if you have the base PHP packages installed
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /etc/php.ini

// turn on for all of the Plesk PHP versions
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /opt/plesk/php/*/etc/php.ini

// restart any PHP FPM instances
systemctl restart plesk-php73-fpm
systemctl restart plesk-php74-fpm
systemctl restart plesk-php80-fpm

2. Go to Warden -> Settings -> Filter Settings and change the Log template option from short to verbose.

3. Now you should see the X-PHP-Originating-Script header logged when clicking on the plus icon for a message entry that was sent out using PHP in the message log. It will log the UID of the user that ran the script and the script name.

Looking up the User from the X-PHP-Originating-Script Header

The X-PHP-Originating-Script header consists of the UID of the user and the script name:

X-PHP-Originating-Script: 10000:class.phpmailer.php

To find the vhost directory from a UID (replace the UID with the user ID that was logged):

grep UID /etc/passwd

5. To find the full path to a script (replace the path with the vhost directory from the UID and the php script name with the name of the script that was logged):

find /var/www/vhosts/ -type f -name "class.phpmailer.php"

Viewing the X-PHP-Originating-Script Header from the Queue

When viewing a message in the Warden queue, the PHP tab will lookup the local user information based off the X-PHP-Originating-Script header (if it exists) and search the vhost files for any matching script files with the same name.

Queue PHP

  • PHP, scripts, X-PHP-Originating-Script
  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

How can I change the interface language of the extension?

You can change the interface language under Settings -> Application Settings -> Locale...

Why isn't autolearning working for me (autolearn=no) ?

Lots of people seem to be confused by the "autolearn=no" statement in the default X-Spam-Status...

How can I disable admin email notifications in Amavis?

Amavis has different default options for controlling where virus, spam, banned file attachments,...

Where are the configuration files for Warden located?

Centos/RHEL/CloudLinux/AlmaLinux Configuration files: // amavis (Content Filter Settings)...

How can I override the score for a specific rule in Warden?

To Override a Rule Score Navigate to Warden -> Rules -> Click on Add then select the...