In order for PHP to log what scripts are sending out from the server you must first set mail.add_x_header = On in all the php.ini files that are being used by the server.
1. Enable the mail.add_x_header in all of your PHP.ini files:
// turn on for the OS default php version if you have the base PHP packages installed
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /etc/php.ini
// turn on for all of the Plesk PHP versions
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /opt/plesk/php/*/etc/php.ini
// restart any PHP FPM instances
systemctl restart plesk-php73-fpm
systemctl restart plesk-php74-fpm
systemctl restart plesk-php80-fpm
2. Go to Warden -> Settings -> Filter Settings and change the Log template option from short to verbose.
3. Now you should see the X-PHP-Originating-Script header logged when clicking on the plus icon for a message entry that was sent out using PHP in the message log. It will log the UID of the user that ran the script and the script name.
Looking up the User from the X-PHP-Originating-Script Header
The X-PHP-Originating-Script header consists of the UID of the user and the script name:
X-PHP-Originating-Script: 10000:class.phpmailer.php
To find the vhost directory from a UID (replace the UID with the user ID that was logged):
grep UID /etc/passwd
5. To find the full path to a script (replace the path with the vhost directory from the UID and the php script name with the name of the script that was logged):
find /var/www/vhosts/example.com/httpdocs -type f -name "class.phpmailer.php"
Viewing the X-PHP-Originating-Script Header from the Queue
When viewing a message in the Warden queue, the PHP tab will lookup the local user information based off the X-PHP-Originating-Script header (if it exists) and search the vhost files for any matching script files with the same name.