How can I enable the X-PHP-Originating-Script header to track what PHP scripts are sending out from the server using the PHP mail function?

In order for PHP to log what scripts are sending out from the server you must first set mail.add_x_header = On in all the php.ini files that are being used by the server.

1. Enable the mail.add_x_header in all of your PHP.ini files:

// turn on for the OS default php version if you have the base PHP packages installed
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /etc/php.ini

// turn on for all of the Plesk PHP versions
sed -i -e "s/^mail.add_x_header = Off/mail.add_x_header = On/" /opt/plesk/php/*/etc/php.ini

// restart any PHP FPM instances
systemctl restart plesk-php73-fpm
systemctl restart plesk-php74-fpm
systemctl restart plesk-php80-fpm

2. Go to Warden -> Settings -> Filter Settings and change the Log template option from short to verbose.

3. Now you should see the X-PHP-Originating-Script header logged when clicking on the plus icon for a message entry that was sent out using PHP in the message log. It will log the UID of the user that ran the script and the script name.

Looking up the User from the X-PHP-Originating-Script Header

The X-PHP-Originating-Script header consists of the UID of the user and the script name:

X-PHP-Originating-Script: 10000:class.phpmailer.php

To find the vhost directory from a UID (replace the UID with the user ID that was logged):

grep UID /etc/passwd

5. To find the full path to a script (replace the path with the vhost directory from the UID and the php script name with the name of the script that was logged):

find /var/www/vhosts/example.com/httpdocs -type f -name "class.phpmailer.php"

Viewing the X-PHP-Originating-Script Header from the Queue

When viewing a message in the Warden queue, the PHP tab will lookup the local user information based off the X-PHP-Originating-Script header (if it exists) and search the vhost files for any matching script files with the same name.

Queue PHP

  • PHP, scripts, X-PHP-Originating-Script
  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

How can I change the interface language of the extension?

You can change the interface language under Settings -> Application Settings -> Locale...

How can I disable admin email notifications in Amavis?

Amavis has different default options for controlling where virus, spam, banned file attachments,...

How can I whitelist or blacklist a mail server from greylisting?

To Whitelist a Mail Server From Greylisting Navigate to Warden -> Settings ->...

How can I enable third party anti-virus signatures within Warden to improve the ClamAV detection rate?

Warden supports enabling third party anti-virus signatures to improve the detection rate. These...

How can I setup a local caching DNS resolver to speed up DNS queries used by Amavis?

Run the following command to check if local DNS caching is enabled: host -tTXT...