Re: Does anyone know what generates these email headers?
> > X-PHP-Originating-Script: 48:class.phpmailer.php
>
> Yes, that's saying that the mail was sent from a call in class.mailer.php (I think on line 48).
> PhpMailer is a very common email construction and sending tool.

Argh... 48 is the UID of the process. RedHat linux types often have apache as UID 48, which would make sense.

> Anthony

--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11 1QR
Re: Does anyone know what generates these email headers?
> > The originating PHP script header helps people who run shared servers track down the source of problematic mail. The two most common cases are:
>
> Does this look valid?
>
> X-PHP-Originating-Script: 48:class.phpmailer.php

Yes, that's saying that the mail was sent from a call in class.mailer.php (I think on line 48).

PhpMailer is a very common email construction and sending tool.

Anthony
Re: Does anyone know what generates these email headers?
On Wed, Sep 08, 2021 at 06:17:49PM -0700, Loren Wilton wrote:
> > The originating PHP script header helps people who run shared servers
> > track down the source of problematic mail. The two most common cases are:
>
> Does this look valid?
>
> X-PHP-Originating-Script: 48:class.phpmailer.php
>
> Just looking at a dozen or so of the spams I've gotten in the last couple
> days that match this pattern, they all have an x-originating-spam-status
> of -2.9, which makes me a little suspicious that that header is faked. Maybe
> the others are too.

class.phpmailer.php means the email has been sent by PHPMailer, one of the most popular classes used to send emails using PHP.

48 is the uid of the user that sent that email, one more piece of info useful to track down a compromised account on shared hosting.

As-is, it's neither a spam nor a ham sign.

If x-originating-spam-status always has the same value, it's suspect anyway.

Giovanni
Re: Does anyone know what generates these email headers?
> The originating PHP script header helps people who run shared servers track down the source of problematic mail. The two most common cases are:

Does this look valid?

X-PHP-Originating-Script: 48:class.phpmailer.php

Just looking at a dozen or so of the spams I've gotten in the last couple days that match this pattern, they all have an x-originating-spam-status of -2.9, which makes me a little suspicious that that header is faked. Maybe the others are too.

Loren
Re: Does anyone know what generates these email headers?
The originating PHP script header helps people who run shared servers track down the source of problematic mail. The two most common cases are:

- A contact form with poor security and the option to send a copy to the "commenter". Hackers find these and flood them.
- A completely compromised site with some mailer script buried down in a folder that shouldn't have code (typically some image path).

Both give a quick indication of which account needs to be suspended and what the best course for remediation should be from there.

In cPanel, the X-OutGoing-Spam-Status header is generated by hosts who run SpamAssassin on outbound mail. As it's easily forged it's kind of useless on the receiving side (and until a few months back was actually scoring 0.2 on incoming) but it's generated by cPanel with no option to disable it. It might also serve as a useful diagnostic for hosts trying to figure out how the heck an obvious spam message managed to get sent: if it's not there, then the message was sent by a nonstandard MTA.

On 2021-09-08 18:40, Bert Van de Poel wrote:
> By default any PHP script that's sending an email will contain X-PHP-Originating-Script on several Linux distros, even though it's not the official default (see https://www.php.net/manual/en/mail.configuration.php , one of the first Google results). It's a pretty common occurrence to see that header in automated emails of all kinds (e.g. registration confirmation emails, notifications, login link emails). Alone it's a sign of neither spam nor ham, but combined with other things it can be interesting.
>
> The others don't ring a bell for me.
>
> Bert
>
> On 8/09/2021 23:27, Loren Wilton wrote:
> > I'm getting a lot of mails with some very curious headers in them. I tried searching with Google, and it has never heard of many of these strings. Does anyone recognize what might be generating these headers?
> >
> > X-EOPTenantAttributedMessage
> > X-EmailAdvisor
> > X-Mxtb-Transitionid
> > X-MG-Subscriptionuid
> > X-PHP-Originating-Script
> > X-EmailTransmit-type
> > CMM-X-SID-Result
> > CMM-X-AUTH-Result
> > CMM-X-Message-Status
> > X-OutGoing-Spam-Status
> > X-EmailTransmit-aid
> > X-rext
> >
> > Thanks!
> >
> > Loren

--
For SpamAsassin Users List
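An added example, not part of any post in this thread: one way a host could tally its own outbound mail by the `uid:script` value that the replies above describe, to see which account to look at first. The sample messages, the uid 1004, the script name `mailer.php` and the uid-to-account map are all constructed for illustration.

```python
import email
import re
from collections import Counter

# Constructed sample: raw messages as a host might read them from its own
# outbound queue. Addresses, uids and script names are made up.
def _msg(origin=None):
    head = "From: web@example.test\nTo: user@example.net\nSubject: hi\n"
    if origin is not None:
        head += f"X-PHP-Originating-Script: {origin}\n"
    return head + "\nbody\n"

SAMPLE_QUEUE = [
    _msg("48:class.phpmailer.php"),
    _msg("1004:mailer.php"),
    _msg("1004:mailer.php"),
    _msg("1004:mailer.php"),
    _msg(),                        # header absent
    _msg("class.phpmailer.php"),   # malformed: uid part missing
]

# Hypothetical uid -> hosting account map (on a real host, from the passwd database).
UID_TO_ACCOUNT = {48: "apache", 1004: "site-alpha"}

ORIGIN_RE = re.compile(r"([0-9]+):(.+)")

def parse_origin(raw):
    """Return (uid, script) from X-PHP-Originating-Script, else None."""
    value = email.message_from_string(raw).get("X-PHP-Originating-Script")
    match = ORIGIN_RE.fullmatch(value.strip()) if value else None
    return (int(match.group(1)), match.group(2)) if match else None

def tally(queue):
    """Count messages per (uid, script); also count those with no usable header."""
    counts, unattributed = Counter(), 0
    for raw in queue:
        origin = parse_origin(raw)
        if origin is None:
            unattributed += 1
        else:
            counts[origin] += 1
    return counts, unattributed

def report(queue):
    """Rows of (account, script, messages), busiest sender first."""
    counts, unattributed = tally(queue)
    rows = [(UID_TO_ACCOUNT.get(uid, f"uid {uid}"), script, n)
            for (uid, script), n in counts.most_common()]
    return rows, unattributed

if __name__ == "__main__":
    for row in report(SAMPLE_QUEUE)[0]:
        print(*row, sep="\t")
```
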
Re: Does anyone know what generates these email headers?
By default any PHP script that's sending an email will contain X-PHP-Originating-Script on several Linux distros, even though it's not the official default (see https://www.php.net/manual/en/mail.configuration.php , one of the first Google results). It's a pretty common occurrence to see that header in automated emails of all kinds (e.g. registration confirmation emails, notifications, login link emails). Alone it's a sign of neither spam nor ham, but combined with other things it can be interesting.

The others don't ring a bell for me.

Bert

On 8/09/2021 23:27, Loren Wilton wrote:
> I'm getting a lot of mails with some very curious headers in them. I tried searching with Google, and it has never heard of many of these strings. Does anyone recognize what might be generating these headers?
>
> X-EOPTenantAttributedMessage
> X-EmailAdvisor
> X-Mxtb-Transitionid
> X-MG-Subscriptionuid
> X-PHP-Originating-Script
> X-EmailTransmit-type
> CMM-X-SID-Result
> CMM-X-AUTH-Result
> CMM-X-Message-Status
> X-OutGoing-Spam-Status
> X-EmailTransmit-aid
> X-rext
>
> Thanks!
>
> Loren
Does anyone know what generates these email headers?
I'm getting a lot of mails with some very curious headers in them. I tried searching with Google, and it has never heard of many of these strings. Does anyone recognize what might be generating these headers?

X-EOPTenantAttributedMessage
X-EmailAdvisor
X-Mxtb-Transitionid
X-MG-Subscriptionuid
X-PHP-Originating-Script
X-EmailTransmit-type
CMM-X-SID-Result
CMM-X-AUTH-Result
CMM-X-Message-Status
X-OutGoing-Spam-Status
X-EmailTransmit-aid
X-rext

Thanks!

Loren