The originating PHP script header helps people who run shared servers track down the source of problematic mail. The two most common cases are:

- A contact form with poor security and the option to send a copy to the "commenter". Hackers find these and flood them.

- A completely compromised site with some mailer script buried down in a folder that shouldn't have code (typically some image path).

Both give a quick indication of which account needs to be suspended and what the best course for remediation should be from there.

In cPanel, the X-OutGoing-Spam-Status header is generated by hosts who run SpamAssassin on outbound mail. As it's easily forged it's kind of useless on the receiving side (and until a few months back was actually scoring 0.2 on incoming) but it's generated by cPanel with no option to disable it. It might also serve as a useful diagnostic for hosts trying to figure out how the heck an obvious spam message managed to get sent: if it's not there, then the message was sent by a nonstandard MTA.

On 2021-09-08 18:40, Bert Van de Poel wrote:
By default any PHP script that's sending an email will contain X-PHP-Originating-Script on several Linux distros, even though it's not the official default (see https://www.php.net/manual/en/mail.configuration.php, one of the first Google results). It's a pretty common occurrence to see that header in automated emails of all kinds (e.g. registration confirmation emails, notifications, login link emails). Alone it's a sign of neither spam nor ham, but combined with other things it can be interesting. The others don't ring a bell for me.

Bert

On 8/09/2021 23:27, Loren Wilton wrote:
I'm getting a lot of mails with some very curious headers in them.
I tried searching with Google, and it has never heard of many of these strings.
Does anyone recognize what might be generating these headers?

X-EOPTenantAttributedMessage
X-EmailAdvisor
X-Mxtb-Transitionid
X-MG-Subscriptionuid
X-PHP-Originating-Script
X-EmailTransmit-type
CMM-X-SID-Result
CMM-X-AUTH-Result
CMM-X-Message-Status
X-OutGoing-Spam-Status
X-EmailTransmit-aid
X-rext

Thanks!

       Loren
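
The host-side triage described in the first message of this thread, as an added example that is not part of any poster's message: it tallies a host's own outbound messages by the `uid:filename` value PHP writes into X-PHP-Originating-Script, and lists messages lacking X-OutGoing-Spam-Status. The sample messages, UIDs and script names are constructed, and `triage` is a hypothetical helper name.

```python
from collections import Counter
from email import message_from_string

# Constructed sample outbound messages (headers only); all values are made up.
SAMPLES = [
    "From: a@example.com\nX-PHP-Originating-Script: 1001:contact.php\n"
    "X-OutGoing-Spam-Status: No, score=0.1\n\nbody",
    "From: a@example.com\nX-PHP-Originating-Script: 1001:contact.php\n"
    "X-OutGoing-Spam-Status: No, score=0.3\n\nbody",
    "From: b@example.com\nX-PHP-Originating-Script: 1002:notify.php\n"
    "X-OutGoing-Spam-Status: No, score=0.0\n\nbody",
    # No outbound scan header: did not pass through the scanning MTA.
    "From: c@example.com\nX-PHP-Originating-Script: 1003:img.php\n\nbody",
    # Value not in uid:filename form: keep it for manual review.
    "From: d@example.com\nX-PHP-Originating-Script: garbage\n"
    "X-OutGoing-Spam-Status: Yes, score=7.2\n\nbody",
]

def triage(raw_messages):
    """Return (counts per (uid, script), indexes with no outbound scan
    header, indexes whose originating-script value could not be parsed)."""
    by_source = Counter()
    no_outbound_scan = []
    unparsed = []
    for idx, raw in enumerate(raw_messages):
        msg = message_from_string(raw)
        if msg.get("X-OutGoing-Spam-Status") is None:
            no_outbound_scan.append(idx)
        value = msg.get("X-PHP-Originating-Script")
        if value is None:
            continue  # not sent through PHP mail(), or header disabled
        uid, sep, script = value.strip().partition(":")
        if sep and uid.isdigit() and script:
            by_source[(int(uid), script)] += 1
        else:
            unparsed.append(idx)
    return by_source, no_outbound_scan, unparsed

if __name__ == "__main__":
    counts, unscanned, odd = triage(SAMPLES)
    for (uid, script), n in counts.most_common():
        print(f"uid={uid} script={script} messages={n}")
    print("no X-OutGoing-Spam-Status:", unscanned)
    print("unparsed X-PHP-Originating-Script:", odd)
```

The UID maps to the account on the sending host; the header carries only the script's filename, so locating the file on disk is a separate step.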

