How can I prevent X-Source and X-PHP-Script email headers?


michaelv8
Asked:
2012-02-06 5:20 pm EST

Hits: 7,377
Hi,
Recently I noticed that all the mails sent via my website include a lot of headers that look like a (potential) security risk to me. You can find the full header below; the tags that concern me are: X-PHP-Script, X-Source, X-Source-Args, X-Source-Dir
These tags include the full path of my home folder, the path to the PHP binary, etc.

How can I remove/change these headers?

Thanks in advance!

Kind regards,
Michael

X-PHP-Script: www.my-website.com/index.php for 12.34.56.78
From: My Website
Reply-To: My Website
Date: Sun, 05 Feb 2012 11:30:15 +0100
X-LibVersion: 3.3.2
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Message-ID:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ecbiz115.inmotionhosting.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1645 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - ecbiz115.inmotionhosting.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/my_username/public_html/index.php
X-Source-Dir: my-website.com:/public_html

Best answer chosen by User

0

BradM
Staff
5,388 Points
2012-02-06 5:44 pm EST
Hi michaelv8,

I was aware of those headers, but wasn't exactly sure what they were or why they were there. After some research, it appears that those headers are added by the server to help document where the email is originating from. For example, if a user's account was compromised and someone was sending large amounts of spam from PHP, you could look at the email headers to determine where on the server the email was originating from.

What is adding the X-Source and X-PHP-Script headers?
If you're using the PHP mail() function, those headers are automatically added by our server. If you use a class, such as phpMailer, those headers are not actually sent.

Can I disable these headers / what is the solution?
For security purposes, we have enabled these headers to help track down spam originating from our servers. Because of this, the headers will not be toggled on/off on the shared platform. If you are on a VPS or Dedicated server, you can contact our Support Department and request to have this feature disabled for your server.

If you are on the shared environment and are worried about these headers, we suggest that you look into using something other than the PHP mail() function to send email. If you are using third-party software, such as WordPress or Joomla, usually they have an option to change how email is sent from the server (the alternative would be to send email using "SMTP Authentication"). If you are writing the code yourself, you can reference the phpMailer link above to learn more on using the phpMailer class. If you have any questions on how to use it, please feel free to ask!

I hope this helps! Please let us know if we can assist further.

Thanks!
- Brad

But doesn't phpMailer use the mail() function?
jghomestead
3 Points
2013-03-22 4:29 pm EST
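
To confirm whether a delivered message still carries the headers discussed in this thread (for example after changing how a site sends mail), the check below parses a raw message and reports what each of the four headers discloses. It is an added example, not code from the thread or from the host; the function name `audit_headers` is hypothetical and the sample message is constructed from the dump in the question, using documentation-only domain and IP values.

```python
import re
from email import message_from_string

# The four headers named in the question.
LEAKY = ("X-PHP-Script", "X-Source", "X-Source-Args", "X-Source-Dir")

# Constructed sample modelled on the header dump in the question
# (documentation domain and IP; not a real message).
SAMPLE = """\
X-PHP-Script: www.example.com/index.php for 192.0.2.10
From: My Website <noreply@example.com>
Subject: test
X-AntiAbuse: Originator/Caller UID/GID - [1645 32007] / [47 12]
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/my_username/public_html/index.php
X-Source-Dir: example.com:/public_html

body
"""

def audit_headers(raw):
    """List each leaky header present and what its value discloses."""
    msg = message_from_string(raw)
    findings = []
    for name in LEAKY:
        for value in msg.get_all(name, []):
            value = " ".join(value.split())  # unfold continuation lines
            # Account name, taken from a /home/<name>/ path component.
            user = re.search(r"/home/([^/\s]+)", value)
            # Requesting client address, as in "<script> for <ip>".
            ip = re.search(r"\bfor (\d{1,3}(?:\.\d{1,3}){3})$", value)
            findings.append({
                "header": name,
                "value": value,
                # Absolute filesystem paths (tokens beginning with "/").
                "paths": [t for t in re.split(r"[\s:]+", value)
                          if t.startswith("/")],
                "account": user.group(1) if user else None,
                "client_ip": ip.group(1) if ip else None,
            })
    return findings

if __name__ == "__main__":
    for f in audit_headers(SAMPLE):
        print(f"{f['header']}: paths={f['paths']} "
              f"account={f['account']} client_ip={f['client_ip']}")
```

An empty result for a test message sent to yourself means none of the four headers were added on that sending path.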