InMotion Hosting Support Center

How can I prevent X-Source and X-PHP-Script email headers?

2012-02-06 5:20 pm EST

Hits: 12,943
Recently I noticed that all the mails sent via my website include a lot of headers that look like a (potential) security risk to me. You can find the full header below, the tags that concern me are: X-PHP-Script, X-Source, X-Source-Args, X-Source-Dir
These tags include the full path of my home folder, path to php binary etc.

How can I remove/change these headers?

Thanks in advance!

Kind regards,

X-PHP-Script: for
From: My Website
Reply-To: My Website
Date: Sun, 05 Feb 2012 11:30:15 +0100
X-LibVersion: 3.3.2
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname -
X-AntiAbuse: Original Domain -
X-AntiAbuse: Originator/Caller UID/GID - [1645 32007] / [47 12]
X-AntiAbuse: Sender Address Domain -
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/my_username/public_html/index.php

You must login before you can ask a follow up question.

You must login before you can submit an answer.

Best answer chosen by User


5,399 Points
2012-02-06 5:44 pm EST
Hi michaelv8,

I was aware of those headers, but wasn't exactly sure what or why they were there. After some research, it appears that those headers are added by the server to help document where the email is originating from. For example, if a user's account was compromised and someone was sending large amounts of spam from PHP, you could look at the email headers to determine where on the server the email was originating from.

<strong>What is adding the X-Source and X-PHP-Script headers?</strong>
If you're using the php mail() function, those headers are automatically added by our server. If you use a class, such as <a href='' target='_blank'>phpMailer</a>, those headers are not actually sent.

<strong>Can I disable these headers / what is the solution?</strong>
For security purposes, we have enabled these headers to help track down spam originating from our servers. Because of this, the headers will not be toggled on/off on the shared platform. If you are on a VPS or Dedicated server, you can <a href='' target='_blank'>contact our Support Department</a> and request to have this feature disabled for your server.

If you are on the shared environment and are worried about these headers, we suggest that you look into using something other than the php mail() function to send email. If you are using 3rd party software, such as WordPress or Joomla, usually they have an option to change how email is sent from the server (the alternative would be to send email using "SMTP Authentication"). If you are writing the code yourself, you can reference the phpMailer link above to learn more on using the phpMailer class. If you have any questions on how to use it, please feel free to ask!

I hope this helps! Please let us know if we can assist further.

- Brad

You must login before you can post a comment about this answer.

But doesn't phpMailer use the mail() function?
3 Points
2013-03-22 4:29 pm EST



2015-06-22 5:12 am EST

I have 100% solution for disable X-AntiAbuse and X-Get-Message-Sender.

Step 1: Login as ROOT with PuTTY
Step 2: type nano /etc/


Step 3: Press Enter, After open file. Click CTRL+W for search.


Step 4: Type "Abuse" and press enter to search.
Step 5: Then you can see X-AntiAbuse Headers like below..


Step 6: Just add a line above "my $headers = " like bellow and change old "my $headers = .." to "my $headers_clear = .."

Change and Add like below

my $headers = "";
my $headers_clear =


Step 7: After done, above like, Press CTRL+X for save and Press "Y" for Confirm after finally press "Enter" for Save and Exit.

Now, Try a Test Email. Where No X-AntiAbuse Headers.

Result like:

You must login before you can post a comment about this answer.

Isn't that gonna cause some email provider/recipients to reject your email due to the "anti-spam" headers being missing? I understand about not wanting the "X-Source-Args" and other items that list private information.
25 Points
2016-04-06 12:22 pm EST
Hello Kleehsupport,

I've never heard of emails being rejected because that information was missing. There are other values such as SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) , or PTR/ RDNS (Pointer/reverse DNS) are used to help stop Spoofing and Spamming. Of these, I've only seen mail refused due to bad or missing PTR or rDNS values. Bear in mind that there are some email servers and administrators who require these values, in order for mail to be sent. It will vary from organization to organization.

I hope this helps to answer your question, please let us know if you require any further assistance.

Arnel C.
40,745 Points
2016-04-06 1:32 pm EST
Like this Question?

Support Center Login

Our Login page has moved, Click the button below to be taken to the login page.

Social Media Login

Social Login Joomla

Need more Help?


Ask the Community!

Get help with your questions from our community of like-minded hosting users and InMotion Hosting Staff.

Current Customers

Chat: Click to Chat Now E-mail:
Call: 888-321-HOST (4678) Ticket: Submit a Support Ticket

Not a Customer?

Get web hosting from a company that is here to help. Sign up today!