How can I prevent X-Source and X-PHP-Script email headers?

Hi,
Recently I noticed that all the mails sent via my website include a lot of headers that look like a (potential) security risk to me. You can find the full header below, the tags that concern me are: X-PHP-Script, X-Source, X-Source-Args, X-Source-Dir
These tags include the full path of my home folder, path to php binary etc.

How can I remove/change these headers?

Thanks in advance!

Kind regards,
Michael

X-PHP-Script: www.my-website.com/index.php for 12.34.56.78
From: My Website
Reply-To: My Website
Date: Sun, 05 Feb 2012 11:30:15 +0100
X-LibVersion: 3.3.2
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Message-ID:
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ecbiz115.inmotionhosting.com
X-AntiAbuse: Original Domain - gmail.com
X-AntiAbuse: Originator/Caller UID/GID - [1645 32007] / [47 12]
X-AntiAbuse: Sender Address Domain - ecbiz115.inmotionhosting.com
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/my_username/public_html/index.php
X-Source-Dir: my-website.com:/public_html
BradM
Hi michaelv8,

I was aware of those headers, but wasn't exactly sure what or why they were there. After some research, it appears that those headers are added by the server to help document where the email is originating from. For example, if a user's account was compromised and someone was sending large amounts of spam from PHP, you could look at the email headers to determine where on the server the email was originating from.

What is adding the X-Source and X-PHP-Script headers?

If you're using the php mail() function, those headers are automatically added by our server. If you use a class, such as phpMailer, those headers are not actually sent.

Can I disable these headers / what is the solution?

For security purposes, we have enabled these headers to help track down spam originating from our servers. Because of this, the headers will not be toggled on/off on the shared platform. If you are on a VPS or Dedicated server, you can contact our Support Department and request to have this feature disabled for your server.

If you are on the shared environment and are worried about these headers, we suggest that you look into using something other than the php mail() function to send email. If you are using 3rd party software, such as WordPress or Joomla, usually they have an option to change how email is sent from the server (the alternative would be to send email using "SMTP Authentication"). If you are writing the code yourself, you can reference the phpMailer link above to learn more on using the phpMailer class. If you have any questions on how to use it, please feel free to ask!

I hope this helps! Please let us know if we can assist further.

Thanks!
- Brad
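To confirm that a switch from mail() to authenticated SMTP actually removed the headers, the raw source of a received test message can be audited. The following is an added example, not part of the original thread or the host's tooling; the function name `audit_headers` and both sample messages are constructed for illustration (the first reuses the header values shown in the question).

```python
import re
from email import message_from_string

# Headers the question identifies as disclosing server-side details.
DISCLOSING = ("X-PHP-Script", "X-Source", "X-Source-Args", "X-Source-Dir")

HOME_USER = re.compile(r"/home/([^/\s]+)")                   # account name in a home path
ABS_PATH = re.compile(r"(?<![\w.])/(?:[\w.\-]+/)*[\w.\-]+")  # filesystem-style path
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")            # visitor address

# Constructed sample: header values as shown in the question (sent via mail()).
SAMPLE_MAIL_FUNCTION = "\n".join([
    "X-PHP-Script: www.my-website.com/index.php for 12.34.56.78",
    "From: My Website",
    "MIME-Version: 1.0",
    "X-Source: /usr/bin/php",
    "X-Source-Args: /usr/bin/php /home/my_username/public_html/index.php",
    "X-Source-Dir: my-website.com:/public_html",
    "",
    "body",
])

# Constructed sample: a message relayed over authenticated SMTP instead.
SAMPLE_SMTP = "\n".join([
    "From: My Website",
    "MIME-Version: 1.0",
    "Subject: test",
    "",
    "body",
])

def audit_headers(raw_message):
    """Return one finding per disclosing header present in the raw message."""
    msg = message_from_string(raw_message)
    findings = []
    for name in DISCLOSING:
        for value in msg.get_all(name, []):
            findings.append({
                "header": name,
                "users": HOME_USER.findall(value),   # hosting account names
                "paths": ABS_PATH.findall(value),    # binaries, scripts, directories
                "ips": IPV4.findall(value),          # visitor IP recorded by the server
            })
    return findings

if __name__ == "__main__":
    for label, raw in (("mail()", SAMPLE_MAIL_FUNCTION), ("SMTP", SAMPLE_SMTP)):
        print(label, audit_headers(raw) or "no disclosing headers")
```

An empty result for the SMTP-sent test message means none of the four headers from the question reached the recipient.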