How to track mail from PHP when run as nobody?

Problem:

One of the biggest problems with shared hosting is that PHP runs as the web server user rather than the user assigned in the virtualhost (unless your running PHP as CGI). This is a huge problem because when a site is compromised and a attacker is using your server to spam it can be very difficult to track down what site/script/page is causing the problem.

Solution:

The solution is a patch located at http://choon.net/php-mail-header.php. It modifies php’s mail.c file so that when the mail function is called from the web that it stores the following information.

X-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.1

in the headers so that when a spam report does come in, you can easily track where it came from.

Below is a how to for cPanel servers that shows how you can implement this patch.

Run the following as root:

PHP Code:
mkdir -p /var/cpanel/buildapache/scripts
cat >> phppost << EOF
#AUTO PATCH FROM http://choon.net/php-mail-header.php
PHPVER=`find -type d -iname "php-*"|sed "s/.///g"`
wget http://choon.net/opensource/php/$PHPVER-mail-header.patch
patch -p0 < $PHPVER-mail-header.patch
EOF

Once that’s done, run

PHP Code:
/scripts/easyapache

like you normally would.