Problem: Tracking Spam Emails on Shared Hosting
One of the biggest challenges with shared hosting is that PHP runs under the web server user instead of the actual account owner (unless PHP is running as CGI or using suPHP).
This creates a significant problem when a website is compromised and used for spamming. Since all emails originate from the same server user, it becomes difficult to track down which website, script, or page is responsible.
Solution: Add PHP Mail Headers for Better Tracking
A simple solution to this issue is applying a patch that modifies PHP’s mail.c file. This patch adds an X-PHP-Script header, which records the exact script location from which an email originates.
For example, when an email is sent, the header will contain:
X-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.1
This information allows you to quickly track down spam sources and take necessary action.
How to Apply the PHP Mail Header Patch on cPanel Servers
Follow these steps to implement the patch on a cPanel server:
Step 1: Create a Patch Script
Run the following commands as the root user:
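mkdir -p /var/cpanel/buildapache/scripts
#Quoted 'EOF' stops the shell from expanding the backticks and $PHPVER while the file is written
cat >> /var/cpanel/buildapache/scripts/phppost << 'EOF'
#AUTO PATCH FROM http://choon.net/php-mail-header.php
#The patch is fetched over plain HTTP; review it before building
PHPVER=`find . -type d -iname "php-*" | sed 's|^\./||'`
wget http://choon.net/opensource/php/$PHPVER-mail-header.patch
patch -p0 < $PHPVER-mail-header.patch
EOF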
Step 2: Rebuild Apache with EasyApache
Once the patch script is created, rebuild Apache using EasyApache:
/scripts/easyapache
This will compile PHP with the new mail header patch, allowing you to track the source of emails sent via PHP’s mail function.
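Once messages carry the header, a short script can rank the sending scripts by volume. The following is an added example, not part of the patch or the original article: the sample messages are constructed, the function names are hypothetical, and treating a message with more than one X-PHP-Script header as ambiguous is an assumption of this example.

```python
import email
from collections import Counter

# Constructed sample messages (not real traffic), using the header format shown above.
SAMPLE_MESSAGES = [
    "From: a@example.com\nX-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.1\nSubject: hi\n\nbody\n",
    "From: b@example.com\nX-PHP-Script: www.example.com/~user/testapp/send-mail.php for 10.0.0.2\n\nbody\n",
    "From: c@example.com\nX-PHP-Script: shop.example.net/contact.php for 10.0.0.1\n\nbody\n",
    "From: d@example.com\nSubject: no tracking header\n\nbody\n",
    # Two tracking headers in one message: counted as ambiguous, not attributed.
    "From: e@example.com\nX-PHP-Script: shop.example.net/contact.php for 10.0.0.9\n"
    "X-PHP-Script: www.example.org/ok.php for 10.0.0.3\n\nbody\n",
]


def parse_x_php_script(value):
    """Split '<host/path> for <client>' into (script, client); None if malformed."""
    value = " ".join(value.split())  # undo header folding and stray whitespace
    script, sep, client = value.rpartition(" for ")
    if not sep or not script or not client:
        return None
    return script, client


def tally_senders(raw_messages):
    """Count messages per originating script and per client address."""
    scripts, clients = Counter(), Counter()
    untagged = ambiguous = 0
    for raw in raw_messages:
        values = email.message_from_string(raw).get_all("X-PHP-Script") or []
        if len(values) > 1:
            ambiguous += 1  # assumption: patched PHP adds exactly one header
            continue
        parsed = parse_x_php_script(values[0]) if values else None
        if parsed is None:
            untagged += 1  # header missing or not in the expected format
            continue
        scripts[parsed[0]] += 1
        clients[parsed[1]] += 1
    return {"scripts": scripts, "clients": clients,
            "untagged": untagged, "ambiguous": ambiguous}


if __name__ == "__main__":
    report = tally_senders(SAMPLE_MESSAGES)
    for script, count in report["scripts"].most_common():
        print(f"{count:5d}  {script}")
    print("untagged:", report["untagged"], "ambiguous:", report["ambiguous"])
```

Feed it the raw text of queued or bounced messages; the script with the highest count is the first place to look.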
Additional Security Tips
- Enable suPHP: Run PHP scripts under individual user accounts instead of the shared web server user.
- Use SMTP Authentication: Prevent unauthorized email sending by requiring authentication for outgoing mail.
- Monitor Email Logs: Regularly check /var/log/exim_mainlog for unusual email activity.
- Limit PHP Mail Usage: Restrict the number of emails a single account can send per hour in cPanel’s Exim configuration.
Need Secure Web Hosting? Choose UnderHost!
If you’re running a website on shared hosting and want better security, consider switching to a Cloud VPS or Dedicated Server for full control over mail functions and security patches.
Get expert support anytime at UnderHost Customer Panel.