Posted to users@spamassassin.apache.org by Loren Wilton <lw...@earthlink.net> on 2021/09/08 21:27:24 UTC

Does anyone know what generates these email headers?

I'm getting a lot of mails with some very curious headers in them.
I tried searching with Google, and it has never heard of many of these 
strings.
Does anyone recognize what might be generating these headers?

X-EOPTenantAttributedMessage
X-EmailAdvisor
X-Mxtb-Transitionid
X-MG-Subscriptionuid
X-PHP-Originating-Script
X-EmailTransmit-type
CMM-X-SID-Result
CMM-X-AUTH-Result
CMM-X-Message-Status
X-OutGoing-Spam-Status
X-EmailTransmit-aid
X-rext

Thanks!

        Loren


---
This email has been checked for viruses by AVG.
https://www.avg.com


Re: Does anyone know what generates these email headers?

Posted by Anthony Cartmell <li...@fonant.com>.
 > > X-PHP-Originating-Script: 48:class.phpmailer.php
 >
 > Yes, that's saying that the mail was sent from a call in
 > class.mailer.php (I think on line 48).
 > PhpMailer is a very common email construction and sending tool.


Argh... 48 is the UID of the process. Red Hat Linux types often have apache 
as UID 48, which would make sense.
 > Anthony
-- 
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11 
1QR

Re: Does anyone know what generates these email headers?

Posted by Anthony Cartmell <li...@fonant.com>.
 > > The originating PHP script header helps people who run shared servers
 > > track down the source of problematic mail. The two most common cases are:
 >
 > Does this look valid?
 >
 > X-PHP-Originating-Script: 48:class.phpmailer.php

Yes, that's saying that the mail was sent from a call in class.mailer.php 
(I think on line 48).
PhpMailer is a very common email construction and sending tool.

Anthony

Re: Does anyone know what generates these email headers?

Posted by Giovanni Bechis <gi...@paclan.it>.
On Wed, Sep 08, 2021 at 06:17:49PM -0700, Loren Wilton wrote:
> > The originating PHP script header helps people who run shared servers 
> > track down the source of problematic mail. The two most common cases are:
> 
> Does this look valid?
> 
>     X-PHP-Originating-Script: 48:class.phpmailer.php
> 
> Just looking at a dozen or so of the spams I've gotten in the last couple 
> days that match this pattern, they all have an x-originating-spam-status 
> of -2.9, which makes me a little suspicious that that header is faked. Maybe 
> the others are too.
> 
class.phpmailer.php means the email has been sent by PHPMailer, one of
the most popular classes used to send emails using PHP.
48 is the uid of the user that sent that email, one more piece of info
useful to track down a compromised account on shared hosting.
As-is it's not a spam nor a ham sign.

If x-originating-spam-status always has the same value it's suspect
anyway.

 Giovanni

Re: Does anyone know what generates these email headers?

Posted by Loren Wilton <lw...@earthlink.net>.
> The originating PHP script header helps people who run shared servers 
> track down the source of problematic mail. The two most common cases are:

Does this look valid?

    X-PHP-Originating-Script: 48:class.phpmailer.php

Just looking at a dozen or so of the spams I've gotten in the last couple 
days that match this pattern, they all have an x-originating-spam-status 
of -2.9, which makes me a little suspicious that that header is faked. Maybe 
the others are too.

        Loren




Re: Does anyone know what generates these email headers?

Posted by Alan <sp...@ambitonline.com>.
The originating PHP script header helps people who run shared servers 
track down the source of problematic mail. The two most common cases are:

- A contact form with poor security and the option to send a copy to the 
"commenter". Hackers find these and flood them.

- A completely compromised site with some mailer script buried down in a 
folder that shouldn't have code (typically some image path).

Both give a quick indication of which account needs to be suspended and 
what the best course for remediation should be from there.

In cPanel, the X-OutGoing-Spam-Status header is generated by hosts who 
run SpamAssassin on outbound mail. As it's easily forged it's kind of 
useless on the receiving side (and until a few months back was actually 
scoring 0.2 on incoming) but it's generated by cPanel with no option to 
disable it. It might also serve as a useful diagnostic for hosts trying 
to figure out how the heck an obvious spam message managed to get sent: 
if it's not there, then the message was sent by a nonstandard MTA.

On 2021-09-08 18:40, Bert Van de Poel wrote:
> By default any PHP script that's sending an email will contain 
> X-PHP-Originating-Script on several Linux distros, even though it's 
> not the official default (see 
> https://www.php.net/manual/en/mail.configuration.php , one of the 
> first Google results). It's a pretty common occurrence to see that 
> header in automated emails of all kinds (e.g. registration 
> confirmation emails, notifications, login link emails). Alone it's 
> neither a sign of spam nor of ham, but combined with other things it can be 
> interesting. The others don't ring a bell for me.
>
> Bert
>
> On 8/09/2021 23:27, Loren Wilton wrote:
>> I'm getting a lot of mails with some very curious headers in them.
>> I tried searching with Google, and it has never heard of many of 
>> these strings.
>> Does anyone recognize what might be generating these headers?
>>
>> X-EOPTenantAttributedMessage
>> X-EmailAdvisor
>> X-Mxtb-Transitionid
>> X-MG-Subscriptionuid
>> X-PHP-Originating-Script
>> X-EmailTransmit-type
>> CMM-X-SID-Result
>> CMM-X-AUTH-Result
>> CMM-X-Message-Status
>> X-OutGoing-Spam-Status
>> X-EmailTransmit-aid
>> X-rext
>>
>> Thanks!
>>
>>        Loren
>
--
For SpamAssassin Users List
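
An added example, not part of any post in this thread: a host-side tally of outbound mail by the uid:script pair in X-PHP-Originating-Script, the way a shared-hosting operator would use the header to find the account to suspend. The sample messages, UID 1004 and the script name send.php are constructed for illustration, and the tally is meant for mail taken from the host's own outbound queue, since on received mail the header is whatever the sender chose to put there.

```python
import email
from collections import Counter

# Constructed sample messages for illustration; the addresses, the UID 1004
# and the script name send.php are made up, not taken from the thread.
SAMPLE_MESSAGES = [
    "From: shop@example.test\nSubject: Order\n"
    "X-PHP-Originating-Script: 48:class.phpmailer.php\n\nbody\n",
    "From: a@example.test\nSubject: Hi\n"
    "X-PHP-Originating-Script: 1004:send.php\n\nbody\n",
    "From: b@example.test\nSubject: Hi\n"
    "X-PHP-Originating-Script: 1004:send.php\n\nbody\n",
    "From: c@example.test\nSubject: Hi\n"
    "X-PHP-Originating-Script: 1004:send.php\n\nbody\n",
    "From: d@example.test\nSubject: No header\n\nbody\n",
    "From: e@example.test\nSubject: Odd\n"
    "X-PHP-Originating-Script: class.phpmailer.php\n\nbody\n",
]

def parse_originating_script(value):
    """Split 'uid:filename' into (uid, filename); None if it is not in that shape."""
    uid, sep, script = value.strip().partition(":")
    if not sep or not uid.isdigit() or not script.strip():
        return None
    return int(uid), script.strip()

def tally_senders(raw_messages):
    """Count messages per (uid, script); also count messages with no usable header."""
    counts, unattributed = Counter(), 0
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        values = msg.get_all("X-PHP-Originating-Script", [])
        parsed = {p for p in map(parse_originating_script, values) if p}
        if not parsed:
            unattributed += 1  # sent outside PHP mail(), or header malformed
        counts.update(parsed)
    return counts, unattributed

def noisy_senders(counts, threshold):
    """Return (uid, script) pairs at or above threshold, busiest first."""
    return [key for key, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    counts, unattributed = tally_senders(SAMPLE_MESSAGES)
    for (uid, script), n in counts.most_common():
        print(f"uid={uid} script={script} messages={n}")
    print("no usable header:", unattributed)
```
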


Re: Does anyone know what generates these email headers?

Posted by Bert Van de Poel <be...@ulyssis.org>.
By default any PHP script that's sending an email will contain 
X-PHP-Originating-Script on several Linux distros, even though it's not 
the official default (see 
https://www.php.net/manual/en/mail.configuration.php , one of the first 
Google results). It's a pretty common occurrence to see that header in 
automated emails of all kinds (e.g. registration confirmation emails, 
notifications, login link emails). Alone it's neither a sign of spam nor of ham, 
but combined with other things it can be interesting. The others don't 
ring a bell for me.

Bert

On 8/09/2021 23:27, Loren Wilton wrote:
> I'm getting a lot of mails with some very curious headers in them.
> I tried searching with Google, and it has never heard of many of these 
> strings.
> Does anyone recognize what might be generating these headers?
>
> X-EOPTenantAttributedMessage
> X-EmailAdvisor
> X-Mxtb-Transitionid
> X-MG-Subscriptionuid
> X-PHP-Originating-Script
> X-EmailTransmit-type
> CMM-X-SID-Result
> CMM-X-AUTH-Result
> CMM-X-Message-Status
> X-OutGoing-Spam-Status
> X-EmailTransmit-aid
> X-rext
>
> Thanks!
>
>        Loren