Mailing List Archive

Does anyone know what generates these email headers?
I'm getting a lot of mails with some very curious headers in them.
I tried searching with Google, and it has never heard of many of these
strings.
Does anyone recognize what might be generating these headers?

X-EOPTenantAttributedMessage
X-EmailAdvisor
X-Mxtb-Transitionid
X-MG-Subscriptionuid
X-PHP-Originating-Script
X-EmailTransmit-type
CMM-X-SID-Result
CMM-X-AUTH-Result
CMM-X-Message-Status
X-OutGoing-Spam-Status
X-EmailTransmit-aid
X-rext

Thanks!

Loren


Re: Does anyone know what generates these email headers?
By default any PHP script that's sending an email will contain
X-PHP-Originating-Script on several Linux distros, even though it's not
the official default (see
https://www.php.net/manual/en/mail.configuration.php , one of the first
Google results). It's a pretty common occurrence to see that header in
automated emails of all kinds (e.g. registration confirmation emails,
notifications, login link emails). Alone it's neither a sign of spam nor ham,
but combined with other things it can be interesting. The others don't
ring a bell for me.

Bert

On 8/09/2021 23:27, Loren Wilton wrote:
> I'm getting a lot of mails with some very curious headers in them.
> I tried searching with Google, and it has never heard of many of these
> strings.
> Does anyone recognize what might be generating these headers?
>
> X-EOPTenantAttributedMessage
> X-EmailAdvisor
> X-Mxtb-Transitionid
> X-MG-Subscriptionuid
> X-PHP-Originating-Script
> X-EmailTransmit-type
> CMM-X-SID-Result
> CMM-X-AUTH-Result
> CMM-X-Message-Status
> X-OutGoing-Spam-Status
> X-EmailTransmit-aid
> X-rext
>
> Thanks!
>
>        Loren
>
Re: Does anyone know what generates these email headers?
The originating PHP script header helps people who run shared servers
track down the source of problematic mail. The two most common cases are:

- A contact form with poor security and the option to send a copy to the
"commenter". Hackers find these and flood them.

- A completely compromised site with some mailer script buried down in a
folder that shouldn't have code (typically some image path).

Both give a quick indication of which account needs to be suspended and
what the best course for remediation should be from there.

In cPanel, the X-OutGoing-Spam-Status header is generated by hosts who
run SpamAssassin on outbound mail. As it's easily forged it's kind of
useless on the receiving side (and until a few months back was actually
scoring 0.2 on incoming) but it's generated by cPanel with no option to
disable it. It might also serve as a useful diagnostic for hosts trying
to figure out how the heck an obvious spam message managed to get sent:
if it's not there, then the message was sent by a nonstandard MTA.

On 2021-09-08 18:40, Bert Van de Poel wrote:
> By default any PHP script that's sending an email will contain
> X-PHP-Originating-Script on several Linux distros, even though it's
> not the official default (see
> https://www.php.net/manual/en/mail.configuration.php , one of the
> first Google results). It's a pretty common occurrence to see that
> header in automated emails of all kinds (e.g. registration
> confirmation emails, notifications, login link emails). Alone it's
> neither a sign of spam nor ham, but combined with other things it can be
> interesting. The others don't ring a bell for me.
>
> Bert
>
> On 8/09/2021 23:27, Loren Wilton wrote:
>> I'm getting a lot of mails with some very curious headers in them.
>> I tried searching with Google, and it has never heard of many of
>> these strings.
>> Does anyone recognize what might be generating these headers?
>>
>> X-EOPTenantAttributedMessage
>> X-EmailAdvisor
>> X-Mxtb-Transitionid
>> X-MG-Subscriptionuid
>> X-PHP-Originating-Script
>> X-EmailTransmit-type
>> CMM-X-SID-Result
>> CMM-X-AUTH-Result
>> CMM-X-Message-Status
>> X-OutGoing-Spam-Status
>> X-EmailTransmit-aid
>> X-rext
>>
>> Thanks!
>>
>>        Loren
>>
>
--
For SpamAssassin Users List
Re: Does anyone know what generates these email headers?
> The originating PHP script header helps people who run shared servers
> track down the source of problematic mail. The two most common cases are:

Does this look valid?

X-PHP-Originating-Script: 48:class.phpmailer.php

Just looking at a dozen or so of the spams I've gotten in the last couple
days that match this pattern, they all have an x-originating-spam-status
of -2.9, which makes me a little suspicious that that header is faked. Maybe
the others are too.

Loren


Re: Does anyone know what generates these email headers?
On Wed, Sep 08, 2021 at 06:17:49PM -0700, Loren Wilton wrote:
> > The originating PHP script header helps people who run shared servers
> > track down the source of problematic mail. The two most common cases are:
>
> Does this look valid?
>
> X-PHP-Originating-Script: 48:class.phpmailer.php
>
> Just looking at a dozen or so of the spams I've gotten in the last couple
> days that match this pattern, they all have an x-originating-spam-status
> of -2.9, which makes me a little suspicious that that header is faked. Maybe
> the others are too.
>
class.phpmailer.php means the email has been sent by PHPMailer, one of
the most popular classes used to send emails using PHP.
48 is the uid of the user that sent that email, one more piece of info
useful to track down compromised accounts on shared hosting.
As-is it's neither a spam nor a ham sign.

If x-originating-spam-status always has the same value it's suspect
anyway.

Giovanni
Re: Does anyone know what generates these email headers?
> > The originating PHP script header helps people who run shared servers
> > track down the source of problematic mail. The two most common cases are:
>
> Does this look valid?
>
> X-PHP-Originating-Script: 48:class.phpmailer.php

Yes, that's saying that the mail was sent from a call in class.mailer.php
(I think on line 48).
PHPMailer is a very common email construction and sending tool.

Anthony
--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11
1QR
Re: Does anyone know what generates these email headers?
> > X-PHP-Originating-Script: 48:class.phpmailer.php
>
> Yes, that's saying that the mail was sent from a call in
> class.mailer.php (I think on line 48).
> PHPMailer is a very common email construction and sending tool.


Argh... 48 is the UID of the process. Red Hat Linux types often have apache
as UID 48, which would make sense.
> Anthony
--
www.fonant.com - Quality web sites
Tel. 01903 867 810
Fonant Ltd is registered in England and Wales, company No. 7006596
Registered office: Amelia House, Crescent Road, Worthing, West Sussex, BN11
1QR
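
As an added example (not code posted by anyone in this thread): a host-side tally of queued mail by the `UID:script` value of X-PHP-Originating-Script, the way the thread describes using the header to find which account to look at. The sample messages, addresses and function names are constructed for illustration; a message with a missing, repeated or malformed header is counted as unattributed rather than trusted.

```python
import email
from collections import Counter
from email import policy

# Constructed sample of an outbound queue on a shared host (not from the thread).
SAMPLE_QUEUE = [
    "From: form@site-a.example\nX-PHP-Originating-Script: 1005:contact.php\n\ncopy 1\n",
    "From: form@site-a.example\nX-PHP-Originating-Script: 1005:contact.php\n\ncopy 2\n",
    "From: form@site-a.example\nX-PHP-Originating-Script: 1005:contact.php\n\ncopy 3\n",
    "From: shop@site-b.example\nX-PHP-Originating-Script: 48:class.phpmailer.php\n\nreceipt\n",
    "From: x@site-c.example\nX-PHP-Originating-Script: not-a-uid\n\nmalformed\n",
    "From: y@site-d.example\nSubject: no PHP header\n\nsent another way\n",
]

UNATTRIBUTED = "unattributed"


def parse_originating_script(value):
    """Split 'UID:script' into (uid, script); return None if it does not fit."""
    uid, sep, script = value.strip().partition(":")
    if not sep or not uid.isdigit() or not script:
        return None
    return int(uid), script


def tally_senders(raw_messages):
    """Count messages per (uid, script); anything ambiguous is UNATTRIBUTED."""
    counts = Counter()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        values = msg.get_all("X-PHP-Originating-Script") or []
        # More than one copy means something other than PHP added a header too.
        parsed = parse_originating_script(str(values[0])) if len(values) == 1 else None
        counts[parsed if parsed else UNATTRIBUTED] += 1
    return counts


def busiest_sender(raw_messages):
    """The (uid, script) pair with the most queued mail, or None."""
    ranked = [k for k, _ in tally_senders(raw_messages).most_common() if k != UNATTRIBUTED]
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for key, n in tally_senders(SAMPLE_QUEUE).most_common():
        print(n, key)
```
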