Is your web server under attack, and do you suspect the traffic comes from a domain sending spam through PHP? Here’s a solution to log all of the PHP mail() traffic and view it in your browser.
Create a file called “phpsendmail” – I put mine into /usr/sbin/phpsendmail
Here’s the code. Make sure your server has “sendmail” at “/usr/sbin/sendmail” – if not, change the sendmail path in the following code.
#!/usr/bin/php
<?php
$sendmail = '/usr/sbin/sendmail';
$logfile = '/var/log/mail_php.log';

/* Get email content */
$logline = '';
$mail = '';
$fp = fopen('php://stdin', 'r');
while (($line = fgets($fp)) !== false) {
    /* Keep the To: and From: header lines for the log entry */
    if (preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
        $logline .= trim($line).' ';
    }
    $mail .= $line;
}

/* Build sendmail command (note the trailing space before extra arguments) */
$cmd = 'echo ' . escapeshellarg($mail) . ' | '.$sendmail.' -t -i ';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
    $cmd .= escapeshellarg($_SERVER['argv'][$i]).' ';
}

/* Log line: timestamp, headers and the working directory of the calling script */
$path = isset($_ENV['PWD']) ? $_ENV['PWD'] : $_SERVER['PWD'];
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . $logline .' ==> ' .$path."\n", FILE_APPEND);

/* Call sendmail */
return shell_exec($cmd);
?>
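Create the log file as described above and set the correct permissions:
touch /var/log/mail_php.log
# The log must be writable by every user PHP runs as
chmod 777 /var/log/mail_php.log
# 755: executable by the PHP user, writable only by the owner
# (a world-writable wrapper could be replaced by any local account)
chmod 755 /path/to/phpsendmail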
Now edit the php.ini configuration (/etc/php5/apache2/php.ini in Debian/Ubuntu). Search for [mail function] or SMTP and make the following changes:
[mail function]
;COMMENT OUT SMTP = localhost
;SMTP = localhost
;smtp_port = 25
;*******************************************************
;* ADD THE PATH TO THE phpsendmail script you just made.
;* I used /usr/sbin/phpsendmail
;*******************************************************
sendmail_path = /path/to/phpsendmail
Now restart apache2
service apache2 restart
Create a mail test php file inside of one of your domains. I created mailsend.php
<?php
// The message
$message = "email from PHP... digital magic";
// Send
mail('youremail@domain.com', 'My Subject', $message);
echo "PHP Email Sent... WOW!";
?>
In your browser, go to http://yourdomain.com/mailsend.php and send the email…
Now, tail your log file.
tail -f /var/log/mail_php.log
You should see something like this:
2013-02-03 17:50:57 To: mail1@domain1.com From: mail2@domain2.com ==> /var/www/vhosts/domain1/httpdocs
2013-02-03 17:50:59 To: mail3@domain3.com From: mail4@domain4.com ==> /var/www/vhosts/domain2/httpdocs/libraries
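To rank which directory is sending the most mail from a log in this format, here is an added example (not part of the original post or of the code it credits). The sample lines, the function names and the threshold of 3 mails per minute are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format the wrapper writes:
# "<date> <time> <To:/From: header lines> ==> <working directory of the caller>"
SAMPLE_LOG = """\
2013-02-03 17:50:57 To: mail1@domain1.com From: mail2@domain2.com  ==> /var/www/vhosts/domain1/httpdocs
2013-02-03 17:51:02 To: a@example.net From: x@example.org  ==> /var/www/vhosts/domain2/httpdocs/libraries
2013-02-03 17:51:03 To: b@example.net From: x@example.org  ==> /var/www/vhosts/domain2/httpdocs/libraries
2013-02-03 17:51:04 To: c@example.net From: y ==> /tmp  ==> /var/www/vhosts/domain2/httpdocs/libraries
2013-02-03 17:52:10 To: mail1@domain1.com From: mail2@domain2.com  ==> /var/www/vhosts/domain1/httpdocs
"""

# Greedy (.*) makes the path whatever follows the LAST " ==> ": header values
# are chosen by the sending script, so a header may itself contain " ==> ".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (.*) ==> (.*)$")
TO_RE = re.compile(r"\bTo:(.*?)(?=\bFrom:|$)", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def summarize(log_text):
    """Per calling directory: mail count, distinct recipients, busiest minute."""
    totals = Counter()
    recipients = defaultdict(set)
    per_minute = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or malformed line
        minute, headers, path = m.groups()
        totals[path] += 1
        per_minute[path][minute] += 1
        for to_value in TO_RE.findall(headers):
            recipients[path].update(a.lower() for a in ADDR_RE.findall(to_value))
    return [
        {"path": p, "mails": n, "recipients": len(recipients[p]),
         "peak_per_minute": max(per_minute[p].values())}
        for p, n in totals.most_common()
    ]


def suspects(stats, peak_threshold=3):
    """Directories whose busiest minute reaches the threshold (assumed value)."""
    return [s["path"] for s in stats if s["peak_per_minute"] >= peak_threshold]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print(f'{s["mails"]:5d} mails {s["recipients"]:4d} rcpts '
              f'peak {s["peak_per_minute"]}/min  {s["path"]}')
    print("check first:", suspects(summarize(SAMPLE_LOG)))
```

On a real server, pass the contents of /var/log/mail_php.log to summarize() instead of the sample.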
I made a PHP logfile viewer so I could view the log inside my web browser and not have to log in via SSH / shell
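<?php
// The To:/From: values in the log come from the mail headers,
// so escape them before printing into the page
echo "<pre>";
echo htmlspecialchars((string) shell_exec('tail -10 /var/log/mail_php.log'));
echo "</pre>";
?>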
Hope this helps you find the domain and script sending spam through PHP on your server.
Thanks and Original Code Here: http://www.matteomattei.com/en/how-to-log-email-sent-from-php-through-mail-function/