Is your web server under attack, and do you suspect that one of its domains is sending spam through PHP? Here’s a way to log all PHP mail() traffic and view it in your browser.

Create a file called “phpsendmail” – I put mine into /usr/sbin/phpsendmail

Here’s the code. Make sure your server has “sendmail” at “/usr/sbin/sendmail” – if not, change the sendmail path in the following code.

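#!/usr/bin/php
<?php
/* sendmail wrapper: logs every PHP mail() call, then hands the message to sendmail.
   Adjust the #! line above if your PHP CLI binary lives elsewhere. */
$sendmail = '/usr/sbin/sendmail';
$logfile = '/var/log/mail_php.log';

/* Get email content */
$logline = '';
$mail = '';
$fp = fopen('php://stdin', 'r');

while (($line = fgets($fp)) !== false) {
        /* Keep the To: and From: headers for the log line */
        if (preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
                $logline .= trim($line).' ';
        }
        $mail .= $line;
}

/* Build sendmail command, passing through any arguments PHP supplied */
$cmd = $sendmail.' -t -i';
for ($i = 1; $i < $_SERVER['argc']; $i++) {
        $cmd .= ' '.escapeshellarg($_SERVER['argv'][$i]);
}

/* Log line: timestamp, headers, and the directory the calling script ran in */
$path = isset($_ENV['PWD']) ? $_ENV['PWD'] : $_SERVER['PWD'];
file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . $logline .'  ==> ' .$path."\n", FILE_APPEND);

/* Call sendmail, piping the message to it unchanged
   (echo in /bin/sh may rewrite backslashes in the body) */
$proc = popen($cmd, 'w');
if ($proc === false) {
        exit(1);
}
fwrite($proc, $mail);
exit(pclose($proc) === 0 ? 0 : 1);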

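Create the log file and set the permissions. The log has to be readable and writable by every user PHP runs as; the wrapper only needs to be readable and executable, and must not be writable by those users, or any site on the server could replace it.

touch /var/log/mail_php.log
chmod 666 /var/log/mail_php.log
chmod 755 /path/to/phpsendmail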

Now edit the php.ini configuration (/etc/php5/apache2/php.ini in Debian/Ubuntu). Search for [mail function] or SMTP and make the following changes:

[mail function]
;COMMENT OUT SMTP = localhost
;SMTP = localhost
;smtp_port = 25
;* ADD THE PATH TO THE phpsendmail script you just made. 
;* I used /usr/sbin/phpsendmail
sendmail_path = /path/to/phpsendmail

Now restart apache2

service apache2 restart

Create a mail test php file inside of one of your domains. I created mailsend.php

<?php
// The message
$message = "email from PHP... digital magic";

// Send (put your own address in the first argument)
mail('', 'My Subject', $message);

echo "PHP Email Sent... WOW!";

In your browser, open mailsend.php on that domain to send the email…
Now, tail your log file.

tail -f /var/log/mail_php.log

and you should see something like this

2013-02-03 17:50:57  To: From: ==> /var/www/vhosts/domain1/httpdocs
2013-02-03 17:50:59  To: From: ==> /var/www/vhosts/domain2/httpdocs/libraries
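
Once the log fills up, the directory to look at is the one sending the most mail in the shortest time. The following added example (not part of the original post) parses the log format shown above, counts mails per working directory and flags bursts. The function names, the burst threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Wrapper log format: "<date> <time> <To:/From: headers>  ==> <working directory>".
# The headers are sender-controlled, so the greedy (.*) makes the LAST "==> "
# on the line the separator; a "==>" smuggled into a header cannot spoof the path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)==> (.*)$")

# Constructed sample lines (not real log data).
SAMPLE = [
    "2013-02-03 17:50:57 To: a@example.com From: shop@example.org   ==> /var/www/vhosts/domain1/httpdocs",
    *[f"2013-02-03 17:51:0{s} To: u{s}@example.net From: x@example.org   "
      "==> /var/www/vhosts/domain2/httpdocs/libraries" for s in range(5)],
    "2013-02-03 18:10:00 To: b@example.com From: ==> /tmp   ==> /var/www/vhosts/domain1/httpdocs",
    "truncated or foreign line",
]

def parse(lines):
    """Yield (timestamp, directory) per log line; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(3).strip()

def summarize(lines, burst=5, window=timedelta(seconds=60)):
    """Return [(directory, total, bursty)], busiest directory first.

    bursty is True when `burst` or more mails from that directory
    fall inside one `window`.
    """
    times = defaultdict(list)
    for ts, directory in parse(lines):
        times[directory].append(ts)
    report = []
    for directory, stamps in times.items():
        stamps.sort()
        bursty = any(stamps[i + burst - 1] - stamps[i] <= window
                     for i in range(len(stamps) - burst + 1))
        report.append((directory, len(stamps), bursty))
    return sorted(report, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    # To read the real log: summarize(open("/var/log/mail_php.log"))
    for directory, total, bursty in summarize(SAMPLE):
        print(f"{total:5d}  {'BURST' if bursty else '     '}  {directory}")
```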

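I made a PHP logfile viewer so I could view the log inside my web browser and not have to log in via SSH / shell. The log contains mail addresses and directory paths, so put the viewer behind authentication or an IP restriction.

<?php
echo "<pre>";
	// Show the last 10 log entries
	passthru('tail -10 /var/log/mail_php.log');
echo "</pre>";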



Hope this helps you find the domain and script sending spam through PHP on your server.

Thanks and Original Code Here: