PHP mail() header patch


If you have a PHP script that sends mail, the recipient of the mail message will only see which server it was sent from. There will normally be no record of who originated the message, or which script on the server actually caused it to be sent. This can make it difficult to trace misuse, even if you have comprehensive mail and webserver logs.

The Solution

This patch attempts to address this weakness by inserting an informational header to messages sent from PHP via the mail() function. The header identifies both the script and the apparent IP address that called it.

The header added has the form:

X-PHP-Script: <servername><php-self> for <remote-addr>

For example:

X-PHP-Script: for

If the connection appears to have come via a proxy cache (i.e. has an "X-Forwarded-For" header), <remote-addr> is a list of addresses (the addresses in X-Forwarded-For, then the 'real' remote address).

Here are the most recent versions of the patch:

All versions of the patch are listed here. Some may work better than others.

I've had a report of a problem with at least one of the old versions of the patch, so try the latest version of the patch first, even if your PHP is not up to date.


This is a patch against the PHP source code. I apply it with something like:
patch -p1 < php5-mail-header.patch

See Also

You might also find the following patch useful to you:
Steve Bennett
last updated: 19/09/2007