How to remove phpmail for only one domain?

  • I have a hacked website, and is sending spam... what i want is to disable phpmail only for this domain... but i dont know how to do it (if possible).


  • Edit the php.ini file of the domain manually

  • Yes but... where and how... there is a lot of php.ini files, and what i want is disable only for one user

  • DOESNT WORK... it continue sending mail with phpmail (if i disable domain, it stop sending mail).

    solved...but with small troubles

    1º Change /etc/php5/fpm/pool.d/tld.conf file...
    change last line:
    php_admin_value[disable_functions] = show_source,system,shell_exec,passthru,exec,phpinfo,shell,symlink,proc_open,popen
    to (see last "mail" word)
    php_admin_value[disable_functions] = show_source,system,shell_exec,passthru,exec,phpinfo,shell,symlink,proc_open,popen,mail

    2º. restart apache...

    3º... as you see nothing happens... wait!!!... file modified is again without "mail" word (it has been restored to original version)....
    4º. So... modify again, and change file permision to only read to all users...
    5º. restart apache...

  • When you write

    1. disable_functions = mail

    in your
    an restart your apache2.

    Then i think you have no troble with "php_admin_value[disable_functions]" settings, witch is set over the i-mscp Panel in "PHP Setting" from the Costumer login.

  • Hello ;


    By disabling the php mail() function, that will not prevent the customer to send mail from its site if he is using a PHP smtp client. To resume here, the work must be done on postfix side. You should forbid sending any mail from your local network without SASL authentication.

    To be more clear, you should review the smtpd restrictions which by default allow your local network to send mail without further checking ( permit_mynetworks ).


  • I think so... because i have disabled mail function... and it continues sending spam, and i have modified php to log phpmail emails (to identify script...) and doesnt work... so i think is a smtp php mail, because if i disable domain, spam stops...

    I will try....

  • Look at /var/log/apache2/domain.tld/access.log
    Anyone call a .php file which is infected.

    Run malwaredetect for this domain:
    maldet --scan-all /var/www/virtual/domain.tld/

  • finally found script spamware... it uses smtp... but i dont undertand... in default postfix i can send email from localhost using not autenticated user??? how can fix this???

  • @apocalipsis1234

    You are asking something which I've already answered in my previous post ;) Thus, I answers again with a bit more elaboration ;)

    The SMTP restrictions as set by default doesn't imply SASL authentication for the mails sent from your local network . Those rules are defined in the Postfix file as follow:

    As you can see here, the permit_mynetworks restriction is evaluated before the permit_sasl_authenticated restriction. Thus, any customers that are using a PHP SMTP client can send mails through your local network without any authentication as long they fit the restrictions that appear before the permit_mynetworks restriction.

    Here, you can easily solve the problem by moving the permit_mynetworks restrictions below the permit_sasl_authenticated restrictions, and by restarting Postfix. I'll surely do this for next release anyway ;)

    To resume, to prevent a customer to send mail through PHP you must follow the instructions above and also disable the PHP mail() function.