Find spamming website on shared server

Problem:
Your shared server is being misused to send spam through a PHP script. With hundreds of websites or domains on the server, it is not easy to find out which domain or which script is the culprit.


Solution:
Write a wrapper script:

Find the active sendmail_path setting in php.ini:

grep sendmail_path /etc/php.ini

This is usually something like:

sendmail_path = /usr/sbin/sendmail -t -i

Write a new shell script /usr/local/sbin/sendmail_php.sh:

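#!/bin/bash
# Wrapper for PHP mail(): log the calling script's working directory, then hand off to sendmail.
# This file must be executable by the web server user.
logger "php_mail: dir=${PWD}"
exec /usr/sbin/sendmail -t -i "$@"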

Change /etc/php.ini accordingly:

sendmail_path = /usr/local/sbin/sendmail_php.sh

Restart your webserver.

Now, whenever a PHP script calls mail(), you will see an entry like the following in your server logs:

May 3 11:29:58 www42 logger: php_mail: dir=/var/www/vhosts/example.com/httpdocs/guestbook
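
Once the wrapper has been logging for a while, the entries can be ranked to show which directory or domain sends the most mail. The script below is an added example, not part of the original write-up; the sample log lines are constructed, and the per-domain count assumes the /var/www/vhosts/<domain>/ layout seen in the log line above.

```shell
#!/bin/sh
# Added example: rank php_mail log entries to find the busiest sender.

# Constructed sample lines in the log format shown above (not real data).
sample_log() {
cat <<'EOF'
May 3 11:29:58 www42 logger: php_mail: dir=/var/www/vhosts/example.com/httpdocs/guestbook
May 3 11:30:01 www42 logger: php_mail: dir=/var/www/vhosts/example.org/httpdocs/tmp
May 3 11:30:01 www42 logger: php_mail: dir=/var/www/vhosts/example.org/httpdocs/tmp
May 3 11:30:02 www42 sshd[811]: Accepted publickey for admin
May 3 11:30:02 www42 logger: php_mail: dir=/var/www/vhosts/example.org/httpdocs/tmp
May 3 11:30:05 www42 logger: php_mail: dir=/var/www/vhosts/example.net/httpdocs/contact
May 3 11:30:09 www42 logger: php_mail: dir=/var/www/vhosts/example.org/httpdocs/wp-content
EOF
}

# Print "<count> <directory>" for every directory that called mail(),
# busiest first. Reads syslog lines on stdin; other lines are ignored.
count_by_dir() {
  awk '{ i = index($0, "php_mail: dir=")
         if (i) n[substr($0, i + 14)]++ }
       END { for (d in n) print n[d], d }' | sort -k1,1nr -k2
}

# Same ranking per virtual host. Assumes the /var/www/vhosts/<domain>/
# layout seen in the sample line; adjust the prefix for other layouts.
count_by_vhost() {
  awk '{ i = index($0, "php_mail: dir=/var/www/vhosts/")
         if (i) { split(substr($0, i + 30), p, "/"); n[p[1]]++ } }
       END { for (v in n) print n[v], v }' | sort -k1,1nr -k2
}

# Usage on a live system (the log file path is an assumption):
#   count_by_dir < /var/log/messages | head
sample_log | count_by_vhost
```

A directory that suddenly dominates this ranking, especially an upload or temp directory, is the first place to look for the abused script.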