Leaf Phpmailer


Spam Farm Spotted in the Wild

Published: 2021-03-05
Last Updated: 2021-03-05 06:16:23 UTC
byXavier Mertens (Version: 1)
0 comment(s)
  • Leaf 2.8,phpmailer 2.8PHPMailer,Leaf PHPMailer, leafmailer, leafmailer.php, phpmailer 2.7.
  • Spam Farm Spotted in the Wild, (Fri, Mar 5th) Posted by admin-csnv on March 5, 2021. If there is a place where you can always find juicy information, it’s your spam folder!

Take A Sneak Peak At The Movies Coming Out This Week (8/12) New Movie Releases This Weekend: April 30-May 2; Billie Eilish drops the first track off upcoming album, and we’re ‘Happier Than Ever’.

If there is a place where you can always find juicy information, it's your spam folder! Yes, I like spam and I don't delete my spam before having a look at it for hunting purposes. Besides emails flagged as spam, NDR or 'Non-Delivery Receipt' messages also deserve some attention. One of our readers (thanks to him!) reported yesterday how he found a 'spam farm' based on bounced emails. By default, SMTP is a completely open protocol. Everybody can send an email pretending to be Elon Musk or Joe Biden! That's why security control like SPF[1] or DKIM[2] can be implemented to prevent spoofed emails to be sent from anywhere. If not these controls are not implemented, you may be the victim of spam campaigns that abuse your domain name or identity. The 'good' point (if we can say this) is that all NDR messages will bounce to the official mail server that you manage. That's what happened with our reader, he saw many bounced messages for unknown email addresses. Here is an example:

What interesting information do we have in this email? We see a domain name: farments[.]cf in the Message-ID (this header is generated by the first hop in the SMTP delivery chain) but also another SMTP header added by the mailer: X-PHP-Originating-Script: 1000:mailer1.php.

Let's combine the domain with the URL in the header: hxxp://farments[.]cf/mailer1.php


Download Leaf Mailer

This is a leafmailer[3] instance... A very popular PHP mailer used by spammers. urlscan.io reports 26 similar websites[4]:

I did the same search on VirusTotal and found more URLs:


Many of them are compromised websites where the mailer is deployed and used to send spam.

Conclusion: Keep an eye on your bounced messages, sometimes they may reveal interesting information!

[1] https://en.wikipedia.org/wiki/Sender_Policy_Framework
[2] https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
[3] https://leafmailer.pw
[4] https://urlscan.io/result/3289f4f9-6db2-46e8-b72b-fa3b1561bdf6/related/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

0 comment(s)

Leaf Phpmailer Ext:php


Leaf Phpmailer Ext:php 2019

Join us at SANS!Attend Reverse-Engineering Malware: Malware Analysis Tools and Techniques with Xavier Mertens in Online British Summer Time starting Aug 23 2021