The PHP mail() function adds X-PHP-Script to the mail header which include the URL of the PHP-file that called the function and IP of the sending user. This is potentially a vulnerability as emails sent from the osC admin then will show the name of the admin directory giving away this to potential attackers. E.x. "X-PHP-Script: for"   Can sometimes be inhibited by adding mail.add_x_header = "0" to php.ini, but not with all hosts if seems.   Cheers,   zeppo