cPanel Email Filters piping bounced email to a script - what gets piped?

rolinger

Active Member
Feb 13, 2017
33
1
8
Tampa
cPanel Access Level
Root Administrator
I am writing a script for an email filter to process bounced emails - to capture the original TO address and mark the address bad in our DB. When an email bounces back and gets processed by a "piped to script", what actually gets piped to an Email Filter script?

I ask because in most email clients (like MS Outlook) the bounce email is addressed TO the original From/Sender, while the original TO address is embedded in 2 of the three files attached to the bounced email. Those two attachments are the original message and, in the second, the original headers. But if the bounce email itself is all that's passed, then the script will be grabbing the wrong TO address (which is the original FROM address). If it's passing everything to the piped script, then there are TWO From addresses and TWO To addresses. I found this out (two from/to addresses) because I had to save a bounced email to a file to pipe to test my script from the CLI - it flattened all three attachments and the base email into a single saved file. When it processed, it was grabbing the wrong To/From addresses.
 

rolinger

I was finally able to test a real bounced email and the TO address captured in my script is the original Sender/From address - "[email protected]" - not the original TO address to the user: [email protected]

Here are the real headers:

Code:
Return-Path: <>
Delivered-To: [email protected]
Received: from ip-192-167-167-70.ip.secureserver.net
    by ip-192-167-167-70.ip.secureserver.net with LMTP
    id MSG+Ocd09F6ZZgAA9USnCQ
    (envelope-from <>)
    for <[email protected]>; Thu, 25 Jun 2020 05:56:23 -0400
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Thu, 25 Jun 2020 05:56:23 -0400
Received: from a2nlsmtp01-03.prod.iad2.secureserver.net ([198.71.225.37]:46256)
    by ip-192-167-167-70.ip.secureserver.net with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    id 1joOcJ-0006nb-5t
    for [email protected]; Thu, 25 Jun 2020 05:56:23 -0400
Date: Thu, 25 Jun 2020 02:55:43 -0700
From: [email protected]
To: [email protected]
Subject: Message Delivery Failure - Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/report; boundary="------------I305M09060309060P_115115930789430"
X-Spam-Status: No, score=4.5
X-Spam-Score: 45
X-Spam-Bar: ++++
X-Ham-Report: Spam detection software, running on the system "ip-192-167-167-70.ip.secureserver.net",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  This is an automatically generated Delivery Status Notification.
    Delivery to the following recipients was aborted after 19.3 hour(s): * [email protected]
    
 Content analysis details:   (4.5 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.0 URIBL_BLOCKED          ADMINISTRATOR NOTICE: The query to URIBL was
                             blocked.  See
                             http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
                              for more information.
                             [URIs: mydomainapp.com]
  4.5 RCVD_IN_MSPIKE_L4      RBL: Bad reputation (-4)
                             [198.71.225.37 listed in bl.mailspike.net]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
X-Spam-Flag: NO

The real TO address is the '[email protected]' - but this header is not precise. It's showing a content preview... meaning I can't reliably search for that address and always assume it will be in the header. It's like I am going to have to search the entire email - attachments and all - to try and find the original email address.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,296
1,262
313
Houston
The header is precise; it's for a bounced email, though, not the original email. This means that the original To: address didn't ever get it and it wasn't sent FROM: that address. The content preview, I believe, is from SpamAssassin, so without that you'd just have the header info ending at Content-Type. I'm not sure how *you* would add a header for the original recipient considering that's not where the mail came from when it bounces. But I think I'm also addressing another thread from you that is almost identical to the same issue as this one, which I will continue there.
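
The headers posted above show `Content-Type: multipart/report`, the RFC 3464 delivery status notification layout, so the failed address can be read from the `message/delivery-status` part instead of the outer `To:` header or the SpamAssassin preview. The following is an added example, not code from anyone in this thread; the function name and the sample message with its addresses are constructed, and it assumes the whole bounce arrives on stdin when piped.

```python
import email
import sys
from email import policy
from email.utils import getaddresses

# Constructed sample DSN with placeholder addresses (not the message from the thread).
SAMPLE_BOUNCE = b"""\
From: mailer-daemon@mta.example
To: sender@example.com
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

Delivery to the following recipients was aborted: * user@example.net
--B
Content-Type: message/delivery-status

Reporting-MTA: dns; mta.example

Final-Recipient: rfc822; user@example.net
Status: 5.1.1

--B
Content-Type: text/rfc822-headers

To: user@example.net
--B--
"""

def original_recipients(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    dsn, orig_to = [], []  # DSN fields are preferred; the original To: is the fallback
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/delivery-status" and part.is_multipart():
            for block in part.get_payload():  # per-message block, then one per recipient
                field = block.get("Original-Recipient") or block.get("Final-Recipient")
                if field:  # value looks like "rfc822; user@example.net"
                    dsn.append(str(field).split(";", 1)[-1])
        elif ctype == "text/rfc822-headers":  # returned headers of the original mail
            hdrs = email.message_from_string(part.get_content(), policy=policy.default)
            orig_to += [str(v) for v in hdrs.get_all("To", [])]
        elif ctype == "message/rfc822" and part.is_multipart():  # returned full original
            orig_to += [str(v) for v in part.get_payload(0).get_all("To", [])]
    return [addr for _, addr in getaddresses(dsn or orig_to) if addr]

if __name__ == "__main__":  # piped: read stdin; run by hand: use the constructed sample
    print(original_recipients(SAMPLE_BOUNCE if sys.stdin.isatty() else sys.stdin.buffer.read()))
```

A bounce is untrusted inbound mail, so check the returned address against addresses you actually sent to before marking it bad in the database.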