cPanel Email Filters piping bounced email to a script - what gets piped?


Well-Known Member
Feb 13, 2017
cPanel Access Level
Root Administrator
I am writing a script for an email filter to process bounced emails - to capture the original TO address and mark the address bad in our DB. When an email bounces back and gets processed by a "piped to script" what actually gets piped to a Email Filter script?

I ask because in most email clients (like MS Outlook) the bounce email is addressed TO the original From/Sender, while the original TO address is embedded in 2 of the three files attached to the bounced email. Those two attachments are the original message and the in the second the original headers. But if the bounce email itself is all thats passed, then the script will be grabbing the wrong TO address (which is the original FROM address). If its passing everything to the piped script, then there are TWO From addresses and TWO To addresses. I found this out (two from/to addresses, because I had to save a bounced email to a file to pipe to test my script from CLI- it flattened all three attachments and the base email into a single saved file. When it processed, it was grabbing the wrong To/From addresses.


Well-Known Member
Feb 13, 2017
cPanel Access Level
Root Administrator
I was finally able to test a real bounced email and the TO address captured in my script is the original Sender/From address - "[email protected]" - not the original TO address to the user: [email protected]

Here are the real headers:

Return-Path: <>
Delivered-To: [email protected]
Received: from
    by with LMTP
    id MSG+Ocd09F6ZZgAA9USnCQ
    (envelope-from <>)
    for <[email protected]>; Thu, 25 Jun 2020 05:56:23 -0400
Return-path: <>
Envelope-to: [email protected]
Delivery-date: Thu, 25 Jun 2020 05:56:23 -0400
Received: from ([]:46256)
    by with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    (Exim 4.93)
    id 1joOcJ-0006nb-5t
    for [email protected]; Thu, 25 Jun 2020 05:56:23 -0400
Date: Thu, 25 Jun 2020 02:55:43 -0700
From: [email protected]
To: [email protected]
Subject: Message Delivery Failure - Mail Delivery System
MIME-Version: 1.0
Content-Type: multipart/report; boundary="------------I305M09060309060P_115115930789430"
X-Spam-Status: No, score=4.5
X-Spam-Score: 45
X-Spam-Bar: ++++
X-Ham-Report: Spam detection software, running on the system "",
 has NOT identified this incoming email as spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 root\@localhost for details.
 Content preview:  This is an automatically generated Delivery Status Notification.
    Delivery to the following recipients was aborted after 19.3 hour(s): * [email protected]
 Content analysis details:   (4.5 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
                             blocked.  See
                              for more information.
  4.5 RCVD_IN_MSPIKE_L4      RBL: Bad reputation (-4)
                             [ listed in]
  0.0 RCVD_IN_MSPIKE_BL      Mailspike blacklisted
X-Spam-Flag: NO
The real TO address is the '[email protected] - but this header is not precise. Its showing a content preview...meaning I can't reliably search for that address and always assume it will be in the header. Its like I am going to have search the entire email - attachements and all - to try and find the original email address.


Product Owner II
Staff member
Nov 14, 2017
The header is precise, it's for a bounced email though not the original email, this means that the original To: address didn't ever get it and it wasn't sent FROM: that address. The content preview I believe is from SpamAssassin so without that you'd just have the header info ending at Content-Type. I'm not sure how *you* would add a header for the original recipient considering that's not where the mail came from when it bounces. But I think I'm also addressing another thread from you that is almost identical to the same issue as this one which I will continue there