Filtering emails "Any Header" doesn't check all headers

Discussion in 'E-mail Discussions' started by jayharland, May 11, 2016.

  1. jayharland

    jayharland Member

    I'm trying to write a custom filter and "any header" doesn't actually check all of the headers. For example, it seems to exclude "return-path" and "sender" headers.

    Basically, we use a 3rd party anti-spam service that adds a header to anything it delivers to us. I have a filter that checks for that header or if it's from one of our domains (local delivery), if not, then redirect to a spam vault.

    My issue is, when someone outside the company creates a calendar invite (via Outlook), then someone inside the company sends that out to others (to alert them to the meeting) the message is caught because it's local delivery, yet the From: field retains the address of the original sender.

    Here is what I've tried:

    1. Check for "content-type: text/calendar" in the body or header
      • This works if the string exists within the first 7,000 characters, otherwise the filter doesn't see it when it's 24,000 characters from the top (increasing $message_body to 24000 characters seems like a bad idea).
    2. Check to see if the "Sender" header is from our domain
      • My regular expression works, but the filtering system does not acknowledge that the Sender header exists

    Any suggestions? Is there a definitive list of which headers "any header" refers to?

    Thank you!

    - Jay
     
    #1 jayharland, May 11, 2016
    Last edited: May 11, 2016
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Could you let us know the specific filter rule you are using, as well as an example of a message header you want that filter applied to, ensuring to remove any real domain names?

    Thank you.
     
  3. rndpwd

    rndpwd Registered

    I've seen a similar problem: I can't get the "Any Header" "begins with" (nor "contains") to match messages that have their third line beginning "Envelope-to: foo_bar@email.com".

    As a quick work-around, checking "Any Header" "contains" "for foo_" does work as that parses the Received: header.

    In my particular observations, it seems that a number of mail-lists use this to hide/process their subscriber list. I'm not sure if it is a gmail feature/plugin, but I've seen similar behaviour from several entirely independent organisations. Typically the To: is undisclosed-recipients;: with a Bcc: foo_bar@email.com. However mail from one college (M$ Lookout users) only supplies an Envelope-to (no To, Cc nor Bcc) and doesn't use an angle bracket in the Received: processing at outbound.protection.outlook.com (which I notice varies between machines).

    mutt agrees that Envelope-to: is a header :)

    Here is a set of scrubbed headers you could test with:-

    Code:
    From orgname@g_m_a_i_l_.com Fri Jul 22 09:23:57 2016
    Return-path: <orgname@g_m_a_i_l_.com>
    Envelope-to: foo_bar@email.com
    Delivery-date: Fri, 22 Jul 2016 09:23:57 +0100
    Received: from mail-lf0-f45.google.com ([209.85.215.45]:32869)
        by my.hosting-provider.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
        (Exim 4.87)
        (envelope-from <orgname@g_m_a_i_l_.com>)
        id 1bQVkS-003MZw-Ue
        for foo_bar@email.com; Fri, 22 Jul 2016 09:23:57 +0100
    Received: by mail-lf0-f45.google.com with SMTP id b199so79879166lfe.0
            for <foo_bar@email.com>; Fri, 22 Jul 2016 01:23:37 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=gmail.com; s=20120113;
            h=mime-version:from:date:message-id:subject:to;
            bh=szWqeZzMMv9gjHANWLkjjazFGLrMZ8Yx1f9YhZ/YQBM=;
            b=KvhjcxVP3syjN5+5UROcHjrPWRYGYiiQuykKnGR9M8yxmFLjOyGk3Ldr+R8SRcYEEl
             LkSUENBiyOYRcy2zL7bKkxmRtxtwxZEQ+Bd5IG67oheeSbfIJwhMODf9wZDmtRHPEejg
             AdJ37H7z4UVD9jrateM8gqUgrT9ozXTDSbwVJi7R5stpsgZj1ye7Yhb2xMaiBHdtC5bu
             6tsN3lac/WiYKCEV6sq5LbxSFV+EX4PUDmZ6NwtB9BgMOGdc6HXURG4fr63n/mPQHlTI
             jFZCFIuhISh5P2ZPss4nI+eGgjG7SpIptH1C55oznsaeUZEe5jvw6+IUKZvTlNb3g81R
             QVBw==
    X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=1e100.net; s=20130820;
            h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
            bh=szWqeZzMMv9gjHANWLkjjazFGLrMZ8Yx1f9YhZ/YQBM=;
            b=VhAHNu3YiC/bnbBVIB2le8Qt9LLHkYmdxKAI0F3uTbIDBGLOEHsLrvv6sYh7wDuInj
             e1csn5qpcp9yob8Ja9UUxv7kztQozzQB+FlzituLDT3f9/EsR+l3F4BNYL71Y7xLkJpP
             INb6V+3Z10Pypx46EQr1GvXbtkuRVTCYLCNgSurOYNZ5RKK2NLAI+F4QSc4P/zZA2FC+
             Xn0HkScdoTA05v8Q5r4RyFZbPkaiSn+y9sOiWKkXFDux1Uu7nYxhQPp1zoQe7EO984RI
             RmZLreCnauiDnDT0xadWiBjLpvM2CxQK3r2CE3f3I9N0Goh4GQ3qYSHuZURdRsCUG68n
             MZhQ==
    X-Gm-Message-State: AEkoousOr2g4KSplzLsQIzlKIaKLGSZcHEmG/8NR+wPPRunrJCqPfxlcAj37+psdQHYhO7TDVkjkkox0owhZeg==
    X-Received: by 10.25.39.85 with SMTP id n82mr2094435lfn.29.1469175796438; Fri,
            22 Jul 2016 01:23:16 -0700 (PDT)
    MIME-Version: 1.0
    Received: by 10.25.155.16 with HTTP; Fri, 22 Jul 2016 01:23:15 -0700 (PDT)
    From: Organisation Name <orgname@g_m_a_i_l_.com>
    Date: Fri, 22 Jul 2016 09:23:15 +0100
    Message-ID: <CA+EVSZyHQXAQJZjV+ix8kLBVz6Sg3o6c4RJ9Cq5ecoM4u7P4=g@mail.gmail.com>
    Subject: yes this was really was left blank yet again
    To: undisclosed-recipients:;
    Content-Type: multipart/mixed; boundary=001a11410fec75ed05053835252f
    Bcc: foo_bar@email.com
    Status: RO
    Content-Length: 920818
    Lines: 11982
    
    HTH,
    Daniel
     
    #3 rndpwd, Jul 27, 2016
    Last edited by a moderator: Jul 27, 2016
  4. enboig

    enboig Member

    I have the same problem, my filter is

    Code:
    # Exim filter - auto-generated by cPanel.
    #
    # Do not manually edit this file; instead, use cPanel APIs to manipulate
    # email filters. MANUAL CHANGES TO THIS FILE WILL BE OVERWRITTEN.
    #
    
    if not first_delivery and error_message then finish endif
    
    #user+tag1@domain.com
    if
    $message_headers contains "user+tag1@domain.com"
    then
    deliver "\"$local_part+tag1\"@$domain"
    endif
    
    And my header is:
    Code:
    Return-path: <user@domain.com>
    Envelope-to: user+tag1@domain.com
    Delivery-date: Fri, 29 Jul 2016 09:58:48 +0200
    Received: from [::1] (port=43225 helo=sub1.domain.com)
        by cpanel.domain.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.87)
        (envelope-from <user@domain.com>)
        id 1bT2gq-002uS1-BR; Fri, 29 Jul 2016 09:58:48 +0200
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
        boundary="91957ccdaad22bb5e722f0274646259b2b62f1e65"
    Content-Transfer-Encoding: 8Bit
    X-Mailer: Drupal
    Errors-To: user@domain.com
    Sender: "=?UTF-8?*******************"
        <user@domain.com>
    From: "=?UTF-8?*****************"
        <user@domain.com>
    Reply-to: user@domain.com
    Date: Fri, 29 Jul 2016 07:58:40 +0000
    To: tsr25@hotmail.com
    Subject: =?UTF-8?********************************=?=
    X-OutGoing-Spam-Status: No, score=2.1
    
    This is a multi-part message in MIME format.
    
    My filter is not applied.
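
An added example, not code from any poster or from cPanel, modelling the behaviour reported in the two posts above. It assumes Exim's documented defaults: Return-path:, Envelope-to: and Delivery-date: are written by the transport at delivery (`return_path_add`, `envelope_to_add`, `delivery_date_add`), after a filter has already tested `$message_headers`. The function names and the `DELIVERY_TIME` set are hypothetical.

```python
import re

# Constructed sample: abridged from the scrubbed headers posted in this thread,
# as they appear in the stored mailbox copy (after delivery).
STORED = """\
Return-path: <orgname@g_m_a_i_l_.com>
Envelope-to: foo_bar@email.com
Delivery-date: Fri, 22 Jul 2016 09:23:57 +0100
Received: from mail-lf0-f45.google.com ([209.85.215.45]:32869)
    by my.hosting-provider.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
    (Exim 4.87)
    (envelope-from <orgname@g_m_a_i_l_.com>)
    id 1bQVkS-003MZw-Ue
    for foo_bar@email.com; Fri, 22 Jul 2016 09:23:57 +0100
From: Organisation Name <orgname@g_m_a_i_l_.com>
Subject: yes this was really was left blank yet again
To: undisclosed-recipients:;
"""

# Assumption: headers the transport writes at delivery time, after filtering.
DELIVERY_TIME = {"return-path", "envelope-to", "delivery-date"}

def unfold(raw):
    """Split a header block into (name, value) pairs, joining folded lines."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += " " + line.strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append([name, value.strip()])
    return [(n, v) for n, v in fields]

def filter_time_headers(raw):
    """Headers a filter would see: stored copy minus delivery-time additions."""
    return "\n".join(f"{n}: {v}" for n, v in unfold(raw)
                     if n.lower() not in DELIVERY_TIME)

def any_header_contains(raw, needle):
    """Model of an 'Any Header contains' test: case-insensitive substring."""
    return needle.lower() in filter_time_headers(raw).lower()

def envelope_recipients(raw):
    """Recover envelope recipients from the 'for <addr>;' clause of Received:."""
    return [m for n, v in unfold(raw) if n.lower() == "received"
            for m in re.findall(r"\bfor <?([^\s<>;]+)>?;", v)]
```

Under this model the "for foo_" workaround succeeds because the receiving Exim's Received: line records the envelope recipient. The headers in the second post carry the tagged address only in Envelope-to:, with no `for` clause in Received:, so the same test finds nothing to match there.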
     
  5. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The following resolution was published with cPanel 58.0.23:

    Fixed case CPANEL-7971: Handle legacy filter destinations with an extra leading dot in the domain.

    Could you let us know if the issue continues on this version? If so, please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

    Thank you.
     