Filtering emails "Any Header" doesn't check all headers

jayharland

I'm trying to write a custom filter and "any header" doesn't actually check all of the headers. For example, it seems to exclude "return-path" and "sender" headers.

Basically, we use a 3rd party anti-spam service that adds a header to anything it delivers to us. I have a filter that checks for that header or if it's from one of our domains (local delivery), if not, then redirect to a spam vault.

My issue is, when someone outside the company creates a calendar invite (via Outlook), then someone inside the company sends that out to others (to alert them to the meeting) the message is caught because it's local delivery, yet the From: field retains the address of the original sender.

Here is what I've tried:

  1. Check for "content-type: text/calendar" in the body or header
    • This works if the string exists within the first 7,000 characters, otherwise the filter doesn't see it when it's 24,000 characters from the top (increasing $message_body to 24000 characters seems like a bad idea).
  2. Check to see if the "Sender" header is from our domain
    • My regular expression works, but the filtering system does not acknowledge that the Sender header exists

Any suggestions? Is there a definitive list of which headers "any header" refers to?

Thank you!

- Jay
 

cPanelMichael

Hello,

Could you let us know the specific filter rule you are using, as well as an example of a message header you want that filter applied to, ensuring to remove any real domain names?

Thank you.
 

rndpwd

I've seen a similar problem: I can't get the "Any Header" "begins with" (nor "contains") to match messages that have their third line beginning "Envelope-to: [email protected]".

As a quick work-around, checking "Any Header" "contains" "for foo_" does work as that parses the Received: header.

In my particular observations, it seems that a number of mail-lists use this to hide/process their subscriber list. I'm not sure if it is a gmail feature/plugin, but I've seen similar behaviour from several entirely independent organisations. Typically the To: is undisclosed-recipients;: with a Bcc: [email protected]. However mail from one college (M$ Lookout users) only supplies an Envelope-to (no To, Cc nor Bcc) and doesn't use an angle bracket in the Received: processing at outbound.protection.outlook.com (which I notice varies between machines).

mutt agrees that Envelope-to: is a header :)

Here are a set of scrubbed headers you could test with:-

Code:
From [email protected]_m_a_i_l_.com Fri Jul 22 09:23:57 2016
Return-path: <[email protected]_m_a_i_l_.com>
Envelope-to: [email protected]
Delivery-date: Fri, 22 Jul 2016 09:23:57 +0100
Received: from mail-lf0-f45.google.com ([209.85.215.45]:32869)
    by my.hosting-provider.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
    (Exim 4.87)
    (envelope-from <[email protected]_m_a_i_l_.com>)
    id 1bQVkS-003MZw-Ue
    for [email protected]; Fri, 22 Jul 2016 09:23:57 +0100
Received: by mail-lf0-f45.google.com with SMTP id b199so79879166lfe.0
        for <[email protected]>; Fri, 22 Jul 2016 01:23:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:from:date:message-id:subject:to;
        bh=szWqeZzMMv9gjHANWLkjjazFGLrMZ8Yx1f9YhZ/YQBM=;
        b=KvhjcxVP3syjN5+5UROcHjrPWRYGYiiQuykKnGR9M8yxmFLjOyGk3Ldr+R8SRcYEEl
         LkSUENBiyOYRcy2zL7bKkxmRtxtwxZEQ+Bd5IG67oheeSbfIJwhMODf9wZDmtRHPEejg
         AdJ37H7z4UVD9jrateM8gqUgrT9ozXTDSbwVJi7R5stpsgZj1ye7Yhb2xMaiBHdtC5bu
         6tsN3lac/WiYKCEV6sq5LbxSFV+EX4PUDmZ6NwtB9BgMOGdc6HXURG4fr63n/mPQHlTI
         jFZCFIuhISh5P2ZPss4nI+eGgjG7SpIptH1C55oznsaeUZEe5jvw6+IUKZvTlNb3g81R
         QVBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=szWqeZzMMv9gjHANWLkjjazFGLrMZ8Yx1f9YhZ/YQBM=;
        b=VhAHNu3YiC/bnbBVIB2le8Qt9LLHkYmdxKAI0F3uTbIDBGLOEHsLrvv6sYh7wDuInj
         e1csn5qpcp9yob8Ja9UUxv7kztQozzQB+FlzituLDT3f9/EsR+l3F4BNYL71Y7xLkJpP
         INb6V+3Z10Pypx46EQr1GvXbtkuRVTCYLCNgSurOYNZ5RKK2NLAI+F4QSc4P/zZA2FC+
         Xn0HkScdoTA05v8Q5r4RyFZbPkaiSn+y9sOiWKkXFDux1Uu7nYxhQPp1zoQe7EO984RI
         RmZLreCnauiDnDT0xadWiBjLpvM2CxQK3r2CE3f3I9N0Goh4GQ3qYSHuZURdRsCUG68n
         MZhQ==
X-Gm-Message-State: AEkoousOr2g4KSplzLsQIzlKIaKLGSZcHEmG/8NR+wPPRunrJCqPfxlcAj37+psdQHYhO7TDVkjkkox0owhZeg==
X-Received: by 10.25.39.85 with SMTP id n82mr2094435lfn.29.1469175796438; Fri,
        22 Jul 2016 01:23:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.155.16 with HTTP; Fri, 22 Jul 2016 01:23:15 -0700 (PDT)
From: Organisation Name <[email protected]_m_a_i_l_.com>
Date: Fri, 22 Jul 2016 09:23:15 +0100
Message-ID: <[email protected]om>
Subject: yes this was really was left blank yet again
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary=001a11410fec75ed05053835252f
Bcc: [email protected]
Status: RO
Content-Length: 920818
Lines: 11982

HTH,
Daniel
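
Added example, not part of the original posts and not cPanel's or Exim's own code: a simplified Python model of the observation in the post above. It assumes that Exim's delivery transport adds Return-path:, Envelope-to: and Delivery-date: when it writes the message to the mailbox, after the account filter has run, so the stored copy shows headers the filter never saw. The sample message and all function names are constructed.

```python
from email import message_from_string

# Assumption (Exim behaviour, not stated in the thread): these headers are
# written by the delivery transport, after user filters have already run.
DELIVERY_TIME_HEADERS = {"return-path", "envelope-to", "delivery-date"}

# Constructed sample, modelled on the scrubbed headers posted above.
STORED_MESSAGE = """\
Return-path: <sender@example.com>
Envelope-to: foo_list@example.org
Delivery-date: Fri, 22 Jul 2016 09:23:57 +0100
Received: from mail.example.com ([192.0.2.45]:32869)
    by mx.example.org with esmtps (Exim 4.87)
    (envelope-from <sender@example.com>)
    id 1bQVkS-003MZw-Ue
    for foo_list@example.org; Fri, 22 Jul 2016 09:23:57 +0100
From: Organisation Name <sender@example.com>
To: undisclosed-recipients:;
Subject: constructed test message

body
"""


def headers_at_filter_time(raw):
    """Return (name, value) pairs, minus the headers added at delivery."""
    msg = message_from_string(raw)
    return [(name, value) for name, value in msg.items()
            if name.lower() not in DELIVERY_TIME_HEADERS]


def any_header_contains(raw, needle):
    """Simplified model of an "Any Header" "contains" test:
    a plain substring search over the headers present at filter time."""
    blob = "\n".join(f"{name}: {value}"
                     for name, value in headers_at_filter_time(raw))
    return needle in blob


if __name__ == "__main__":
    for needle in ("Envelope-to: foo_list@example.org", "for foo_"):
        print(repr(needle), "->", any_header_contains(STORED_MESSAGE, needle))
```

Under that assumption the Envelope-to: string is present in the saved message but not in what the filter searched, while the same recipient address is still reachable through the Received: line, which matches the work-around described in the post.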
 

enboig

I have the same problem; my filter is:

Code:
# Exim filter - auto-generated by cPanel.
#
# Do not manually edit this file; instead, use cPanel APIs to manipulate
# email filters. MANUAL CHANGES TO THIS FILE WILL BE OVERWRITTEN.
#

if not first_delivery and error_message then finish endif

#[email protected]
if
$message_headers contains "[email protected]"
then
deliver "\"$local_part+tag1\"@$domain"
endif

And my header is:

Code:
Return-path: <[email protected]>
Envelope-to: [email protected]
Delivery-date: Fri, 29 Jul 2016 09:58:48 +0200
Received: from [::1] (port=43225 helo=sub1.domain.com)
    by cpanel.domain.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
    (Exim 4.87)
    (envelope-from <[email protected]>)
    id 1bT2gq-002uS1-BR; Fri, 29 Jul 2016 09:58:48 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="91957ccdaad22bb5e722f0274646259b2b62f1e65"
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Errors-To: [email protected]
Sender: "=?UTF-8?*******************"
    <[email protected]>
From: "=?UTF-8?*****************"
    <[email protected]>
Reply-to: [email protected]
Date: Fri, 29 Jul 2016 07:58:40 +0000
To: [email protected]
Subject: =?UTF-8?********************************=?=
X-OutGoing-Spam-Status: No, score=2.1

This is a multi-part message in MIME format.

My filter is not applied.
 

cPanelMichael

deliver "\"$local_part+tag1\"@$domain"
Hello,

The following resolution was published with cPanel 58.0.23:

Fixed case CPANEL-7971: Handle legacy filter destinations with an extra leading dot in the domain.

Could you let us know if the issue continues on this version? If so, please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.