cPanel Email Filters piping bounced email to a script - what gets piped?
I am writing a script for an email filter to process bounced emails - to capture the original TO address and mark the address bad in our DB. When an email bounces back and gets processed by a "piped to script" what actually gets piped to a Email Filter script?
I ask because in most email clients (like MS Outlook) the bounce email is addressed TO the original From/Sender, while the original TO address is embedded in 2 of the three files attached to the bounced email. Those two attachments are the original message and the in the second the original headers. But if the bounce email itself is all thats passed, then the script will be grabbing the wrong TO address (which is the original FROM address). If its passing everything to the piped script, then there are TWO From addresses and TWO To addresses. I found this out (two from/to addresses, because I had to save a bounced email to a file to pipe to test my script from CLI- it flattened all three attachments and the base email into a single saved file. When it processed, it was grabbing the wrong To/From addresses.
-
I was finally able to test a real bounced email and the TO address captured in my script is the original Sender/From address - "register@mydomain.com" - not the original TO address to the user: user1@hotmail.com Here are the real headers: Return-Path: <> Delivered-To: register+INBOX@mydomain.com Received: from ip-192-167-167-70.ip.secureserver.net by ip-192-167-167-70.ip.secureserver.net with LMTP id MSG+Ocd09F6ZZgAA9USnCQ (envelope-from <>) for ; Thu, 25 Jun 2020 05:56:23 -0400 Return-path: <> Envelope-to: register@mydomain.com Delivery-date: Thu, 25 Jun 2020 05:56:23 -0400 Received: from a2nlsmtp01-03.prod.iad2.secureserver.net ([198.71.225.37]:46256) by ip-192-167-167-70.ip.secureserver.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) id 1joOcJ-0006nb-5t for register@mydomain.com; Thu, 25 Jun 2020 05:56:23 -0400 Date: Thu, 25 Jun 2020 02:55:43 -0700 From: mailer-daemon@secureserver.net To: register@mydomain.com Subject: Message Delivery Failure - Mail Delivery System MIME-Version: 1.0 Content-Type: multipart/report; boundary="------------I305M09060309060P_115115930789430" X-Spam-Status: No, score=4.5 X-Spam-Score: 45 X-Spam-Bar: ++++ X-Ham-Report: Spam detection software, running on the system "ip-192-167-167-70.ip.secureserver.net", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see root\@localhost for details. Content preview: This is an automatically generated Delivery Status Notification. Delivery to the following recipients was aborted after 19.3 hour(s): * brixxxxxxxxxxxx88@gmail.con Content analysis details: (4.5 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [URIs: mydomainapp.com] 4.5 RCVD_IN_MSPIKE_L4 RBL: Bad reputation (-4) [198.71.225.37 listed in bl.mailspike.net] 0.0 RCVD_IN_MSPIKE_BL Mailspike blacklisted X-Spam-Flag: NO
The real TO address is the 'brixxxxxxxxxxxx88@gmail.con - but this header is not precise. Its showing a content preview...meaning I can't reliably search for that address and always assume it will be in the header. Its like I am going to have search the entire email - attachements and all - to try and find the original email address.0 -
The header is precise, it's for a bounced email though not the original email, this means that the original To: address didn't ever get it and it wasn't sent FROM: that address. The content preview I believe is from SpamAssassin so without that you'd just have the header info ending at Content-Type. I'm not sure how *you* would add a header for the original recipient considering that's not where the mail came from when it bounces. But I think I'm also addressing another thread from you that is almost identical to the same issue as this one which I will continue there 0
Please sign in to leave a comment.
Comments
2 comments