Filtering emails "Any Header" doesn't check all headers
I'm trying to write a custom filter and "any header" doesn't actually check all of the headers. For example, it seems to exclude "return-path" and "sender" headers.
Basically, we use a 3rd party anti-spam service that adds a header to anything it delivers to us. I have a filter that checks for that header or if it's from one of our domains (local delivery), if not, then redirect to a spam vault.
My issue is, when someone outside the company creates a calendar invite (via Outlook), then someone inside the company sends that out to others (to alert them to the meeting) the message is caught because it's local delivery, yet the From: field retains the address of the original sender.
Here is what I've tried:
- Check to see if the "Sender" header is from our domain
  - My regular expression works, but the filtering system does not acknowledge that the Sender header exists
- Check for "content-type: text/calendar" in the body or header
  - This works if the string exists within the first 7,000 characters, otherwise the filter doesn't see it when it's 24,000 characters from the top (increasing $message_body to 24000 characters seems like a bad idea).

Any suggestions? Is there a definitive list of which headers "any header" refers to?
Thank you!
Jay
Hello,

Could you let us know the specific filter rule you are using, as well as an example of a message header you want that filter applied to, ensuring to remove any real domain names?

Thank you.
I've seen a similar problem, I can't get the "Any Header" "begins with" (nor "contains") to match messages that have their third line beginning "Envelope-to: foo_bar@email.com". As a quick work-around, checking "Any Header" "contains" "for foo_" does work as that parses the Received: header.

In my particular observations, it seems that a number of mail-lists use this to hide/process their subscriber list. I'm not sure if it is a gmail feature/plugin, but I've seen similar behaviour from several entirely independent organisations. Typically the To: is undisclosed-recipients;: with a Bcc: foo_bar@email.com. However mail from one college (M$ Lookout users) only supplies an Envelope-to (no To, Cc nor Bcc) and doesn't use an angle bracket in the Received: processing at outbound.protection.outlook.com (which I notice varies between machines).

mutt agrees that Envelope-to: is a header :)

Here are a set of scrubbed headers you could test with:-

```
From orgname@g_m_a_i_l_.com Fri Jul 22 09:23:57 2016
Return-path:
Envelope-to: foo_bar@email.com
Delivery-date: Fri, 22 Jul 2016 09:23:57 +0100
Received: from mail-lf0-f45.google.com ([209.85.215.45]:32869)
        by my.hosting-provider.co.uk with esmtps (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128)
        (Exim 4.87)
        (envelope-from )
        id 1bQVkS-003MZw-Ue
        for foo_bar@email.com; Fri, 22 Jul 2016 09:23:57 +0100
Received: by mail-lf0-f45.google.com with SMTP id b199so79879166lfe.0
        for ; Fri, 22 Jul 2016 01:23:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:from:date:message-id:subject:to;
        bh=szWqeZzMMv9gjHANWLkjjazFGLrMZ8Yx1f9YhZ/YQBM=;
        b=KvhjcxVP3syjN5+5UROcHjrPWRYGYiiQuykKnGR9M8yxmFLjOyGk3Ldr+R8SRcYEEl
         LkSUENBiyOYRcy2zL7bKkxmRtxtwxZEQ+Bd5IG67oheeSbfIJwhMODf9wZDmtRHPEejg
         AdJ37H7z4UVD9jrateM8gqUgrT9ozXTDSbwVJi7R5stpsgZj1ye7Yhb2xMaiBHdtC5bu
         6tsN3lac/WiYKCEV6sq5LbxSFV+EX4PUDmZ6NwtB9BgMOGdc6HXURG4fr63n/mPQHlTI
         jFZCFIuhISh5P2ZPss4nI+eGgjG7SpIptH1C55oznsaeUZEe5jvw6+IUKZvTlNb3g81R
         QVBw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=szWqeZzMMv9gjHANWLkjjazFGLrMZ8Yx1f9YhZ/YQBM=;
        b=VhAHNu3YiC/bnbBVIB2le8Qt9LLHkYmdxKAI0F3uTbIDBGLOEHsLrvv6sYh7wDuInj
         e1csn5qpcp9yob8Ja9UUxv7kztQozzQB+FlzituLDT3f9/EsR+l3F4BNYL71Y7xLkJpP
         INb6V+3Z10Pypx46EQr1GvXbtkuRVTCYLCNgSurOYNZ5RKK2NLAI+F4QSc4P/zZA2FC+
         Xn0HkScdoTA05v8Q5r4RyFZbPkaiSn+y9sOiWKkXFDux1Uu7nYxhQPp1zoQe7EO984RI
         RmZLreCnauiDnDT0xadWiBjLpvM2CxQK3r2CE3f3I9N0Goh4GQ3qYSHuZURdRsCUG68n
         MZhQ==
X-Gm-Message-State: AEkoousOr2g4KSplzLsQIzlKIaKLGSZcHEmG/8NR+wPPRunrJCqPfxlcAj37+psdQHYhO7TDVkjkkox0owhZeg==
X-Received: by 10.25.39.85 with SMTP id n82mr2094435lfn.29.1469175796438;
        Fri, 22 Jul 2016 01:23:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.155.16 with HTTP; Fri, 22 Jul 2016 01:23:15 -0700 (PDT)
From: Organisation Name
Date: Fri, 22 Jul 2016 09:23:15 +0100
Message-ID:
Subject: yes this was really was left blank yet again
To: undisclosed-recipients:;
Content-Type: multipart/mixed; boundary=001a11410fec75ed05053835252f
Bcc: foo_bar@email.com
Status: RO
Content-Length: 920818
Lines: 11982
```

HTH,
Daniel
I have the same problem, my filter is

```
# Exim filter - auto-generated by cPanel.
#
# Do not manually edit this file; instead, use cPanel APIs to manipulate
# email filters. MANUAL CHANGES TO THIS FILE WILL BE OVERWRITTEN.
#

if not first_delivery and error_message then finish endif

#user+tag1@domain.com
if
 $message_headers contains "user+tag1@domain.com"
then
 deliver "\"$local_part+tag1\"@$domain"
endif
```

And my header is:

```
Return-path:
Envelope-to: user+tag1@domain.com
Delivery-date: Fri, 29 Jul 2016 09:58:48 +0200
Received: from [::1] (port=43225 helo=sub1.domain.com)
        by cpanel.domain.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256)
        (Exim 4.87)
        (envelope-from )
        id 1bT2gq-002uS1-BR; Fri, 29 Jul 2016 09:58:48 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="91957ccdaad22bb5e722f0274646259b2b62f1e65"
Content-Transfer-Encoding: 8Bit
X-Mailer: Drupal
Errors-To: user@domain.com
Sender: "=?UTF-8?*******************"
From: "=?UTF-8?*****************"
Reply-to: user@domain.com
Date: Fri, 29 Jul 2016 07:58:40 +0000
To: tsr25@hotmail.com
Subject: =?UTF-8?********************************=?=
X-OutGoing-Spam-Status: No, score=2.1

This is a multi-part message in MIME format.
```

My filter is not applied.
deliver "\"$local_part+tag1\"@$domain"
Hello,

The following resolution was published with cPanel 58.0.23:

Fixed case CPANEL-7971: Handle legacy filter destinations with an extra leading dot in the domain.

Could you let us know if the issue continues on this version? If so, please open a support ticket using the link in my signature so we can take a closer look. You can post the ticket number here so we can update this thread with the outcome.

Thank you.
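Why the mailbox copies quoted in this thread show headers that "Any Header" cannot match, as an added example that is not part of the original posts: Exim writes Return-path:, Envelope-to: and Delivery-date: in the transport (options `return_path_add`, `envelope_to_add`, `delivery_date_add`), after the router has already run the filter. The sample message, the addresses and the helper name `matching_headers` are constructed for illustration.

```python
from email import message_from_string

# Headers an Exim transport adds while writing the message to the mailbox
# (return_path_add, envelope_to_add, delivery_date_add). A filter runs
# earlier, during routing, so these lines do not exist yet when it tests.
TRANSPORT_ADDED = {"return-path", "envelope-to", "delivery-date"}

NEEDLE = "user+tag1@example.com"  # constructed address

# Constructed sample, shaped like the mailbox copies quoted in the thread.
MAILBOX_COPY = """\
Return-path: <list@example.org>
Envelope-to: user+tag1@example.com
Delivery-date: Fri, 29 Jul 2016 09:58:48 +0200
Received: from mail.example.org ([192.0.2.10])
\tby mx.example.com with esmtps (Exim 4.87)
\tid 1bT2gq-002uS1-BR
\tfor user+tag1@example.com; Fri, 29 Jul 2016 09:58:48 +0200
From: List Owner <list@example.org>
To: undisclosed-recipients:;
Subject: constructed test message

body
"""

# Exim only writes the "for" clause in Received: when the message has a
# single recipient; this variant models a multi-recipient delivery.
NO_FOR = MAILBOX_COPY.replace("\n\tfor user+tag1@example.com;", ";")


def matching_headers(raw, needle, filter_view):
    """Return names of headers whose unfolded value contains needle.

    filter_view=True hides the transport-added headers, approximating what
    '$message_headers contains' can match at filter time. The comparison
    ignores case, as Exim's lowercase 'contains' does.
    """
    hits = []
    for name, value in message_from_string(raw).items():
        if filter_view and name.lower() in TRANSPORT_ADDED:
            continue
        unfolded = " ".join(value.split())
        if needle.lower() in unfolded.lower():
            hits.append(name)
    return hits


if __name__ == "__main__":
    for label, raw in (("single recipient", MAILBOX_COPY), ("no 'for' clause", NO_FOR)):
        print(label, "| mailbox:", matching_headers(raw, NEEDLE, False),
              "| filter:", matching_headers(raw, NEEDLE, True))
```
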