External agent access to X-Envelope-From - ORF Forums


1

We have been receiving a number of Spam messages where the envelope From is an external domain with no SPF record but the From header in the message is from [email protected] so to the user looking at the message in Outlook it appears to be an internal email.

We are running ORF 4.4. Is there any way for an ORF External Agent to access the value that ORF adds later to the message headers as "X-Envelope-From"? This does not appear to have been added to the temp file {EMAILFILESPEC} at the time the external agent processes it. This feature would allow us to compare the X-Envelope-From and From header for consistency where From says it is internal.

Thanks, Tim.

by Tim 7 years ago
2

@Tim: I assume you are using our CDO OnArrival Event sink script to add the envelope SMTP sender address as an "X-Envelope-From" line to the header. Probably, this Event sink runs after the Event sink of ORF, so theoretically if you change the sink priority to run before ORF, the header field will be included in the temp file.

1. Download the file smtpreg.zip (http://vamsoft.com/downloads/smtpreg.zip).
2. Extract the ZIP archive contents to any folder on your server where ORF runs.
3. Start a command prompt and change to the directory where you extracted the archive contents.
4. Run the script as:

cscript smtpreg.vbs /enum > sinks.txt

A new file called sinks.txt will be created in the current folder, which contains the event sink binding list of IIS SMTP and their priorities (lower number indicates higher priority). ORF binds with the following names: VS_ORFEnterprise_RCPT, VS_ORFEnterprise_EOD (for incoming emails, one for the Before Arrival filtering point, one for the On Arrival Filtering Point) and VS_ORFEnterprise_OUTBOUND (the latter is triggered when an email is sent out, this is required for the Auto Sender Whitelist feature).

5. To change the priority of the ORF SMTP Event Sinks to 1000 on the first SMTP virtual server instance, run the following commands:

cscript smtpreg.vbs /setprop 1 OnInboundCommand "VS_ORFEnterprise_RCPT" Source Priority 1000
cscript smtpreg.vbs /setprop 1 OnInboundCommand "VS_ORFEnterprise_EOD" Source Priority 1000

They should run after the Event sink which inserts the envelope sender to the header.

Please note that the priorities are restored to their default state after you upgrade or re-install ORF. Other software may also change the priorities without prior notice (e.g., Exchange updates).

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

3

@Tim: Or, an even simpler solution would be to use the Keyword Blacklist to blacklist emails which have your own domain in the MIME From field, see http://www.vamsoft.com/howto-blacklist-self-spam.asp#mime-sender-spoofing

As ORF ignores internal and outgoing emails, this should not cause any issues with legitimate emails.

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

4

@Krisztian Fekete (Vamsoft): Thanks for the quick response. We are indeed using your CDO OnArrival Event sink script to add the envelope SMTP sender address as an "X-Envelope-From" line to the header.

Running the smtpreg vscript tells me that
Event: SMTP Protocol OnInboundCommand, Name: VS_ORFEnterprise_RCPT, Priority = 24574
Event: SMTP Protocol OnInboundCommand, Name: VS_ORFEnterprise_EOD, Priority = 24574
Event: SMTP Transport OnSubmission, Name: SmtpEnvlIns, SinkClass: CDO.SS_SMTPOnArrivalSink, Priority = 24575

Have I understood correctly that I want the last of these three to run before the first two so I need either to raise the priority of SmtpEnvlIns by reducing the priority number below 24575 or reduce the priority of the other two by increasing the priority number? Would that be
cscript smtpreg.vbs /setprop 1 OnSubmission "SmtpEnvlIns" Source Priority 1000
Or will the OnSubmission event always follow OnInboundCommand so I need to change the sink to a different event?

Thanks, Tim.

by Tim 7 years ago
(in reply to this post)

5

Regarding using the Blacklist to blacklist emails which have own domain in the MIME From field, I think this would block email from external systems which are authorised by SPF to send mail using our domain as a From address.

What I was hoping to do was add a SpamAssassin rule (runs as an external agent) something like
# The From in the envelope IS NOT from @ourdomain.uk
header __FAKEFROM1 X-Envelope-From !~ /\@ourdomain\.uk/i
# But the From in the message header IS from @ourdomain.uk
header __FAKEFROM2 From =~ /\@ourdomain\.uk/i
# Fire only when both sub-rules match
meta FAKEFROM (( __FAKEFROM1 + __FAKEFROM2 ) > 1)
describe FAKEFROM Test for a ourdomain.uk From address with a different envelope probably to try and get around SPF
score FAKEFROM 10.0

by Tim 7 years ago
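
Added example, not part of the original thread and not Vamsoft's code: the envelope/header consistency check discussed above, written as a Python function that an agent could run over the message file once the X-Envelope-From header is present. It assumes that header holds a bare or angle-bracketed address, uses ourdomain.uk as the placeholder domain, and the function names and sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "ourdomain.uk"  # placeholder domain, as in the rule above


def domain_of(address):
    """Lower-cased domain of an address, or '' (e.g. for the null sender <>)."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_internal(domain):
    # Exact or subdomain match, so "ourdomain.uk.example" does not count.
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def check_message(raw):
    """Return 'ok', 'spoofed-from' or 'no-envelope-header' for one message."""
    msg = message_from_string(raw)
    claimed = [domain_of(a) for _, a in getaddresses(msg.get_all("From", []))]
    if not any(is_internal(d) for d in claimed):
        return "ok"  # header From does not claim to be internal
    envelope = msg.get("X-Envelope-From")
    if envelope is None:
        return "no-envelope-header"  # header was not added before this check
    return "ok" if is_internal(domain_of(envelope)) else "spoofed-from"


# Constructed sample messages (not taken from the thread).
SAMPLES = {
    "spoofed": "X-Envelope-From: <bounce@mailer.example>\n"
               'From: "Payroll" <payroll@ourdomain.uk>\n\nbody\n',
    "internal": "X-Envelope-From: alice@ourdomain.uk\n"
                "From: Alice <alice@ourdomain.uk>\n\nbody\n",
    "external": "X-Envelope-From: bob@example.net\n"
                "From: bob@example.net\n\nbody\n",
    "missing": "From: carol@OURDOMAIN.UK\n\nbody\n",
    "lookalike": "X-Envelope-From: it@ourdomain.uk.example\n"
                 "From: it@ourdomain.uk.example\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", check_message(raw))
```

The 'no-envelope-header' result is kept separate from 'ok' so that a sink ordering problem (the header not yet inserted when the check runs) shows up instead of silently passing.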
6

@Tim: Yes, setting the priority of SmtpEnvlIns to 1000 should do the job.

by Krisztian Fekete 7 years ago
(in reply to this post)

7

Where can I find this CDO OnArrival Event sink script? I really want the envelope information added into the header of the message that is delivered to Outlook. Thank you.

by Lester 7 years ago
8

@Lester: The script is available at http://www.vamsoft.com/downloads/smtpenvl.zip (Compatible with IIS 5/6, Exchange 2000 and Exchange 2003. Exchange 2007 and above are not supported. The script does not require ORF to function.)

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

9

Ahh, never mind. The http://vamsoft.com/downloads/smtpreg.zip *is* the script. It would be nice though if this was simply integrated into ORF as a configurable option. :) Thanks.

by Lester 7 years ago
10

I'm getting an error when I run the script:

E:\SMTPEnvelope>cscript smtpreg.vbs /enum > sinks.xt
E:\SMTPEnvelope\smtpreg.vbs(52, 1) Microsoft VBScript runtime error: ActiveX component can't create object: 'Event.Manager'

Any ideas? Doesn't seem to be a common google-able error either. I ran CMD as Administrator on a Win 2008 R2 with Exchange 2010. Thanks.

by Lester 7 years ago
11

Thanks Krisztian... Do you know of any 3rd party product or script that will work with Exchange 2010? I really want to get a hold of the envelope information and have it inserted into the headers of the incoming email. Any thoughts on this would be greatly appreciated.

Integrating into ORF would be best (since you already do Before-Arrival processing)... Thanks.

by Lester 7 years ago
12

@Lester: Unfortunately, I am not aware of any easy to implement solution for this for Exchange 2010 :( A custom Routing Agent in C# might do the job:

http://community.sendgrid.com/sendgrid/topics/is_there_any_way_of_getting_the_from_address_in_the_event_api

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)

13

@Lester: You receive this error because Exchange 2007 and later versions (including Exchange 2010) no longer rely on IIS SMTP and Event Sinks: instead, they use Transport Agents.

by Krisztian Fekete (Vamsoft) 7 years ago
(in reply to this post)
