Getting email headers from within an HTML email for tracking purpose - javascript

Posting question in StackExchange for first time. Apologies if this has issues...
Need to track email open.
This is something not very new and the approach generally used is to have a pixel in the HTML which calls a server URL asynchronously. By using this we get the number of opens for an email.
Now the issue is the email is send to a Distribution List (DL) and we have a requirement to track email open and also clearly state who has opened it..
Basically when a hit to server comes, it should says xxxx#mail.com has opened this email.
In my HTML if i have a way by whcih to capture the email headers, my requirement would be sorted... I would use Javascript to get the email headers and then when i call the server URL i will send across the details...
When i searched i found a POST which was doing something similar...
Read email headers in Outlook Web Access (OWA)
But this was for office application...
Also, i am not sure whether this would even work...
Any pointers is well appreciated....
I am specifically at the moment looking for exchange server...

In my HTML if i have a way by whcih to capture the email headers
You don't.
I would use Javascript to get the email headers
You can't run JavaScript in an HTML formatted email
The only identifying information you can get back from the email is the information you put it in it in the first place.
You can put a unique ID in a tracking pixel (increasing the chances of it being marked as spam) but that ID will be given to anyone who gets a copy of the email (including if it is forwarded automatically by a mailing list or manually by a reader). The tracking will also fire only if the image is loaded from the server (plenty of people keep email image loading turned off).
There is no way to find out who your email actually ended up with.

Related

adding inline image using Query String instead of public URL, Office365

I am adding inline image to Outlook body through compose message and came up with this issue. Here is the documentation for addFileAttachmentAysnc:
Office.context.mailbox.item.addFileAttachmentAsync(attachmentURL, attachmentURL, options, callback);
My attachmentURL is a query string that has image ID, user token, smtp:
http://namiq-pc/MailForms/api/GetAttachment?AttId=logo.png&MwToken=eteFIPebdPIKTLhfWKXDirp/rhdEVLmBxnKVU69mM36HgJCiINang8QDnB9w4ibKX6YG58esb1Kxa4oPw6s+QenADodv21An6/rjOkBIY1u5KObhrGhZFfOFRRD0+K7Q69J0VmL+6GY=&ReqId=HCYJ+G/WakTy/s1Hz5kURnU4cuANAb83lQ==&userSmtp=tw1621#mdev.org
Once I finish my compose form( a pop up window), I click finish which should add the image to the body. I should also mention that on my Controller, I am checking the IP of a user just to make sure they are allowed to make the request. When addFileAttachmentAsync finishes it sets img src to "cid:xxxx" and calls
Office.cast.item.toItemCompose(Office.context.mailbox.item).body.setSelectedDataAsync(body,{coercionType: "html", asyncContext: "set message body" }
When I click finish, text content is being added fine, I thin rendering image source forces it to go to my controller again and fails the IP check because now it is the Outlook making the request not the user(IP address of the request is in IPv6 format). (IP check has a list of potential users' IP addresses in 10.10.xx.xx format).
Now in my email body I get a broken image with my attachmentURL as a source and originalsrc is what I set
<div class="x_mw-images"><img src="http://namiq-pc/MailForms/api/GetAttachment?AttId=logo.png&MwToken=eteFIPebdPIKTLhfWKXDirp/rhdEVLmBxnKVU69mM36HgJCiINang8QDnB9w4ibKOnFdBCeOpo1Nr8bCtXa4vyQ5PI/bOg8yTI/qpY5HVNpPVBQJghdmnAfgR/WTaGk0hAiQn3237yU=&ReqId=IOyOCna5kLpAKN6EjFKuNExpYNANAb83lQ==&userSmtp=tw1621#mdev.org" alt="logo.png" height="100" originalsrc="cid:1528819032946.png" size="90196" style="user-select: none;"></div>
The way I understand is whatever you put a source Outlook overrides it with the attachmentURL and sets your "src" value as a original source. Checking the IP address is a crucial step for my case, any idea how to get around this issue or may be explanation of what I am doing wrong would help.
I figured out a solution to this issue. The way my code worked is, it first sends a POST request with user token and path. This POST request returns back file names that need to grabbed from sevrer. Then I call addFileAttachmentAsync with those filenames and some other details to help authentication.
http://namiq-pc/MailForms/api/GetAttachment?AttId=logo.png&MwToken=eteFIPebdPIKTLhfWKXDirp/rhdEVLmBxnKVU69mM36HgJCiINang8QDnB9w4ibKX6YG58esb1Kxa4oPw6s+QenADodv21An6/rjOkBIY1u5KObhrGhZFfOFRRD0+K7Q69J0VmL+6GY=&ReqId=HCYJ+G/WakTy/s1Hz5kURnU4cuANAb83lQ==&userSmtp=tw1621#mdev.org
I do IP check when addFileAttachmentAsync makes the GET request to the server. This step succeeds because of the IP safe list. In the case when IP check fails(which happens when compose form body is transformed to mail body), I am just making sure both POST and GET request are sent by the same address by comparing the hash of IPs.
Because the server makes the both requests in this last step, when everything goes right, they do match.You just need to carry POST request IP address throughout these steps(returning hashed IP from POST as a JSON) so you can compare it during GET.

How can I go to an html page while passing a hidden parameter using Javascript or jQuery?

Upon completion of an ajax call I would like to direct the user to an html page, but at the same time passing a hidden variable (this variable contains sensitive information and should not show up in the URL).
How can I accomplish this?
window.location.href = 'userpage.html?id=14253';
But with the id remaining invisible? Can I POST the id somehow while sending the user to userpage.html?
You should not be checking user credentials on the client side of your website. Regardless of how the ID is being passed to your script, it can be replicated without you being able to check if the request is valid.
To start being even remotely secure with what information is granted to a user, you need to be checking it via the server side. With every request, ensure the user is authenticated to view such data.
If I were you, I would look into using PHP sessions as the first line of defense for checking if a user is authenticated. Doing so will at least keep the information about a user out of a replicable space that can be viewed by the user.
Look up 'php session login tutorial' on Google and you will find plenty of simple tutorials which should get you on the right track.
Example Tutorial
No matter what, the information you pass along is insecure. You can submit a post request using XMLHttpRequest objects if you'd like (or use a framework/library to make AJAX calls) -- but the user could still spoof the data and get different results.
ID enforcement should be done in the backend. Does the requested ID match the ID of the user signed in? No? Don't show it. etc etc.

Zimbra mail server - Get Information about new incoming email

As you will all know that there are black list and white list in Zimbra mail server that will block or allow a new coming email. But it's quite inconvenient by this way to block an email. So I want to make a plugin in Zimbra mail server to filter email into spam and non spam category based on a list.
But the problem i met here is i can't get the information about a new incoming email address, here is email address and header. I've read some tutorials about writing a Zimlet, but it's all about making an action to get those information.
Can you guys tell me how to get those Information?
Thanks in advance :-)
This isn't, what Zimlets are made for. Zimlets are extensions to the Web UI. Perhaps it's possible to write a server extension for that, though I don't know currently, if there's an extension class for that.
I would use a "milter" for that. A milter is a way of "hooking" into the mail delivery process.
For an example, have a look at my "disclaimr"-milter: https://github.com/dploeger/disclaimr
Inside the milter you would use the Zimbra SOAP-API to fetch objects from the Zimbra server (lists for example).

Can I encrypt content so it doesn't appear in view-source, then show on pageload?

I've got a site where users extend their product trial with a registration code. They click a link (with a key in the URL) from an email, get to this site and a lightbox appears with their registration code. I'm currently displaying the registration code with HTML and hiding it with CSS. Once I check to make sure the URL has the correct key with javascript, I display the registration code. However, this means anyone can just view source on the page and copy the registration code. Is there a way to encrypt the code so it doesn't appear in view source, and then decrypt it if the URL has the correct key? It's one code per product, not per user, so I don't have to do any server side authentication.
If the computer knows it, the user knows it.
You can play obfuscation games, all of which amount to making your Javascript hard to read. But a sufficiently determined user will find it anyway, and once they do, they can easily share it with their friends.
One code per user is the only way to fix this reliably.
I check to make sure the URL has the correct key with javascript
Don't check the key client-side, validate the key on the server.
This is the only way to ensure only valid users get the registration code.
Pseudo PHP example:
if( validateKey($_GET['key']) ) {
echo 'The Registration Code';
} else {
echo 'Error';
}
Client Side Code is inherently insecure. Consider anything you send to a client machine public to the world, and don't trust anything that comes from the client until you cleanse it. A sufficiently determined user will de-obfuscate your code, regardless how much effort you put into the initial obfuscation routine.
Another tip to help you instead to show the registration code in the site you can send back an email to the user with the registration code.
And as Nemo suggest, the right way is one code for user
Hope it help
As mentioned before the client side will not cover your security needs.
Better would be to have the page send a Ajax request to the server containing the key, you can then respond with the registration code.
Even better would be to directly validate the key on the first request, then decide to return an error page or the page with the registration info.
As others have replied, doing this validation server-side is both easier and more secure.
You can have an AJAX request posting the URL key to a php page, that in turn would reply with the correct registration code.
That being said, there is always the possibility of using a client-side use encryption library (like AES), but from what i understand i don't think it would be a good approach to solving your problem.
Again, doing it on the server-side is both extremely easy and as secure as you need.
Encrypt your registration code (plus some magic cookie) with the key in the server before embedding it in your HTML. In your JavaScript, validate the key (which comes in the URL) by decrypting the registration code. If the magic cookie matches, then you get a valid key and you can display the registration code to the user.
View Source will only reveal the encrypted registration code. Without the key, the snooper has no way to extract the registration code.
This means that you'll have a unique key per registration code, which should be the case for your registration system. The key you send to the user in an email, embedded into a link which they click as you said.

"Was this helpful?" button

I'm wanting to create a "Was this helpful?" button, just with the options Yes/No. I don't have a database ready to receive the input, so, I'd just like each button to simply send an email to me if it was clicked. Maybe the email could just say, "a site user found this page helpful/unhelpful: [URL]".
I've coded email feedback forms in PHP before but can't think of where I'd start with this. I'm not sure if an email can be sent with just one click of a javascript button. Does anyone see this as a possibility?
You could use a library such as jquery to do an ajax post to a proxy PHP script:
$.post("/likedthis.php", { 'page': window.location.href},
function(data) {
// Deal with the post results here if you want
alert("Data Loaded: " + data);
});
Though one issue you will run into is people refreshing and clicking multiple times, potentially spamming you with email. A good basic protection against this is to set a $_SESSION variable or cookie with their IP address, and the page, so they can't keep clicking again and again.
Please note however that they can simply use another IP address, or say another page is helpful. However that would be a lot of work just for that.
Also for sanity purposes it would be a good idea to also check the page variable against parse_url() to be safe.
You cannot directly send an email through JavaScript. Here's one way you could do it:
Using JavaScript, add a click event listener to the button, which, when fired:
Disables the button, then
Sends an ajax request to the server, instructing the server to send the email
Using a cross-browser library will make writing the JS part of this simpler:
What cross-browser JavaScript libraries exist?
You wouldn't want to send an email in Javascript, even if you could. You'd need access to an SMTP server and you'd have to pass your credentials to that server. By using JS, your entire code will be client side and so your credentials would be easily obtainable. Are you able to use a server-side language?

Categories

Resources