pear mail not working - php

My use of Pear to relay one of our site's users ('sender') email to another user ('recipient') fails because the recipient user always receives the mail in their spam folder. For the explanation below, our website is called "oursite.com."
I have narrowed this down after 2 solid days of lots of experimenting to the "From" part of the 'headers' as follows (for the sake of this example, my name is Sam Hambone and I have no idea how the 'From:' in the title of the email is grabbing my name and using it as described below):
$senderEmail = "IamTheSender#gmail.com";
// this version of the 'from' variable makes the 'From' in the email's title
// look correct, like this: "IamTheSender#gmail.com (IamTheSender#gmail.com)"
// but when the recipient gets the mail, it will ALWAYS go into the 'junk'
// or 'spam' email folder of the recipient's inbox. NOTE: using angle brackets
// instead of parentheses here changes nothing.
$from = $senderEmail . " (" . $senderEmail . ")";
// this second version of 'from' makes the mail arrive correctly
// in the recipient's Inbox and not in their spam/junk folder, but
// the "From:" line in the email's title looks like this:
// "Sam Hambone (IamTheSender#gmail.com)"
$from = $senderEmail;
EDIT: here is what the email's title and headers look like using the 1st version of 'from' above -- in this case I sent an email to myself as the recipient:
'Sender has a question for you, Mr. Recipient!'
Sam Hambone (IamTheSender#gmail.com) << this is wrong -- it's mixing my (recipient)
real name with the sender's email address!!
To: sammyhambone#hotmail.com
From: IamTheSender#gmail.com
Sent: Fri 10/18/13 5:49 PM
To: sammyhambone#hotmail.com (sammyhambone#hotmail.com)
Here is the rest of the code -- this code successfully sends out the email, but by using one of the above versions of the from variable, I either find the email go to the recipient's Junk folder or the 'From:' part in the email's title is screwed up as described above:
require_once "Mail.php"; // PEAR Mail
$theRecipient = "aLoyalUser#hotmail.com";
$to = $theRecipient . " (" . $theRecipient . ")";
$subject = "the subject is Pear and emailing.";
$body = "Ach, megotts lads, comes the blarney stone.";
$host = "smtp.1and1.com";
$port = "25";
$username = "myAuthName#oursite.com";
$password = "12345";
$smtp = Mail::factory('smtp',
array ('host' => $host,
'port' => $port,
'auth' => true,
'username' => $username,
'password' => $password));
$headers['From'] = $from; // one of the two 'from' versions given above
$headers['To'] = $to;
$headers['Subject'] = $subject;
$mail = $smtp->send($theRecipient, $headers, $body);
// tried this, no help
$mail = $smtp->send($to, $headers, $body);
I need to get the Sender's email message to the Recipient's Inbox but the "From:" part of the email's title must not say "Sam Hambone (IamTheSender#gmail.com)".
What's missing here?

The best example of a website that probably everyone is familiar with is -- I have noticed that sites like Craigslist are always able to get emails routed to me when I place an ad to sell something (clothes, furniture, etc.)
There are other examples where a website 'relays' one of their user's email to my inbox successfully. That is what I was after, as that is what our site needs to do -- when a user needs to contact another user they send an email through our site (since that's how they came to be aware of the other user) and we need to relay their email to our other user.
No one (yet?) seems to have concrete experience on how to do this, so I'll close out this question in just a bit.

As you may or may not know, there is a war on spam *. This is because spammers are so prolific that they're using a significant amount of resources on servers like processing power (for filtering spam). They also threaten to ruin the usefulness of things like e-mail if we do not stop them. Therefore, because they're a major practical concern, there are all sorts of very sensitive spam filters across the internet that will put you in junk mail for reasons such as sending too many messages that bounce, sending to a particularly unlucky inactive e-mail address (called a spam trap), etc. It is conceivable that the anti-spam software that is running is using this particular e-mail from format as one of its heuristics to detect spam. It might be argued that using this as a heuristic is irrational or overly-sensitive, but as I've mentioned, the war on spam has resulted in some spam filtering mechanisms that are quite sensitive. If you want to do a test, perhaps try whitelisting the from e-mail address or turning off the spam filter(s) (in addition to server-side filters, e-mail clients and virus scanners may include some filtering abilities) and see if the spam filter is the culprit.
Update: Now that I am aware of the purpose of this e-mail software (to relay a message sent from the site from one user to another user, while presumably protecting their privacy) I can provide a better suggestion:
The notifications that I receive from websites to tell me that a user has messaged me simply contain the name of the website in the from line rather than a person's name. Example:
Website Name (no-reply#websitename.com)
(Note - it could be important to some spam filters that the website name in the from line matches the domain name exactly.)
If that doesn't seem to make it through the spam filter, I would try the following ideas:
Check out other "from" lines from other websites to see how they're doing it and try out any patterns you find.
Consider signing up with an e-mail reputation service to see whether they can help you.
Test to see whether this quirk is a big issue or a small one by determining which specific piece of spam software is flagging these, and then finding out how many users they have. You could also try sending these e-mails to a variety of other e-mail services to see whether they junk them. It may be that you have some old or unpopular spam filter here that's behaving in a way which actually is not indicative of what will happen to most of your e-mails.
Citation: "Spam Wars" by MIT Technology Review
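The From line suggested in the update, worked into the header array that PEAR Mail's send() takes, as an added example that is not part of the original answer. Putting the sending user's address in Reply-To is an assumption added here; SITE_NAME, SITE_FROM, build_relay_headers() and the sample addresses are hypothetical.

```php
<?php
// Added example, not code from the thread. SITE_NAME, SITE_FROM and the
// sample addresses are constructed placeholders.
const SITE_NAME = 'Oursite';
const SITE_FROM = 'no-reply@oursite.example';

/**
 * Headers for relaying a user's message: the site is the author of record
 * (From), the sending user is only the reply target (Reply-To, an assumption).
 * Returns null if either address is not one plain, valid address.
 */
function build_relay_headers(string $senderEmail, string $recipientEmail, string $subject): ?array
{
    foreach ([$senderEmail, $recipientEmail] as $addr) {
        // Control characters are refused outright, then the syntax is checked.
        if (preg_match('/[\x00-\x1F\x7F]/', $addr)
            || filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
            return null;
        }
    }
    // A subject is one header line: replace control characters with a space.
    $subject = trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $subject));

    return [
        'From'     => sprintf('"%s" <%s>', SITE_NAME, SITE_FROM),
        'Reply-To' => $senderEmail,
        'To'       => $recipientEmail,
        'Subject'  => $subject,
    ];
}

$headers = build_relay_headers(
    'sender@mail.example',
    'recipient@mail.example',
    'Question about your listing'
);
print_r($headers);

// With PEAR Mail loaded, the envelope recipient is the bare address:
// $smtp->send('recipient@mail.example', $headers, $body);
```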

Related

PhP's Mail Function Displays my CPanel Login Information

I am sending an e-mail from my php code when certain events occur (i.e., someone posts a reply to a message on my message board). I used this simple code:
mail('me#aol.com', 'Someone Just Posted a Reply.', 'Check the message board, because someone just posted a reply.');
The code executes and I do receive an e-mail. The problem is that when I get the e-mail, the "from" line in the e-mail gives away my cpanel login for my GoDaddy hosting account. I cannot seem to find anything on GoDaddy's site that explains how to disguise this or change this to just reflect the name of my website rather than give away my login to all users every time I send a push notification.
You have to use the headers in the PHP's mail() function's additional_headers parameters to add more stuff, but this may possibly cause deliverability issues.
This is typically used to add extra headers (From, Cc, and Bcc). Multiple extra headers should be separated with a CRLF (\r\n). If outside data are used to compose this header, the data should be sanitized so that no unwanted headers could be injected.
With the above being said, your updated code should look something like:
<?php
$headers = array(
'From' => 'webmaster#example.com', // Add your from address.
'Reply-To' => 'webmaster#example.com', // Add your reply to address.
'X-Mailer' => 'PHP/' . phpversion() // Optional stuff.
);
mail(
"me#aol.com",
"Someone Just Posted a Reply.",
"Check the message board, because someone just posted a reply.",
$headers // This way
);
Note: Make sure the above code is written in a single line. 😇

How to send email to groups in lotus domino server using PHP

I have code in PHP that sends emails to users and it's working as expected. I need help in figuring out how to send email to a group defined in Lotus Notes. So basically there is a group existing with some name such as DEV TEAM and if I type this directly, PHP throws 501 Syntax error, parameters in command..... So, is there a way to figure out how to retrieve the email address format for this group, or any other way to send emails?
I know with all you gurus here, I will get some solution definitely:).
Thanks for any help in advance.
Please let me know if I can provide any other details.
Code through which I am able to send emails to users but not to a group in lotus notes.
<?php
$to = "testuserto#domain.com";
$subject = "TEST EMAIL";
$message = "Hello! Its is test email.";
$from = "testuser#domain.com";
$headers = "From:" . $from . "\r\n";
$headers .= "Content-Type: text/html";
mail($to,$subject,$message,$headers);
?>
See my comment on your question. If my assumptions are correct, then the administrator of your Domino server must check the following:
DEV TEAM is a valid group in the Domino Directory, with type "Mail Only" or "Multi-Purpose".
There is no readers field on the DEV TEAM group that would restrict anonymous users from sending to it.
There are no mail rules or restrictions in the server's config document that prevent messages from being sent to the group.
The Internet Address field in the DEV TEAM group document in the Domino Directory has been configured. This should be a valid RFC-821 address, such as DEV_TEAM#yourDomain.com (This is probably optional, but it makes it easier to document the solution.)
Once you have confirmed the above configuration information, your code should use the value that was configured in Internet Address field of the DEV TEAM group in the Domino Directory. (I.e., DEV_TEAM#yourDomain.com)
My guess is that it has got very little to do with the fact that it's a Domino server. I assume the address(es) in $from or $to are malformed. See also http://www-01.ibm.com/support/docview.wss?uid=swg21105288, concerning strict RFC821 format, where '<' and '>' are required.
In any case, mail to "dev team#domain.com" won't work, the address is invalid.

Proper prevention of mail injection in PHP

Could you advise me how do I go about preventing email injection in PHP mail() without losing original message data? E.g. if I need to allow user to use \r\n, To, CC etc, so I do not want to completely strip them away from the message - I still want them delivered, but without adding any additional headers or somehow allowing mail injection to happen.
Most of the advice on the internet suggests stripping that data away completely - but I do not want to do that.
I am sending plain text (non HTML) messages through PHP mail() function.
What would you advise?
To filter valid emails for use in the recipient email field, take a look at filter_var():
$email = filter_var($_POST['recipient_email'], FILTER_VALIDATE_EMAIL);
if ($email === FALSE) {
echo 'Invalid email';
exit(1);
}
This will make sure your users only supply singular, valid emails, which you can then pass to the mail() function. As far as I know, there's no way to inject headers through the message body using the PHP mail() function, so that data shouldn't need any special processing.
Update:
According to the documentation for mail(), when it's talking directly to an SMTP server, you will need to prevent full stops in the message body:
$body = str_replace("\n.", "\n..", $body);
Update #2:
Apparently, it's also possible to inject via the subject, as well, but since there is no FILTER_VALIDATE_EMAIL_SUBJECT, you'll need to do the filtering yourself:
$subject = str_ireplace(array("\r", "\n", '%0A', '%0D'), '', $_POST['subject']);
Suppose you want to put the email address of the visitor in the optional header field like so:
$headers = "From: $visitorEmailAddress";
However, if $visitorEmailAddress contains "address#email.com\n\nBCC:spam#v1agra.com" you've made yourself a spam host, opening the door for mail injection.
This is a very simple example, but creative spammers and malicious hackers can sneak potentially damaging scripts in your email, since email is sent as a plaintext file. Even attachments are converted to plaintext, and they can easily send attachments by adding a mimetype content line.
If your form validation for the FROM and/or TO fields is OK, you have to look at the form validation for the body of the email. I'd strip out the '-=' and '=-' characters, and prevent users from typing plain HTML by using strip_tags().
Try this for a review of various options:
http://www.codeproject.com/Articles/428076/PHP-Mail-Injection-Protection-and-E-Mail-Validatio
It covers several options and tries to explain the benefits and risks of each.
Use a designated mime email library, like Mail_Mime:
<?php
include 'Mail.php';
include 'Mail/mime.php' ;
$mime = new Mail_mime();
$mime->setTXTBody("Message goes here");
$hdrs = $mime->headers(array(
'From' => 'you#yourdomain.com',
'Subject' => 'Test mime message'
));
$body = $mime->get();
$mail = Mail::factory('mail'); // no reference assignment needed for the returned object
$mail->send('postmaster#localhost', $hdrs, $body);
?>

Amazon SES email spam marked

I'm using Amazon SES to send bulk emails to my users. Some emails are marked as spam though. What can I do to mitigate the spam marking?
code in PHP:
$ses = new AmazonSES();
$destination = array();
$destination['ToAddresses'] = $email;
$message = array();
$message['Subject.Data'] = "Domains: $contactsName have made a descision";
$message['Body.Text.Data'] = '';
$message['Body.Html.Data'] = " Hi $firstName!
</br>
</br>
$contactsName have made a descision regarding $title at $link
</br>
</br>
Sincerely,
</br>
</br>
The Domain Team";
$message['Body.Html.Charset'] = 'utf-8';
$response = $ses->send_email('info#domain.com', $destination, $message);
There are many questions around this which will affect your spam reputation, but some quick ones:
How many users are you sending to (approximately)?
Do you always send emails to these users from this IP address?
Have your users opted-in to receive emails? Do they have an ongoing email relationship with you? Do they normally read emails that you send to them, or just delete them without looking?
Is your HTML valid? (From the above example, it appears that no - it should be <br/> not </br>.)
These are a few quick questions. The best quick advice I can give you is to make sure the users are opting-in, and encourage them to add you to their friend list. Try to send every email communication between you and them from Amazon SES.
I am not familiar with Amazon SES, but I will have an attempt at this one.
There is an interesting discussion, specifically dealing with email sent through Amazon SES and getting marked as Spam here - AWS Forum: "Email marked as spam CLOUDMARK"
Along with the points raised there, a couple of suggestions:
Always include a Text version of the content, some spam filters may interpret HTML-only emails as more likely to be spam (which they often are), plus some users may only have text-based email clients (some mobile users, etc.)
Check your spelling. Incorrect spelling is normally a dead giveaway for spam emails, and may result in people manually marking emails as spam without looking very closely.
(If possible.) Add a "From" Name. Again, if the email comes from a plain email address, rather than a Human-readable one which is appropriate to your message, it is more likely to look like spam (either to a filter or to a user).
Here is a suggested amended code (corrected spelling and HTML markup):
<?php
$ses = new AmazonSES();
$destination = array();
$destination['ToAddresses'] = $email;
$message = array();
$message['Subject.Data'] = "Domains: $contactsName have made a decision";
$message['Subject.Charset'] = 'UTF-8';
/* NOTE: Lines are broken for readability only */
$body = "Hi $firstName!<br>".
"<br>".
"$contactsName have made a decision regarding $title at $link<br>".
"<br>".
"Sincerely,<br>".
"<br>".
"The Domain Team";
$message['Body.Text.Data'] = str_replace( '<br>' , "\n" , $body );
$message['Body.Html.Data'] = $body;
$message['Body.Html.Charset'] = 'UTF-8';
$response = $ses->send_email('info#domain.com', $destination, $message);

PHP secure mail variables

Made a small contact form on php, it gets $_POST variables and mails to me.
<form action="/myscript.php" method="post">
Small piece of code:
$subject = trim($_POST['subject']);
$comment = trim($_POST['comment']);
mail($email, $subject, $comment, $headers);
$email is my mail address, $headers are usual.
There is no filtration for subject and comment. Can it be a potential security hole to my site?
My mail is placed on gmail.com. Can unfiltered mail from my site hurt me, when I open gmail interface in browser?
How should I filter all the variables? Maybe I wish echo some of them on my site, after sending an email. (like 'Thanks, %name% !')
No, it's not that dangerous. Gmail doesn't trust the e-mails you receive, otherwise every spammer would be able to compromise you.
However, it's a good practice to, at least, check if the variables exist and if their length doesn't exceed the maximum.
EDIT It's possible that old versions of PHP were vulnerable to e-mail injection attacks, as described here. It would not compromise your site and your e-mail client should be able to handle malicious e-mails safely, but could potentially turn you into a spam relay.
New versions do not exhibit this vulnerability, because all the control characters (those below 0x20) are sanitized. You can do the same sanitation like this:
$subject = filter_input(INPUT_POST, "subject", FILTER_UNSAFE_RAW,
FILTER_FLAG_STRIP_LOW);
if ($subject === false) { /* subject not given/not scalar; handle it */ }
Yes, it is dangerous: it is vulnerable to an attack called mail injection.
Though it cannot hurt your site, it can be used by spammers.
$subject = "Site feedback";
$comment = trim($_POST['subject'])."\n\n".trim($_POST['comment']);
mail($email, $subject, $comment);
This one would be safe.
Probably you could check http://swiftmailer.org/, a PHP mailer component library, in order to compare your solution with it. Swiftmailer is the mailer solution for frameworks such as symfony-project.org.
Plain text is not an issue for a website; attachments are, but comment and subject would not create any problem on your server. Regarding Gmail, it has its own email verification; consequently it would be difficult for an email with a virus or similar to pass their analysis.
rgds.
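This thread and "Proper prevention of mail injection in PHP" above turn on the same separation: header fields are rejected if they contain control characters, while the plain-text body keeps its newlines. The following is an added example, not code from either thread; header_value(), prepare_message(), the length limits and the sample values are assumptions.

```php
<?php
// Added example, not code from either thread. Function names, limits and
// sample input are constructed.

/** Reject a value that could end its header line and start a new one. */
function header_value(string $value, int $maxLen): string
{
    if ($value === '' || strlen($value) > $maxLen || preg_match('/[\x00-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('header value rejected');
    }
    return $value;
}

/** Validate the header fields; leave the content of the plain-text body intact. */
function prepare_message(string $from, string $subject, string $body, bool $directSmtp = false): array
{
    $from = header_value($from, 254);
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a single e-mail address');
    }
    $subject = header_value($subject, 200);

    // The body may contain newlines and text such as "Cc:"; after the blank
    // line that ends the headers it is only text. Normalise endings to CRLF.
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", $body);
    if ($directSmtp) {
        // Dot-stuffing from the answer above, for mail() talking to SMTP directly.
        $body = preg_replace('/^\./m', '..', $body);
    }
    return ['headers' => ['From' => $from], 'subject' => $subject, 'body' => $body];
}

// Constructed inputs: a payload shaped like the one quoted above, then a benign message.
$samples = [
    ["address@email.example\n\nBCC:spam@spam.example", 'Hi', 'text'],
    ['visitor@mail.example', 'Question', "Line one\nCc: this stays in the body\n.dot line"],
];
foreach ($samples as [$from, $subject, $body]) {
    try {
        $msg = prepare_message($from, $subject, $body);
        echo "accepted: ", json_encode($msg['body']), "\n";
        // mail($to, $msg['subject'], $msg['body'], $msg['headers']);  // array headers: PHP >= 7.2
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```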
