How to check if a received email is legit? - php

I'm developing a system which gets emails from a pipe, verifies that the email address the email was sent from is in the client database, and writes it into the database.
The problem is that I don't want to have security issues, and if someone sends an email with PHP to the system, it will log it too. So, how can I check if the email was sent by the proper mail server? I was thinking of getting the IP of the mail server of the domain and verifying in the email headers that it was sent from this server. So, if I got an email from test@hotmail.com, it would ping mail.hotmail.com and check if the email came from this IP address.
Anyway, if someone has a custom domain like yourdomain.com, running on a shared cPanel server, other people on this server could send emails with PHP and pass the IP verification. So, I was thinking of checking if the email was sent with PHP or from a mail server, but I don't know how to do this.
What is your suggestion?

I was thinking of checking if the email was sent with PHP or from a mail server
You will not normally be able to tell the difference between these two. An email sent with PHP can look exactly the same as an email from a mail server, and it is likely that an email sent with PHP is also an email from a mail server.
You can try to write your own detection (your own filter) based on the monitoring you do and on finding out about wrong mails (or those reported back by your users if you cannot monitor the emails deeply because of legal regulations).

I found http://verify-email.org/ for you. They have an API so you can check the email address with that service.
EDIT
When you check an email address on the website you see this result:
MX record about gmail.com exists.
Connection succeeded to alt3.gmail-smtp-in.l.google.com SMTP.
220 mx.google.com ESMTP tz3si2159695bkb.62 - gsmtp
> HELO verify-email.org
250 mx.google.com at your service
> MAIL FROM: <check@verify-email.org>
=250 2.1.0 OK tz3si2159695bkb.62 - gsmtp
> RCPT TO: <test@gmail.com>
=550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 tz3si2159695bkb.62 - gsmtp
You can build your own check by logging in to an SMTP server and sending the commands you see above:
> HELO verify-email.org
> MAIL FROM: <check@verify-email.org>
> RCPT TO: <test@gmail.com>
You can check for errors or success messages in the output you get. I think it's not difficult to build in PHP.

Eh, this is my first time answering anything so sorry if I misunderstood. Anyways, if you're doing a check for the email in PHP, I have something that might be able to help;
if (!empty($_POST['email'])) {
    $email = $_POST['email'];
    // Domains you accept; extend the list as needed.
    $allowed = array('gmail.com', 'yahoo.com', 'ymail.com');
    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
        // The domain is everything after the last "@".
        $domain = strtolower(substr(strrchr($email, '@'), 1));
        if (!in_array($domain, $allowed, true)) {
            echo 'Your response here...';
        }
    }
}
or for checking the email's characters, you can call a function or check it yourself;
function checkEmail($email) {
    // A-Za-z instead of A-z, which would also match [ \ ] ^ _ and `.
    return preg_match('/^[\.A-Za-z0-9_\-\+]+[@][A-Za-z0-9_\-]+([.][A-Za-z0-9_\-]+)+[A-Za-z]{1,4}$/', $email);
}
So it'd be something like;
checkEmail('email@domain.com');
That checks the input, and if it doesn't have the email characters, you can choose what to do.
Hope this helped!

Yes, there are many Email Verification tools out there. I personally like www.verifyemailaddress.org
But there are plenty of those tools to find.

Related

550 Unroute Address - Need Exim solution for all emails to come

I am getting an error which says "The response from the remote server was: 550 Unrouteable address".
My email host is valid and working well. But I need something like kjcnjkhb@abc.com.mydomain.com: when an email is sent to such an address, it should come to my admin email.
I've enabled "catch all", so if I put any random email like swejdnewkdn@mydomain.com, I get it in my admin email.
But I need the email when this kind of address is entered: dewdjkln@abcdne.com.mydomain.com.
I believe there are some settings to be done in Exim, maybe, to solve this. I need all emails which have my host to come to my email.
Thank you in advance
If the error you're describing, "500 Unroutable address", is being generated by the client, then the problem is that there is no DNS MX record for abc.com.mydomain.com. The client doesn't know what server handles abc.com.mydomain.com. Your mail server isn't even being hit.
You may need to configure your DNS with a catchall MX record. Something like this:
*.mydomain.com. 3600 IN MX 10 smtp.mydomain.com.

check to email is exists or no

I want to check the entered email address before registering. I found some solutions on SF, but these solutions say we should check the MX record or the SMTP port, and we have some fake emails like:
111111@gmail.com
some.email.address@gmail.com
and ...
When I check the gmail.com domain, this domain has an MX record and there is no problem, but these emails are fake!
Is there any way to ping an email address with PHP?
The only thing you can do is send a confirmation email, and ask user to click a link or provide a code you have sent in this email.
You CAN check for the existence without sending a mail.
After you get the MX record, you can use SMTP protocol to communicate with the server directly.
For example (the lines starting with > are input):
> telnet gmail-smtp-in.l.google.com 25
Trying 74.125.129.26...
Connected to gmail-smtp-in.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP pa10si7038694pbc.108 - gsmtp
> HELO
250 mx.google.com at your service
> MAIL FROM: <test@test.com>
250 2.1.0 OK rw3si4189390pab.9 - gsmtp
> RCPT TO: <notexists___@gmail.com>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 rw3si4189390pab.9 - gsmtp
If you replace notexists___@gmail.com with 111111@gmail.com:
> RCPT TO: <111111@gmail.com>
250 2.1.5 OK il2si7046221pbc.91 - gsmtp
In PHP, you can use socket functions to do the things above.
NOTICE: This approach may not work on some SMTP servers.
The only way I know to check email addresses is by sending an email to them.
Why do you need to check the e-mail address beforehand? You could just send them an "activation link", which also proves not only the existence of the address but also the person behind it.
You can send a confirmation mail, so that you know that the address works. If that is not an option, you can check if the domain actually exists. That way you disregard something@non_existing_domain.com
// or use ANY or for other see above link
if (checkdnsrr('non_existing_domain.com', 'A')){ echo 'Domain exists'; }
else { echo 'Domain does not exist'; }

How to detect if domain has catch all policy to accept email?

I am almost done with a tool to detect if an email is valid or not. I am stuck at a small point where I have to detect if the mail server or domain has a catch-all policy enabled.
Catch all: the mail server will accept all email even if the email address does not exist.
Thank you.
There is no 100% reliable way to detect a catch-all of a mail server you don't control yourself.
The most promising way is to generate a random address in the target domain which is definitely not used as a real account and send a test message.
If you don't get a reject while sending and no bounce to the envelope sender address of your script within a few minutes, there could be a catch-all involved. But it could also simply mean that the target server quarantined or dropped your message or that the bounce didn't make it back to you.
If you go down that road, make sure your tool generates valid messages, with all the necessary headers, has correct DNS/HELO settings, doesn't use any non-RFC SMTP shortcuts, etc. in order not to get filtered.
On a side note: if this tool is going to be public, make sure it's properly protected. Tools that automatically send mails are popular targets for abuse.
You can identify whether a domain is catch-all or not by using Telnet.
Create an invalid email address at that domain.
e.g.
Domain: example.com
Email address: dummyemail@example.com, invalid.email@example.com
How to Telnet:
Step 1 - Find the mail exchanger or mail server of example.com
Command:
nslookup -q=mx example.com
Response:
Non-authoritative answer:
example.com mail exchanger = 10 aspmx.l.google.com.
example.com mail exchanger = 20 alt1.aspmx.l.google.com.
example.com mail exchanger = 30 alt2.aspmx.l.google.com.
example.com mail exchanger = 40 aspmx2.googlemail.com.
example.com mail exchanger = 50 aspmx3.googlemail.com.
Step 2 - Now we know the mail server, so let's connect to it.
Command:
telnet aspmx.l.google.com 25
Response:
Trying 74.125.24.27...
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP z79si2772641pfi.381 - gsmtp
Step 3 - Enter helo hi
Command:
helo hi
Response:
250 mx.google.com at your service
Step 4 - The email address from which you telnet to the targeted email address
Command:
mail from: <emailaddress@gmail.com>
Response:
250 2.1.0 OK z79si2772641pfi.381 - gsmtp
Step 5 - The target email address which you want to validate
Command:
rcpt to: <targetemailid@example.com>
Response:
250 2.1.5 OK z79si2772641pfi.381 - gsmtp
If you got "OK" for an invalid email address, then that domain is a catch-all domain.
A catch-all domain in simple terms means, the server of that company will catch any email sent to that domain, even a non-existent address and store it in a section called the catch-all. When this happens, you have no clue if it’s a legitimate email address or not.
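The SMTP dialogues quoted in the answers above all come down to reading the reply to RCPT TO, and the catch-all test adds a second reply for a random control address. The following is an added example, not code from any of the posts, that parses such replies (including the multi-line 550-5.1.1 form) and turns the pair into a verdict; the function names parseSmtpReply and classifyRcpt and the sample replies are made up for this illustration.

```php
<?php
/** Parse one SMTP reply, which may span several "NNN-" continuation lines. */
function parseSmtpReply(string $raw): array
{
    $code = null; $enhanced = null; $text = [];
    foreach (preg_split('/\r?\n/', trim($raw)) as $line) {
        // "550-5.1.1 ..." continues the reply; "550 5.1.1 ..." is its last line.
        if (!preg_match('/^(\d{3})([ -])(?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$/', $line, $m)) {
            throw new InvalidArgumentException("Not an SMTP reply line: $line");
        }
        if ($code !== null && (int) $m[1] !== $code) {
            throw new InvalidArgumentException('Reply code changed inside one reply');
        }
        $code = (int) $m[1];
        if ($enhanced === null && $m[3] !== '') { $enhanced = $m[3]; }
        $text[] = $m[4];
        if ($m[2] === ' ') { break; }
    }
    return ['code' => $code, 'enhanced' => $enhanced, 'text' => implode(' ', $text)];
}

/** $target: reply for the address under test. $control: reply for a random,
 *  certainly unused address at the same domain (the catch-all check). */
function classifyRcpt(array $target, array $control): string
{
    $code = $target['code'];
    if ($code >= 400 && $code < 500) { return 'temporary-failure'; }
    if ($code >= 500) {
        // x.2.2 = mailbox full: the mailbox exists but cannot take mail now.
        if (substr((string) $target['enhanced'], 1) === '.2.2') { return 'mailbox-full'; }
        return $target['enhanced'] === '5.1.1' ? 'no-such-mailbox' : 'rejected';
    }
    if ($code < 200 || $code >= 300) { return 'unexpected-reply'; }
    // A 250 is only informative if the server refuses addresses that do not exist.
    $c = $control['code'];
    return ($c >= 200 && $c < 300) ? 'unknown-catch-all' : 'accepted-by-server';
}

// Constructed sample replies, modelled on the transcripts quoted on this page.
$ok      = "250 2.1.5 OK example-id - gsmtp";
$missing = "550-5.1.1 The email account that you tried to reach does not exist.\r\n"
         . "550 5.1.1 Learn more at the provider's help page. example-id - gsmtp";
$full    = "552 4.2.2 User has full mailbox.";
$cases = ['existing address' => [$ok, $missing], 'typo address' => [$missing, $missing],
          'catch-all domain' => [$ok, $ok], 'full mailbox' => [$full, $missing]];
foreach ($cases as $label => [$t, $c]) {
    echo str_pad($label, 18), classifyRcpt(parseSmtpReply($t), parseSmtpReply($c)), "\n";
}
```

Even the accepted-by-server verdict only says the server took the recipient; as the answers above point out, a confirmation mail is what shows that a person actually reads the address.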

How to Bounce E-mail Back with PHP

I am piping all e-mails through a PHP script that checks the To address against a database of valid addresses. If it exists, the rest of the script handles it. However, if it does not exist, how can I bounce the e-mail, the same way the server would if I didn't have the script? Thanks!
The mails are received through the SMTP protocol; in your case I also assume that there is some service running on port 25 which listens for requests for mail from external domains.
There are different ways to bounce the message:
-> Bounce at the SMTP level itself: when you get the recipient list, check for the ID's existence, and if it does not exist, give a 4xx response. The bounce mail would then be generated by the sender's domain automatically.
-> If you have accepted the mail from the domain, say gmail.com, then you will have to make a new connection to gmail with your bounce message; this is the same as sending a new mail from your server to gmail.com.
Turns out this was very easy to solve: Simply echo something in the PHP script (for example, "This account does not exist.") and the mailer daemon generates a bounce-back e-mail with this output included.

How to check if e-mail is full?

Is there any way to check the response for an e-mail's status in a PHP script? For example, if I have a PHP script which uses functions like $mail->Send(), is there any way to check the return statuses before sending this email? It would just check, or send a "fake" email or something, to know for example if the e-mail is full, or other errors like these:
Remote host said: 552 4.2.2 User has full mailbox.
Or something like this:
Remote host said: 550 5.1.1 Sorry, no mailbox here by that name.
Thank you.
I really doubt you could do that because it would mean that bad intentioned people could scan servers for email addresses.
