how to prevent phpmailer sending email with different "from" address? - php

I am asking this question just because I am curious, and probably it is a really dumb and very well-known thing, but I couldn't find an answer online:
Today I was helping a friend with his website. He asked me to prepare an HTML e-mail template that he can send via his website (e.g. www.myfriendswebsite.com) with PHPMailer. I prepared it and tested it on my domain/server by putting his e-mail address (e.g. info@myfriend.com) in the "From" part. I sent an e-mail to my personal e-mail address (e.g. myname@hotmail.com) via my website (e.g. www.mywebsite.com), and when I received the e-mail I realized I don't even see my domain's name or e-mail address (e.g. info@mydomain.com); instead I see my friend's e-mail address (info@myfriend.com). When I hit "reply" it replies to my friend's address; it looks like it has been sent from my friend's website directly. Of course, if I pull up the raw source I see the details of where I received the e-mail from, but what prevents someone else from using my e-mail address to spam people? I am pretty sure this is another way of spamming and hacking people's accounts, but is there a way to prevent that? It scared me a little and I didn't know where else to turn but Stack Overflow :)

For one, you should not send emails where the From: header is populated by user-supplied data; use the Reply-To: header for such purposes.
The reason you shouldn't do that is that inbox services such as Google Mail, Yahoo, etc. use the Sender Policy Framework (SPF) to determine whether the mail server that sent the message is authorized to send on a domain's behalf; you would risk messages sent from your server being recognized as spam and not delivered.
So, to answer your question: even though it's possible to masquerade as anyone's email address, it's getting increasingly difficult to get those messages delivered due to improving spam filters and blacklists, and doing so can even get your mail server blacklisted.

what prevents someone else from using my e-mail address to spam people?
Nothing. Imagine a postcard: what prevents someone else from using your address and sending postcards out into the world? Nothing.
The same is true for email, the postcard of the internet.

Editing your headers like this will/should fix the problem.
// $to, $subject and $message are assumed to be set earlier in the script
$headers  = 'From: info@myfriend.com' . "\r\n";
$headers .= 'Reply-To: info@myfriend.com' . "\r\n";
$headers .= 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
mail($to, $subject, $message, $headers);

Related

AOL Rejecting email sent via PHP mail (error 5.2.1)

Recently AOL has started rejecting emails sent from my production server.
Customers make product enquiries through my site and can "cc" themselves if they wish. I check for spam (e.g. don't send if the request contains banned phrases, URLs, etc.). However, recently, if the enquirer is an AOL customer, the message bounces:
<*removed!*@aol.com>: host mailin-04.mx.aol.com[64.12.88.132] said: 521 5.2.1 :
AOL will not accept delivery of this message. (in reply to end of DATA
command)
Email protocol is not my area of expertise! I just use the standard PHP mail() function and this has worked OK for years.
I have looked through the AOL Postmaster support pages and contacted AOL (which, obviously, was my first port of call, but they have yet to respond), plus I don't really understand the problem (which is 50% of finding the solution!).
http://postmaster-blog.aol.com/2014/04/22/aol-mail-updates-dmarc-policy-to-reject/
...it seems as though AOL are saying "we don't like the way that you send emails, sorry to inconvenience you..."
If anyone has any experience or specific insight into how to get AOL to accept emails then I would love to hear from you. I'm guessing that it could be something to do with how my emails are formed: this hasn't changed in years and (previously) I've had no reason to look at the code.
Here is an edited version of how I send emails...
// $supplier, $cleanArrayEmail, $msg and the ADMIN_EMAIL constant are set up in the omitted part of the code
$recipient = "\"$supplier[supplierName]\" <$supplier[supplierEmail]>";
$subject = "$supplier[supplierName] enquiry";
$headers = "MIME-Version: 1.0".PHP_EOL;
$headers .= "Content-type: text/html; charset=utf-8".PHP_EOL;
$headers .= "Reply-To: \"$cleanArrayEmail[realname]\" <$cleanArrayEmail[email]>".PHP_EOL;
$headers .= "From: \"Admin\" <".ADMIN_EMAIL.">".PHP_EOL; // a constant is not interpolated inside double quotes
if (!empty($_POST['cc'])) { $headers .= "Cc: \"$cleanArrayEmail[realname]\" <$cleanArrayEmail[email]>".PHP_EOL; }
mail($recipient, $subject, $msg, $headers, '-f'.ADMIN_EMAIL); // '-f' sets the envelope sender (Return-Path)
Many thanks
Steve
To the best of my knowledge, AOL indeed rejects mails which either claim to be from AOL (From header, DMARC) or are not from AOL but use an AOL address in the Reply-To header. However, I cannot say whether this is due to DMARC or not. I hence can confirm what Steve is saying; I noticed the same behavior in my application.
As soon as the Reply-To header is removed or changed to a non-AOL address, the mail is delivered correctly. It is however interesting to note that only the AOL customer who is put in the Reply-To field does not receive the mail. If there are other AOL addresses in the To header, those are delivered and not blocked.
I mentioned that I am not sure whether they reject it due to DMARC or not. An interesting hint can be found at the AOL postmaster blog post introducing DMARC. There it is explicitly recommended to use the Reply-To line and put the actual address in there. Further, mails rejected due to a failed DMARC check are normally rejected with an error code noting the failed DMARC check.
Ditto what waza-ari said (AOL will not deliver email that is sent from a non-AOL server with a Reply-To containing an AOL address), and this also applies to addresses containing a CompuServe address. I have heard it also applies to Hotmail & Yahoo addresses, but have not personally experienced that.
I have system code that emails 2 people if one of them accesses the other's research data (it's a collaborative research system, so users want to know if another person shares their interests). I prefer to have the Reply-To contain only their two addresses, as I don't need to be part of the subsequent conversation. However, I can't put an AOL/CompuServe address in the Reply-To field, as it will be rejected.
My solution is for the code to parse the user addresses and, if either is in one of those domains, substitute our site's "info@" address as the Reply-To address; the body of the email shows both users' addresses and tells them to email each other. This might not scale well to a larger customer base of users who ignore instructions and just hit Reply. It works well for me, but I probably generate less than 100 of these emails per month, and in a year of using this code I've never had someone accidentally reply to me. I use the same "parse and substitute" code in our contact form, where a user's email address would normally be inserted as the Reply-To.
AOL recently implemented DMARC rejection, as did Yahoo before them. What this means is that if your PHP code attempts to send an email that claims to be FROM a yahoo.com or aol.com address, it will not be accepted by the recipient's mail server, be it AOL, Yahoo, Gmail, or anyone else that supports DMARC.
Look at your email FROM address: is it AOL or Yahoo? If so then DMARC may be your problem; if not then it's probably something else. DMARC policies are set in DNS records for every domain; you can use this tool to check the DMARC policy for your FROM domain:
https://dmarcian.com/dmarc-inspector/aol.com

php mail function failed to send html email to hotmail and aol address

I created an HTML newsletter and I want to use the PHP mail() function to send the newsletter to the customer email addresses in the user database. Before doing it, I tested several addresses, including Gmail, Hotmail, AOL and Yahoo. Gmail and Yahoo instantly received the HTML format email and everything worked well (style and images displayed as designed); however, Hotmail and AOL did not receive anything. I tested sending a simple text email using mail() to Hotmail and AOL, and after waiting for a long time (one night) they were able to receive the text format email. So I don't know what is wrong with Hotmail and AOL. Has anyone had the same issue, and do you know how to fix it?
Here are my header settings:
// $email (recipient) and $message (the HTML body) are set earlier in the script
$subject = 'News Letter';
$headers = "From: sales@example.com\r\n";
$headers .= "Reply-To: sales@example.com\r\n";
$headers .= "Return-Path: sales@example.com\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-Type: text/html; charset=ISO-8859-1\r\n";
mail($email, $subject, $message, $headers);
Make sure your $message is proper HTML and includes the tags as well. You can try sending a real email message; some of the larger companies will block spam messages. If your message is just "test" or "testing" then you may never get it. You may also have issues with being blocked if you are sending from a shared hosting server or IP.
A sure fix is to set up an actual email account, and send mail through there using SMTP.
Here's an answer with SMTP using PHPMailer:
Sending email with PHP from an SMTP server
Check if you have set up SPF records for the domain that you use in the From: header.
As spam protection, those services may check whether your server is allowed to send e-mails for that domain (setting up SPF records solved my problem of Google marking mail sent by my server as spam; AOL or Hotmail may be more restrictive...).
More info about SPF records can be found here: https://en.wikipedia.org/wiki/Sender_Policy_Framework
Also check out DKIM: https://en.wikipedia.org/wiki/DKIM which may also help in guaranteeing e-mail delivery.
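The SPF/DKIM advice here and the DMARC rejections discussed under the AOL question above come down to one receiver-side check: the From: domain's DMARC policy is looked up, and the message only passes if SPF (evaluated on the envelope sender, not the From: header) or a DKIM signature is both passing and aligned with that From: domain. The Python sketch below of that decision is an added example, not code from any of the posts; the records in DNS_TXT are constructed, bigmailer.example stands in for a provider that publishes p=reject such as AOL or Yahoo, and only the ip4/ip6/all SPF mechanisms are handled.

```python
import ipaddress
# Constructed DNS TXT data standing in for real lookups (example values, not real records);
# bigmailer.example plays the role of a provider publishing p=reject, as AOL and Yahoo do.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example.com": "v=DMARC1; p=none",
    "_dmarc.bigmailer.example": "v=DMARC1; p=reject; aspf=r; adkim=r",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(envelope_domain, sender_ip):
    """Minimal SPF: ip4/ip6 mechanisms and 'all'; include/a/mx are skipped in this offline example."""
    record = DNS_TXT.get(envelope_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIER[qualifier]
        if term.startswith(("ip4:", "ip6:")) and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIER[qualifier]
    return "neutral"

def org_domain(domain):
    """Organizational domain, crudely the last two labels (real DMARC uses the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])

def dmarc_policy(from_domain):
    """DMARC record of the From: domain, falling back to its organizational domain; None if absent."""
    rec = DNS_TXT.get("_dmarc." + from_domain) or DNS_TXT.get("_dmarc." + org_domain(from_domain), "")
    tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return None
    return {"p": tags.get("p", "none"), "aspf": tags.get("aspf", "r"), "adkim": tags.get("adkim", "r")}

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(from_domain, envelope_domain, sender_ip, dkim_domain=None):
    """Receiver-side disposition: 'accept', 'quarantine', 'reject', or 'none' when no policy exists.
    dkim_domain is the d= of an already verified DKIM signature, if any (signature checking not shown)."""
    policy = dmarc_policy(from_domain)
    if policy is None:
        return "none"
    spf_ok = spf_check(envelope_domain, sender_ip) == "pass" and aligned(from_domain, envelope_domain, policy["aspf"])
    dkim_ok = dkim_domain is not None and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "accept"
    return "accept" if policy["p"] == "none" else policy["p"]
```

With these records, a message with From: someone@bigmailer.example sent from example.com's own server passes SPF for example.com but is still rejected, because the passing identifier is not aligned with the From: domain; the same message with From: on example.com is accepted.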

correct email FROM header usage

I want to let users share information on my site by sending an email to a friend. Before I go too far I want to make sure I won't get blacklisted for doing something incorrectly.
If my domain is example.com, can I set the mail FROM header to the email address supplied by the user?
For example, I want to share a page at example.com with my friend Bob. Bob's email address is bob@domain.com and my email address is me@anotherdomain.com. When example.com sends an email to Bob (bob@domain.com) it will set FROM to my email (me@anotherdomain.com).
Is this an issue since the email is being sent from example.com but the FROM header contains a domain other than itself?
The following would be sending from example.com:
$to = 'bob@domain.com';
$subject = 'Some subject';
$msg = 'Some message';
$headers = 'From: me@anotherdomain.com <me@anotherdomain.com>' . "\r\n"; // header lines end in CRLF, not "\n\r"
mail( $to, $subject, $msg, $headers );
Or do I need to do something like the following?
$headers = 'From: me@anotherdomain.com <share@example.com>' . "\r\n";
Any and all help will be greatly appreciated.
There are multiple email headers that give some indication of who "sent" an email and who to reply to. A fairly good, casual writeup of the concept can be found on the page discussing how FormMail handles things.
In general, the Sender is the actual originator of the email message. The From Address, in contrast, is simply a header line in the email that may or may not be taken to mean anything. The From Address can often be left out completely. Spammers can easily spoof the From Address. ISPs try to ensure that spammers cannot spoof the Sender.
It sounds like what you might want is:
Sender : your site/program
From : either your site or the user
Reply-To : the user
What you write in the From header isn't that relevant. What is important is that you use an envelope sender address from your domain; this is what is checked against SPF, for example. If you want the recipient to be able to reply to me@anotherdomain.com you need to add a Reply-To header as well.
No, it really DOESN'T matter which From: header has been set on the email.
Why didn't you try it?
Many, if not most, email servers are not registered for a specific domain; the bigger issue is whether your server correctly identifies itself (having a reverse lookup entry can help), and make sure it's not blacklisted. You can use a service like http://www.dnsbl.info/ to check.
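Putting this answer and the first answer on this page into code (From: fixed to the site, the user only in Reply-To:, the envelope sender on the site's own domain), as an added Python example that is not from any of the posts; example.com and share@example.com are assumed values, and the address check is there so that a user-supplied name or address cannot carry a line break that would start an extra header.

```python
import re
from email.message import EmailMessage
from email.utils import formataddr, parseaddr

SITE_DOMAIN = "example.com"            # the sending server's own domain (assumed value)
SITE_SENDER = "share@" + SITE_DOMAIN   # used as the From: address and as the envelope sender
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

def clean_user_address(name, address):
    """Validate a user-supplied display name and address before they go into a header.
    Rejects CR, LF and NUL (a line break inside a header value would start a new header)
    and anything that is not a plain addr-spec; returns the 'Name <addr>' form."""
    for value in (name, address):
        if re.search(r"[\r\n\x00]", value):
            raise ValueError("control character in header value")
    _, addr = parseaddr(address)
    if addr != address or not ADDR_RE.match(addr):
        raise ValueError("malformed address: %r" % address)
    return formataddr((name, addr))

def build_share_mail(user_name, user_email, to_addr, subject, body):
    """From: and the envelope sender stay on our own domain, so SPF and DMARC are evaluated
    against a domain we control; the user only goes into Reply-To:, so replies still reach them.
    Returns (envelope_sender, message)."""
    if not ADDR_RE.match(to_addr):
        raise ValueError("malformed recipient: %r" % to_addr)
    msg = EmailMessage()
    msg["From"] = formataddr(("Example Share", SITE_SENDER))
    msg["Reply-To"] = clean_user_address(user_name, user_email)
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    return SITE_SENDER, msg

def send(smtp, envelope_sender, msg):
    """smtplib.SMTP.send_message takes the envelope sender separately from the From: header,
    which is the same split PHP's mail() exposes through its fifth '-f' parameter."""
    smtp.send_message(msg, from_addr=envelope_sender)
```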
Most hosts with dynamic IPs are considered suspect, but even a dedicated VPS can be listed, so it's worth checking. You should also correctly format the headers as outlined in some of the other responses. If this is for a critical application (e.g., you are charging people and they expect to get mail), you should consider a 3rd-party SMTP which should take care of making sure you don't get blacklisted.

Change mailed-by header in PHP mail

I've configured several headers in the mail() function, sender name and other fields appear as set. But, in the gmail mailed-by field, I see the hostname of my server, even though I've set the Mailed-By header to be different... Is there a way to change this, or am I specifying the wrong header to effect the change?
Current headers:
From: no-reply@example.com
Mailed-By: Example.com
X-Mailer: Example/1.0
If you post the headers you are sending it will be easier to diagnose the issue. But the header should be "X-Mailer" to set the application mailed-by field, as far as I know. If that does not work, post your current headers and we can help you further / better.
EDIT:
Doing some further research, it seems the 5th parameter with the "-f" flag would be the way to do it:
mail($to, $subject, $body, $headers, '-fnoreply@yourmailer.com'); // arguments are to, subject, body, headers, extra sendmail parameters
That is a possibility. That is generally an email address, so you would have to see what values it accepts, etc. I found this information on the Joyent Discussion Board.
But reading that it may not be what you want.
-fname Sets the name of the "from" person (i.e., the sender of the mail). -f can only be used by "trusted" users (normally root, daemon, and network) or if the person you are trying to become is the same as the person you are.
From the sendmail Man page. I will see if I cannot strum anything else up.
It sounds like that mailed-by header was added by your mail transfer agent, or gmail, after it left PHP. Sounds like it may be a security measure so abuse reports can be tracked down.
I don't know if this has been solved as it's old but I had the same issue on a contact page from my website. We wanted club members to be able to use a form to contact the officers. But I wanted it to look like it came from the e-mail address the user entered so the officer could respond directly. I found this code and modified it for my site.
$headers = "From: <$email> \n";
$headers .= "X-Sender: <$from>\n";
$headers .= "X-Mailer: PHP\n";
$email is the address the user entered. I can't say I understand it all but it solved my issue.
You cannot set the mailed-by field on your own.
You have to publish your SPF record and should have a DKIM signature for this.
For extra information click on this link:
https://support.google.com/mail/answer/180707?hl=en

Signup with email authentication, only 30% are activated?

I am using PHP and MySQL, and my site is in Flash (full Flash site).
I have a website which lets users sign up. The signup process includes sending an "activation email"; the user clicks a link to activate the account.
The first two weeks were fine. Out of around 2000 users, 1800 users were activated. After that, the activated users dropped drastically, to about 30%. Example: 1000 users signed up, only 300 were activated.
At first, I found the problem was that the email could not reach Ymail, MSN and Gmail users. (Most of my subscribers are Ymail (Yahoo), Hotmail/MSN (Live) and Gmail.) I tried signing up using Ymail and Hotmail, but I didn't get any activation email. I contacted Yahoo and MSN, and eventually my email can go through now.
However, my signup statistics still show that the activated users are only about 30%, which confuses me a lot. I contacted my hosting company and asked them to whitelist my IP. And they did it.
I need your advice/help on following questions:
How do I check where the problem lies? Is the email not delivered? Does the user receive the email but not click the activation link?
I am using the PHP mail function, and these are my headers:
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=UTF-8' . "\r\n";
$headers .= 'From: Admin <admin@domain.com>' . "\r\n";
$headers .= 'Return-Receipt-To: Bounce <bounce@domain.com>' . "\r\n";
$headers .= 'Reply-To: Admin <admin@domain.com>' . "\r\n";
$return_path = "bounce@domain.com"; // the original had a stray backslash before the closing quote, which is a syntax error
(I hid my domain name, and I added backslashes within the emails, because otherwise the email won't show here, weird)
Is there anything wrong with the headers?
What can I do to improve my registration/signup activation process?
You should pass your return path as the "-f" parameter of the mail() function:
mail(
    $this->recipient,
    $subj,
    $this->body,
    $this->compose_headers(),
    '-f ' . Options::obj()->mail->return_path);
Also, for the best results, if the sending server has a public domain name example.com, the return path should be something@example.com.
Anyway, you should definitely check the logs (/var/log/mail*) to know exactly what's going on.
Try using Gmail as your SMTP server instead of a mail server like sendmail on your domain. Using Gmail SMTP would kind of ensure that your mails are sent with best-effort surety. Also, Gmail would not be treated as spam unless the email ID is marked as spam (so try using one which is safe). To improve signup-to-activation throughput, your best bet is to ensure that the email is reaching the user's inbox.
As a safety net you can have a feature which allows the user to resend the activation link if the first one failed for some reason.
If you are uncomfortable using Gmail as SMTP, you can sign up your domain with Google Apps (but that might require changes in business needs) and you can have an admin@domain.com kind of email and still use the efficient Gmail SMTP servers.
There are many libraries out there like PHPMailer which allow you to use external SMTP servers. Note that all data through Gmail servers goes via SSL or TLS.
Do you have access to the log files of the email server sending out the registration emails? Any bounced emails normally go back to the sending server. By monitoring the log files you can check and see what number of emails (if any) are still getting bounced back.
What kind of access do users have to your web site without an activated email address? Are any features disabled? Are there any incentives to activate or use a real email address?
Your example doesn't show a Date header, which is a required field. In my experience some mail handlers reject emails that don't have one (and some just add one with the current date). If your actual code doesn't have one then try adding one and see if it makes a difference.
Search for RFC 2822 for information on what is required.
