I would like to know how email services such as Hotmail and Yahoo confirm that the "From" header was not spoofed. I mean, that you didn't try to send an email on behalf of someone else.
I was now trying to spoof on Facebook Messages, using a PHP script to send an email to my @facebook.com email, spoofing the "From". I received it on behalf of that friend's account. However, an alert saying "Unable to confirm --Friend Name-- as the sender." appeared.
What does Facebook (and other services) do to confirm that?
Please note that extensions (emailname+extension@mydomain.com) would not work for me. My idea is to simulate something similar to Facebook Messages' support for emails.
I believe that just checking headers is not enough. I assume I'll have to check DNS/SPF stuff, but I'm not sure how to do that, and even what to do.
It would help me a lot if you could point me to some "algorithm" (preferably in PHP) with steps to check for spoofing. Thank you!
As a domain owner you can implement SPF into your DNS zone. It allows you to set IP addresses of servers that are allowed to send mail on behalf of your domain. If another IP tries to send mail with your domain name as sender, it will be rejected by any mailserver that checks for SPF (and luckily, more and more start doing so!). There is never a hard guarantee that no one will ever send spoofed mail out of your name, but it significantly reduces the chance.
As Oldskool suggests, SPF is a widely used method for detecting falsified From (and Reply-To) addresses; however, most email providers use a much wider barrage of checks to separate spam from ham.
SpamAssassin is an open source project providing both a management program and a set of plugins (and an API for developing your own), including SPF, for validating emails.
I've run into a quirky GSuite/Gmail deliverability issue from a PHP mail() form on one of my websites. Here's the scenario in as much detail as I can give:
We have two businesses (A and B), each with its own domain. Both domains are set up in our corporate GSuite instance with BusinessA.com being primary.
I recently built a new website for BusinessB.com. The contact form on the site is programmed with PHP's mail() to email the form responses to 2 BusinessB.com addresses; however, the emails are not coming through. We've done the obligatory spam checks, and I've set up a new test account for BusinessB.com (testb@BusinessB.com). No BusinessB.com form responses make it to the inbox. (Regular inbound and outbound email is working properly.)
To troubleshoot I added my BusinessA.com email along with an external (non-GSuite) Gmail address to the recipient list, both receive the form submissions with no issue.
Next, I added the alias testb@BusinessA.com to the testb@BusinessB.com test email address. When I add this alias to the recipient list, the form submission also comes through with no issue.
Last, I tested an existing BusinessA.com GSuite Group that forwards to the two original BusinessB.com addresses. The form responses sent to this group forward on to the two original recipients with no issue at all. (This is currently in place as a work-around, but I still need to resolve the issue)
Since the BusinessA.com address, the external Gmail address, the alias address, and the Gsuite Group all receive the email, I don't believe it is a result of a coding error.
It is important to note that prior to Business B's new domain and website they had a different domain, which resides also on the same hosting provider and is also set up as a domain in our corporate GSuite instance. There had been no form deliverability issues previously.
This leads me to believe it is something in GSuite on the domain level.
Are there domain specific settings that I am missing? Could it be a DNS record is needed? Am I thinking through this wrong?
UPDATE - solved the issue. After multiple additional attempts at rephrasing my search, I ran across this: can't send email to addresses at my own domain; while not the same question per se, @user2428118's answer did the trick. It was a setting in cPanel that made the difference. I already had the MX records that he mentioned, so it was as easy as selecting the option of 'remote mail exchanger'.
I'm using Mandrill to send e-mails in my PHP project and integrated it via the API. So far so good: e-mails go out and reach their recipients, but something bothers me about the missing SPF and DKIM entries.
When the e-mails are opened in Outlook the "on behalf of" issue occurs (FAQ from Mandrill's KB). But I can't fix this, since too many of our customers do not have the necessary skills/access rights to create an SPF entry for their domain, so we learned to live with that.
We verified our own domain at mandrill to use it as custom sending-domain to get rid of the
from: reallyLongString@mandrillapp.com on behalf of customerName@customerDomain.com
and exchange it with
from: mailbot@ourDomain.com on behalf of customerName@customerDomain.com
but somehow I can't get this to work!
I cannot find an option to set "mailbot" as sender. Even worse, Mandrill makes up a fantasy e-mail address consisting of customerName@ourDomain.com. If some customer gets the idea to send to this address we've got a disaster upcoming. Also the API does not specify anything like that in the "Messages" section.
How can I configure mandrill to send E-Mails with a from-field appearing in outlook like this:
mailbot@ourDomain.com on behalf of customerName@customerDomain.com
? Really cannot find anything in the docs or the web. Thanks in advance!
As Sanuel Jackson already indicated, there is no way to do this WITHOUT doing the whole certification process of creating a SPF entry.
Also confirmed by Mandrill support (which was quite fast AND competent in responding).
I'm now sending with a proper Reply-To address and hope that our customers' customers ignore the funky e-mail addresses... In case they do mind them, our customers are free to engage us regarding an SPF entry ;-)
This has been asked over and over and still no good solution!
When someone sends an email using php and placing another domain in "from" it will end up in spam.
Solutions normally are:
- Use your "from" and place the domain you want in the "reply-to";
- Have your domain whitelisted by main mail services.
The 1st isn't really a solution and I was never able to make the 2nd work, because it's impossible to reach hotmail.com, yahoo.com, etc.
I see lots of sites today having the option to email article to someone from the user email. How can I achieve this?
Thx,
Telmo Cardoso
When someone sends an email using php
and placing another domain in "from"
it will end up in spam.
This is not necessarily true.
Check which mail servers identify your message as spam. Also check with your hosting company for their preferred method to send out mail.
Try to be straightforward with your message. Offer the users a short textarea (with your default message), which they can change and customize. Also give them the possibility to enter the real names of the participants with their e-mail addresses.
Just be sensible and your messages will go through.
Send the email from your webserver and add a reply-to header like you have mentioned.
Make sure you have SPF setup for your server to help get yourself into the gMail, Live Mail and Yahoo accounts.
A nice and cheap alternative is to send your emails via Amazon SES to avoid having to warm your own IPs etc.
I would go with Amazon SES (or a similar service) and leave the worrying about getting the server setup right to the experts. Make ensuring deliverability someone else's problem.
This article is a nice starting point:
http://www.codinghorror.com/blog/2010/04/so-youd-like-to-send-some-email-through-code.html
The problem is related to the header of the email, not necessarily the 'from' address domain. Some spam filters (i.e. cox.net incoming spam filters) will perform a reverse lookup on the IP address that the email came from. If the domain name returned on the reverse lookup is not the domain name of the sending address, then they will likely mark it as spam.
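The reverse-lookup check described in this answer, written out as an added example (not code from the answer or from any mail provider): a forward-confirmed reverse DNS check on the connecting IP, compared against the domain of the From address. The PTR and A lookups are injected callables so the block runs offline on constructed data; in production they would wrap gethostbyaddr() and gethostbynamel(). Assumes PHP 8 for str_ends_with().

```php
<?php
// Added example, not from the answer above: forward-confirmed reverse DNS (FCrDNS) for the
// connecting IP, then a comparison with the From domain. $ptr and $forward are injected
// lookups so the logic runs offline; wrap gethostbyaddr()/gethostbynamel() in production.
function senderHostMatchesDomain(string $ip, string $senderDomain, callable $ptr, callable $forward): bool
{
    $host = $ptr($ip);                     // PTR name for the IP, or null when there is none
    if ($host === null) {
        return false;                      // no reverse record at all: treat as unverified
    }
    if (!in_array($ip, $forward($host), true)) {
        return false;                      // PTR claims a name the forward lookup does not confirm
    }
    $host   = strtolower(rtrim($host, '.'));
    $domain = strtolower($senderDomain);
    // The sending host is normally the From domain itself or a subdomain of it (mx1.example.com).
    return $host === $domain || str_ends_with($host, '.' . $domain);
}

// Constructed DNS data (RFC 5737 addresses): 203.0.113.5 is a genuine example.com relay;
// 198.51.100.9 carries a PTR naming example.com that no forward record backs up.
$ptrTable = ['203.0.113.5' => 'mx1.example.com', '198.51.100.9' => 'mx1.example.com'];
$aTable   = ['mx1.example.com' => ['203.0.113.5']];
$ptr      = fn (string $ip): ?string => $ptrTable[$ip] ?? null;
$forward  = fn (string $host): array => $aTable[$host] ?? [];

var_dump(senderHostMatchesDomain('203.0.113.5', 'example.com', $ptr, $forward));  // confirmed relay
var_dump(senderHostMatchesDomain('198.51.100.9', 'example.com', $ptr, $forward)); // forged PTR
var_dump(senderHostMatchesDomain('203.0.113.5', 'gmail.com', $ptr, $forward));    // From domain differs
```

A mismatch is a spam signal, not proof of forgery: legitimate mail relayed through a third-party provider fails this test, which is why the answer frames it as one filter input among several.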
I have a website, example.com, hosted at GoDaddy. I was just messing around with PHP's mail function and uploaded the following to my website at example.com:
<?php
// Sends a message whose From: header names an address at a domain this host does not own.
mail("someone@yahoo.com", "test", "test message", "From: someone@gmail.com");
Why does this work? I mean, it shouldn't, right? The "From" address domain isn't "@example.com". Yet, when I check my email at someone@yahoo.com, I get the message from someone@gmail.com... How is it that I'm able to (potentially) send an email from anyone's email account without their password?
This is possible, as in, you can put into the E-Mail headers whatever you want, including a totally arbitrary sender address. You are right, though, security-conscious providers will usually configure their outgoing mail services in a way that allows only sender addresses residing on the server the mail gets sent from; but they don't have to.
Also, on the receiving end, messages where the sender address belongs to a domain that is not associated with the sending mail server very often end up in the Spam folder.
It's (as you already know) very bad practice to make use of this. As to whether the provider is at fault - it could be anything from a sign of trust (if you are the only user on the server, or one of select few clients) to carelessness. You may have reason to complain because if one of your web hosting neighbours misuses this to send spam, the server's IP address might get blacklisted, causing any E-Mail coming from it (legit or not) to get caught in spam filters.
It's because of the email format specification.
Have a look at the email header specification; you might refer to http://en.wikipedia.org/wiki/Email#Header_fields
That is the reason why one should never trust the "from" information once you receive an email.
This is why systems like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have been introduced.
SPF allows admins to define where email for a particular domain is supposed to originate. In your example, and assuming that SPF records were set up, the records would show that the Go Daddy host from which the mail was sent was not an authorised sender for the gmail.com domain. A (Yahoo) mail server that receives that mail and does SPF validation would probably reject the mail.
DKIM uses digital signatures to allow a sending mail server to show that an email came from the domain it says it came from. In your example, you wouldn't be able to sign your email and make it look like it really came from Gmail, because you don't have their key.
Both these systems require proper SPF/DKIM records to be set up, and also require that the mail server that handles the email for its recipient actually performs the validation.
So don't worry: this problem is being worked on :-)
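The SPF validation this answer describes, and the "algorithm in PHP with steps to check for spoofing" the first question on this page asked for, as one added example (not code from any answer, from SpamAssassin or from any provider): given the connecting IP and the domain of the sender address, fetch the domain's SPF record and walk its mechanisms. It covers ip4, a, include and all; the resolver is an injected callable with constructed zone data so it runs offline, and a production version would wrap dns_get_record(). Assumes PHP 7.4+ for the arrow function.

```php
<?php
// Added example, not code from any answer on this page: a minimal SPF evaluator answering
// "may this connecting IP send mail for this domain?" (ip4, a, include and all mechanisms).
// $resolve is injected so it runs offline on constructed records; wrap dns_get_record() in production.
function ip4InCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    if (($ipL = ip2long($ip)) === false || ($netL = ip2long($net)) === false) {
        return false;                      // malformed address in the input or the record
    }
    $mask = (~0 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}
// Returns pass, fail, softfail, neutral, none (no record) or permerror (include loop).
function spfCheck(string $ip, string $domain, callable $resolve, int $depth = 0): string
{
    if ($depth > 10) { return 'permerror'; }
    $record = null;
    foreach ($resolve('TXT', $domain) as $txt) {
        if (preg_match('/^v=spf1(\s|$)/i', $txt)) { $record = $txt; break; }
    }
    if ($record === null) { return 'none'; }
    foreach (array_slice(preg_split('/\s+/', trim($record)), 1) as $term) {
        $qual = '+';                       // default qualifier: a match means "pass"
        if ($term !== '' && strpbrk($term[0], '+-~?') !== false) {
            $qual = $term[0];
            $term = substr($term, 1);
        }
        [$mech, $arg] = array_pad(explode(':', $term, 2), 2, null);
        switch (strtolower($mech)) {
            case 'all':     $matched = true; break;
            case 'ip4':     $matched = $arg !== null && ip4InCidr($ip, $arg); break;
            case 'a':       $matched = in_array($ip, $resolve('A', $arg ?? $domain), true); break;
            case 'include': $matched = $arg !== null && spfCheck($ip, $arg, $resolve, $depth + 1) === 'pass'; break;
            default:        continue 2;    // mx, ptr, exists, redirect= etc. are not implemented here
        }
        if ($matched) {
            return ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'][$qual];
        }
    }
    return 'neutral';                      // record exhausted without a match
}
$zone = [   // constructed zone data (RFC 5737 documentation addresses) standing in for real DNS
    'TXT example.com'      => ['v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all'],
    'TXT _spf.example.net' => ['v=spf1 a:mail.example.net ~all'],
    'A mail.example.net'   => ['198.51.100.7'],
];
$resolve = fn (string $type, string $name): array => $zone["$type $name"] ?? [];
foreach (['203.0.113.9', '198.51.100.7', '192.0.2.44'] as $ip) {   // in range, via include, outsider
    echo "$ip for example.com: " . spfCheck($ip, 'example.com', $resolve) . PHP_EOL;
}
```

In a real receiver the checked domain is the one in the SMTP MAIL FROM (and, for a From-header check, the header domain), and the IP is the peer of the SMTP connection, never a value copied from a Received: header the sender wrote.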
Whether you should be able to do this is basically a matter of who you ask. The email RFC states that you should. Best practice for hosting and ISP says you shouldn't.
So, seen from PHP's point of view: yes, you should.
Edit:
And btw you're not sending the mail from somebody's account; you're simply stating that your email is something different from what's actually true. Which is basically the same as introducing yourself to a stranger as, let's say, "Bill Clinton". If the receiver is paying attention they'll know it's wrong. In the real world because you don't look like him, and in the email world you can simply test if the sending server is allowed to relay for that specific domain.
I'm not sure if this is exactly possible, but figured I'd throw it out there.
I have a client that is getting some hate-mail from somebody he knows via a contact form on a website that I developed for him. Currently I do the normal checks for a validly-formatted email address, along with a Captcha, but the client has requested that a user enter his/her own email address in the form.
Now I realize that something like this could be easily spoofed by setting up a fake Yahoo account, etc, but the client's thinking is that this person is not quite that computer-literate.
Is there any possibility for checking if an email address is valid and in-use?
The only other thing I can think of is turning his contact form into a mailto: link.
The only way to confirm an email address is in use is to send an email to it with a unique token, and have them pass the token back to you (usually by clicking a link). This is typically how mailing list signups work.
There are theoretical ways to tell in the SMTP protocol, but many (or maybe even most) servers don't respect those due to problems with spammers abusing them.
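The token round trip this answer recommends, as an added example (not the answer's own code): the form handler holds the visitor's message, mails a single-use token to the address they typed, and only releases the message when the token comes back within its validity window. The $pending array stands in for a database table, and confirm.php is an assumed endpoint name.

```php
<?php
// Added example, not code from the answer above: hold a contact-form message until the
// address the visitor typed proves it is live by returning a single-use token. The
// $pending array stands in for a database table; the mail() call is the only real I/O.
const TOKEN_TTL = 3600;                     // seconds a confirmation link stays valid

// Store the message under a hash of a fresh token and return the raw token to mail out.
function issueToken(array &$pending, string $email, string $message, int $now): string
{
    $token = bin2hex(random_bytes(32));     // 256 bits from the CSPRNG: not guessable
    $pending[strtolower($email)] = [
        'hash'    => hash('sha256', $token),  // a leaked table yields no usable token
        'message' => $message,
        'expires' => $now + TOKEN_TTL,
    ];
    return $token;
}

// Called from the link in the mail: returns the held message once, or null if the token is
// wrong, unknown or expired. The entry is removed on success so the link cannot be replayed.
function confirmToken(array &$pending, string $email, string $token, int $now): ?string
{
    $key = strtolower($email);
    if (!isset($pending[$key])) {
        return null;
    }
    $entry = $pending[$key];
    if ($now > $entry['expires']) {
        unset($pending[$key]);              // expired: drop the held message
        return null;
    }
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
        return null;                        // constant-time compare, no timing leak
    }
    unset($pending[$key]);
    return $entry['message'];
}

// Flow as the form handler and confirm.php (assumed endpoint) would run it.
$pending = [];
$now     = time();
$visitor = 'visitor@example.net';           // constructed address
$token   = issueToken($pending, $visitor, 'Hello, I have a question about ...', $now);
$link    = 'https://www.example.com/confirm.php?email=' . rawurlencode($visitor) . '&token=' . $token;
// mail($visitor, 'Confirm your message', "Open this link to send your message: $link");
$message = confirmToken($pending, $visitor, $token, $now + 60);   // first use releases the message
$again   = confirmToken($pending, $visitor, $token, $now + 60);   // second use finds nothing to release
```

Because the message is only sent after the visitor proves control of the address, a forged address never produces mail to the client, which is what the question wanted.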
Although it may not work, I find Akismet ( http://akismet.com/ ) fairly good at blocking spam and unwanted emails in forms and comments.
If that fails and the problem is only one individual you can blacklist by IP, or even by browser fingerprint ( http://www.h-online.com/security/news/item/EFF-demonstrates-a-browser-s-finger-print-918786.html ). Ultimately it is impossible to stop someone, though, if they are dedicated.
Why not just not send this email if the message contains some commonly used abuse word or the abuser's IP address?