I have a site where users register for an account. I have an internal communication system that sends them an email when they get a private message. I don't force people to confirm their email, so naturally, many enter a fake address.
When they get a PM, it tries to send them an email, but obviously fails, so it keeps retrying and retrying. After a few weeks, the retry queue gets quite big, and it affects server performance (I also don't want to get blacklisted for all these attempts).
What can I do to solve this issue (other than force people to confirm their email upon registration)?
If you don't want to force people to confirm their email because if something goes wrong, they can't access their login straight away, why not do something like this:
If they haven't confirmed their E-Mail, don't send PMs, but show them when they are logged in instead. Remind them to confirm their E-Mail.
If they have confirmed their E-mail, send them out.
But anyway, your scenario sounds like a server misconfiguration. Why would a mail server keep re-sending mails that it got a "not deliverable" message for? As far as I know, re-sending mails only occurs when the receiving host was not reachable for technical reasons.
You really should just require confirmation.
Short of that, you can deactivate users whose emails have bounced a certain number of times, and require a new email at next login.
It will be hard without verifying, but you can at least verify the domain it's coming from:
Option 1: Use getmxrr to search for MX records on their hostname
Option 2: Use checkdnsrr to check their DNS info
But all these really do is check the validity of the domain, and whether it's running a mailserver. To get real authentication, a confirmation is the best way. You could also implement a tool to send out a test email and see if it bounces back. But this method may not always work as expected, because of variations: on some servers it's instant, on others it can be a day later before an undeliverable message is returned.
I hope this helps.
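The domain-level check described above, as an added example (not code from the answer): it uses getmxrr and checkdnsrr to test whether the domain part of an address can receive mail at all, and it deliberately says nothing about whether the mailbox exists.

```php
<?php
// Added example (not code from the answer above): check whether the domain part of an
// address is set up to receive mail, as the answer describes. It says nothing about
// whether the mailbox itself exists; only a confirmation email can tell you that.
declare(strict_types=1);

/**
 * True if the address parses and its domain publishes MX records or, via the
 * SMTP fallback rule, at least an A/AAAA record. $mxHosts receives the MX names.
 */
function domainAcceptsMail(string $email, array &$mxHosts = []): bool
{
    $mxHosts = [];
    // Syntax first, so malformed input never triggers a DNS lookup.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1);

    // Internationalised domains must be punycode-encoded before the lookup (needs ext/intl).
    if (function_exists('idn_to_ascii')) {
        $ascii = idn_to_ascii($domain, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
        if ($ascii !== false) {
            $domain = $ascii;
        }
    }

    if (getmxrr($domain, $mxHosts)) {
        // A lone "null MX" (RFC 7505) means the domain explicitly refuses mail;
        // depending on the resolver it shows up as "" or ".".
        if (count($mxHosts) === 1 && in_array($mxHosts[0], ['', '.'], true)) {
            $mxHosts = [];
            return false;
        }
        return true;
    }
    // No MX record: SMTP falls back to the domain's own address record.
    return checkdnsrr($domain, 'A') || checkdnsrr($domain, 'AAAA');
}

// Call at registration time with the address the user typed (constructed sample).
$hosts = [];
if (domainAcceptsMail('someone@example.com', $hosts)) {
    echo "domain can receive mail; send the confirmation email\n";
} else {
    echo "domain cannot receive mail; ask for another address\n";
}
```

Each call blocks the request on a DNS lookup, so cache results per domain and keep a per-IP limit on registration attempts, or the check itself becomes a way to load your server.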
Consider having a checkbox so that people can opt out of email notifications. If they do not enter a valid email address, it is surely because they do not want to receive emails in the first place, so let them tell you.
Additionally, you may consider having an opt-in system, where people will not receive email notifications in the first place and have to enable it somewhere in their account settings, providing an email address at that moment. This way, the number of fake email addresses will be reduced to near zero.
Related
I'm working with a system which is set up to send all emails with PHPMailer through an info@company.com account. This is fine, and we use it to send emails from employees, e.g. dave@company.com, mike@company.com etc. However I cannot use TLS with this. When I turn on TLS it rejects the email because the sending address is not the same as the account address, fair enough.
So I'm wondering the best way around this; the best I can come up with so far is:
Make a MySQL table of every employee's username/password, and use this to connect to the relevant employee account and send email through that. This would be a nightmare though, e.g. when users change their password I'd have to update this every time. I know of no method of retrieving passwords from Exchange through PowerShell or anything.
Any better solutions? Thanks.
Whether your mail server allows this is up to the mail server, not you. You can work around it by using your own from address, but putting the target user's address as the reply-to address. That way your login will allow sending, you won't be forging from addresses, and replies will still go to them.
I have a website that is starting to grow, but with that come users who continue to sign up and send SPAM messages to other members. I currently use Google's CAPTCHA API service, but if a user creates an account manually then it's of no use. My main problem is that after a user creates a fake account they start sending duplicate messages, so my thought here is to check with some PHP code for similarities in messages and deny them after x amount sent, but I'm not sure how much of a load this puts on the server. Is there a way I can maybe grab the IP when they sign up and ban that IP if they start spamming people? It's driving me nuts because I spend almost an hour a day now cleaning up SPAM and removing invalid users. Have others run into this, and what measures have you taken?
There are various solutions but none of them work perfectly; it would be best to use a combination of solutions.
A few solutions:
Enforce a time limit for sending messages (1 message per 30 or 60 seconds)
Use the PHP function similar_text to check a new message against the last sent message and deny sending the message if the similarity is above a set percentage (I would guess above 70%)
Use CAPTCHAs if a user sends a lot of messages during a set time
Keep a list of IP addresses ($_SERVER['REMOTE_ADDR'] tells you which IP the user has) in your user database and keep a ban list which you then use to check against when a user registers, to keep them from creating an account.
Give your users a report button which notifies you of spam
Automatically Temp-Ban a user when he/she is reported often
Also keep a ban list based on the email address of users (it takes more time for a spammer to create a new email address; only do this with confirmed email addresses, as email addresses can be hijacked).
These are only some of the available options, just try to make the life of a spammer as hard as possible.
To get the IP of a user use
$_SERVER['REMOTE_ADDR'];
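A gate that combines three of the measures listed above (the 30-second interval, the similar_text comparison with the previous message, and the IP ban list), as an added example and not code from the answer; the in-memory arrays and the sample IPs are constructed stand-ins for the user and ban tables.

```php
<?php
// Added example, not from the answer above: the gate a PM handler runs before storing
// a message. It combines a minimum interval between messages, a similar_text()
// comparison with the sender's previous message, and an IP ban list. Storage is an
// in-memory array here; on a real site the same fields live in the user/ban tables.
declare(strict_types=1);

const MIN_INTERVAL_SEC = 30;    // one message per 30 s, as the answer suggests
const MAX_SIMILARITY   = 70.0;  // percent; similar_text() fills $percent with 0..100

/**
 * Decide whether a message may be sent. Returns null if allowed, otherwise a short
 * reason code for logging (do not echo it back verbatim; it only helps the spammer tune).
 */
function messageGate(array &$sender, string $ip, string $body, array $bannedIps, int $now): ?string
{
    // 1. IP ban list. Use REMOTE_ADDR, not X-Forwarded-For, unless a trusted proxy
    //    sets that header; otherwise the client picks its own "IP".
    if (in_array($ip, $bannedIps, true)) {
        return 'ip_banned';
    }
    // 2. Rate limit per sender.
    if (isset($sender['last_sent_at']) && $now - $sender['last_sent_at'] < MIN_INTERVAL_SEC) {
        return 'too_fast';
    }
    // 3. Near-duplicate check. similar_text() is O(n^3) in the worst case, so cap the
    //    compared length to keep the check cheap under load.
    if (isset($sender['last_body'])) {
        similar_text(substr($sender['last_body'], 0, 1000), substr($body, 0, 1000), $percent);
        if ($percent > MAX_SIMILARITY) {
            $sender['dup_hits'] = ($sender['dup_hits'] ?? 0) + 1; // input for a CAPTCHA/temp-ban step
            return 'duplicate';
        }
    }
    $sender['last_sent_at'] = $now;
    $sender['last_body']    = $body;
    return null;
}

// Constructed sample: a legitimate message, a retry 5 s later, and a near-copy a minute later.
$user   = ['id' => 42];
$banned = ['203.0.113.7'];                         // constructed, documentation-range IP
$ip     = $_SERVER['REMOTE_ADDR'] ?? '198.51.100.5';
$t      = time();
var_dump(messageGate($user, $ip, 'Hi, are you coming on Friday?', $banned, $t));       // NULL
var_dump(messageGate($user, $ip, 'Hi, are you coming on Friday??', $banned, $t + 5));  // "too_fast"
var_dump(messageGate($user, $ip, 'Hi, are you coming on Friday??', $banned, $t + 60)); // "duplicate"
```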
One step I've taken above and beyond is I've tapped into StopForumSpam's API to automatically block a user if their IP or email is found in their spammer database. Much smarter than a captcha.
I would recommend looking into a similar solution if you're getting hit a lot with spam.
The only method used to develop my WAF was analyzing the traffic:
HTTP headers
request URL, method, protocol
POST data
GET parameters
COOKIES
Even though it took years, the end product is a very sharp knife.
It should be connected to the linux firewall. I use Fail2ban.
I have written a script for my clients to generate a newsletter form, embed it on their website, collect email addresses and then email them using a php while and PHPMailer.
Currently, the script uses a "double opt-in" which sends an email from "myclient@myclientsemail.com" to the subscriber to click on a confirm link that then goes to "http://myserver.com" to complete the confirmation process.
My question is:
if the mail address they receive the confirmation email from and the address they confirm their email address with are different, will this be a problem?
In other words, does the spam filter add the confirm email "from address" to the friends list or the address of the link in the email?
The desired end result obviously being the "from address" (my clients address) being the one that will not be junked in future.
Thanks,
Anthony
My company does something similar. The double opt-in is something that you're doing on your end to ensure that you have valid results, not an email sent in by the user's enemy who wanted to load up their account with spam. The theory goes that if someone is going to be malicious like that, they wouldn't have actual read access and the time/means to respond to the second opt-in, making it about as fail-proof as possible.
The spam filters don't know if you did an opt in at all, they just know what they see and who's doing the sending. So as long as you're sure the user you're getting approval from is the same one, you should be good to go. If you've properly configured headers, ensured list accuracy, aren't mail bombing (i.e. loading a host with thousands of messages in a short amount of time) and include content that's not "spammy" you'll be fine. Just remember, there's virtually no way to 100% guarantee delivery of an email thanks to overzealous IT guys and spam filters and the distributed nature of the web.
Note that being a new system, your host is not yet "trusted", so you'll likely have higher than average bounce stats. I'd recommend doing a "break" script when you send to ensure that emails are "trickling" out at first while you gain hosts' trust. Even with well-established servers, my company's policy is that no consecutive emails to a host will be delivered with less than a 50 ms break in between, and it's worked well for us (we deliver 100k+ per day). And no matter what, include CAN-SPAM items such as opt-out, physical address, and a proper subject line... no exceptions.
I'm not sure if this is exactly possible, but figured I'd throw it out there.
I have a client that is getting some hate-mail from somebody he knows via a contact form on a website that I developed for him. Currently I do the normal checks for a validly-formatted email address, along with a Captcha, but the client has requested that a user enter his/her own email address in the form.
Now I realize that something like this could be easily spoofed by setting up a fake Yahoo account, etc, but the client's thinking is that this person is not quite that computer-literate.
Is there any possibility for checking if an email address is valid and in-use?
The only other thing I can think of is turning his contact form into a mailto: link.
The only way to confirm an email address is in use is to send an email to it with a unique token, and have them pass the token back to you (usually by clicking a link). This is typically how mailing list signups work.
There are theoretical ways to tell in the SMTP protocol, but many (or maybe even most) servers don't respect those due to problems with spammers abusing them.
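The token round trip described in the answer above, as an added example (not the answer's code): issue a random token, store only its hash with an expiry, put the raw token in the link, and compare in constant time when it comes back. The hostname in the link and the array standing in for the database table are placeholders.

```php
<?php
// Added example, not from the answer: the "unique token" confirmation it describes.
// Persistence is a plain array here; the same columns belong on a pending_confirmation
// table on a real site. The hostname in the link is a placeholder.
declare(strict_types=1);

const TOKEN_TTL_SEC = 24 * 3600;

/** Create a token for $email. Returns [raw token for the link, row to store]. */
function issueConfirmation(string $email, int $now): array
{
    $raw = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $row = [
        'email'      => $email,
        'token_hash' => hash('sha256', $raw),  // a leaked table must not yield usable links
        'expires_at' => $now + TOKEN_TTL_SEC,
        'used'       => false,
    ];
    return [$raw, $row];
}

/** Build the link for the email body; only the raw token travels to the user. */
function confirmationLink(string $raw): string
{
    return 'https://myserver.example/confirm?t=' . rawurlencode($raw);
}

/** Verify a token presented on the confirm page; marks it used on success. */
function verifyConfirmation(string $presented, array &$row, int $now): bool
{
    if ($row['used'] || $now > $row['expires_at']) {
        return false;                                        // single use, time-boxed
    }
    $ok = hash_equals($row['token_hash'], hash('sha256', $presented));
    if ($ok) {
        $row['used'] = true;
    }
    return $ok;
}

// Round trip with a constructed address.
$now = time();
[$raw, $row] = issueConfirmation('alice@example.com', $now);
echo confirmationLink($raw), "\n";
var_dump(verifyConfirmation('not-the-token', $row, $now + 60));  // bool(false): wrong token
var_dump(verifyConfirmation($raw, $row, $now + 60));             // bool(true)
var_dump(verifyConfirmation($raw, $row, $now + 120));            // bool(false): already used
```

Look the row up by email or by a separate id in the query string rather than by the raw token, so the token itself never has to be stored or indexed in clear.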
Although it may not work, I find Akismet ( http://akismet.com/ ) fairly good at blocking spam and unwanted emails in forms and comments.
If that fails and the problem is only one individual you can blacklist by IP, or even by browser fingerprint ( http://www.h-online.com/security/news/item/EFF-demonstrates-a-browser-s-finger-print-918786.html ). Ultimately it is impossible to stop someone, though, if they are dedicated.
Why not just not send this email if the message contains some commonly used abuse word or the abuser's IP address?
Is there any way to check if an email is active without sending it an email? (Meaning that it does not get returned.)
If I have 20,000 emails in my email list, and I do decide to send all of them an email, how can I automatically cross out the email addresses that got returned?
Sending an email and requesting the user click some sort of activation link is the best way to determine if the email address is valid and being used by someone. If you just want to see if the email is valid, whether or not it's registered or active, use a regex.
As for crossing them out, where are the emails stored? If it's in a database, just set an activation key and a flag saying whether the link has been visited or not.
No.
Depends on how you are sending them. (Please provide more details)
There used to be a way to query a mail server if an email address is valid. However, since spammers used that facility for ill purposes, almost no mail servers will support that method anymore.
All you can hope to do is a DNS lookup on the email domain to see if the domain is valid.
These days, you can't know if the email address is valid. The domain is about as far as you'll get and you can do a reverse lookup on that to see if that is valid. But it won't tell you about the user.
What you need is something to process the bounces from your mail-out and write some sort of script to perhaps update the list. There are many tools under Linux for this type of purpose, such as procmail. There's a port of that for Windows, I think.
No
You need mailing list management software. Lyris ListManager is a paid one that has automatic bounce handling and removes users from your list. There are several free ones that do the same thing: ezmlm, Mailman, Majordomo and many others. You probably don't want to just send all those emails without a piece of MLM software to manage it. You will probably get blacklisted from servers. You need things like unsubscribe handling or you won't be sending emails for long.
Heh. If you could find out a way, the answer would be worth billions to spammers.
The best answer here is: No.