I have a list of email addresses, which I tested that they are invalid, not exists. But my mail server still keep trying to send email to them.
Is there any way to stop sending email to the non-exists, invalid email addresses?
I am using php though..
I'm not sure exactly what you are asking. If you want a way to validate email addresses before sending, I'm afraid you're going to be disappointed. It's essentially impossible to define a valid email address - even if you go to extreme lengths to pattern match email address syntax and keep up to date on all the valid top-level domain names, you still haven't accounted for email address which are in a valid format but do not have a mailbox assigned to them (or even are just not monitored).
If you're looking for how to remove bouncing-but-retrying emails from your mail servers queue, you should specify what mailserver you are using.
If you want to know more about the PHP mail command, as per Chell's answer, the documentation is a good place to start
Related
a client asked me about a little form for his website, from which it would be possible to mail the URL to someone. Something like "Hey check this out".
Since he was not happy with mailto:, I want to use PHP mail() function, but i wonder if it is smart to let users define a sender of the email. I am worried about the form being abused for spam/phishing.
Is that a reason to worry? Is it even legal?
It's legal to send e-mail. It's not legal (everywhere) to send spam. But you are just providing a share link, not a relay server, so I wouldn't worry about that. If you limit the amount of control over the content of the message, and limit the number of people to send it to, it won't be too interesting for spammers.
Letting the user choose a sender is not a very good idea. Some mail relay servers check if the originating server is allowed to send e-mails for the domain specified in the address, so the mails might never arrive. You can safely set the sender name, though.
Apart from that, if the receivers of the message consider it as spam and report it, your domain might become blacklisted, and your mails will be sent to junk mail in many cases, so you want to make sure no (or little) spam is sent through your form.
Those bots try every form automatically just to see what happens, so you'll need to make some effort. You could add a captcha, which is an obstacle for humans too, although Google is going to put an end to that. Or you could protect it through other means, like a honeypot. Maybe you can just generate the form through JavaScript, which is a big obstacle for most spam bots.
Setting the From on an email in php mail isn't the cause for concern. The problem is that you'll be sending emails from your server. The mail headers will have your server information embedded - so any issues will tie back to you.
As long as you can safeguard your own server from allowing these spam/phishing attacks, then there's nothing wrong with it.
Just limit the number of people this mail function can send to - and make sure it can't be called multiple times in succession -- like with a script.
This way, the spammers wouldn't benefit from using your page to try to send spam. They'll go elsewhere.
There's much more to do to work with sending email, but this will at least get you started.
"Is it legal" depends upon the country you are in.
I don't think you need to worry about spam if you set up a login.
Or you could limit the number of emails by IP address. This can be spoofed, however, so it may not be the best option.
There are other control options you could do; limit number of emails by User Agent/IP combination, etc.
Aside from the reasons pointed out by others who have answered this question, I would advise against doing this because these messages will likely be marked as spam by spam filters, due to SPF and DMARC records.
For example, is someone sends a message through your system from a yahoo.com address, most spam filters will treat the message as spam, because os Yahoo's DMARC record, which basically says, 'any message sent from a yahoo.com email address that did not originate from a mail server on yahoo's network is spam'. See https://help.yahoo.com/kb/mail/SLN24016.html?impressions=true for more info.
I need to create a system that will pipe incoming emails to a PHP script, then get rid of the email. Technically, I don't want these email addresses to actually exist. I would want to validate the email address by checking a database. So if I have a database with say 100 email addresses (i.e. 2323#mydomain.com), the PHP script would parse the email, store the contents in a database for later use, and then discard the email.
I piped emails to a PHP script in the past and parsed the email. However, my understanding of this requires the email address to exist.
I figure a catch-all account would be a bad idea, as SPAM could account for the majority of incoming emails, which I have no use for.
I could create the emails dynamically perhaps, if that is even possible with PHP, but again, I don't actually need to store the incoming email. Eventually the server would get bogged down with emails that I have no use for, especially since the contents would be stored in a database.
There will be no manual management of the incoming emails. Everything would be automated. While I'm sure I could use the PHP imap extension to delete emails say every 30 days, this seems unnecessary.
Any suggestions on the best setup for this?
Automation of email address creation or wildcard catch
Parsing of email, storing and discarding
Please have a look at a GitHub Project PHPMailer and the documentation is available here.
You can also try sendgrip, another good SMTP mailer for PHP.
These projects do not have a direct functions to delete e-mails, however, you will have to bake your own code extending some of the classes. Good Luck!
See http://harrybailey.com/2009/02/send-or-pipe-an-email-to-a-php-script/ for an excellent article that explains how to pipe incoming mail to a PHP script. You should be able to configure your MTA with a wildcard on your domain (so that it accepts mail to anyaddress#yourdomain.tld) and forward each incoming message to your PHP script. Your PHP script can then pickup the sender, recipient, subject, etc., query your database, and process the message accordingly.
I have seen on some sites where the user can simply send a blank e-mail to something like verify#domain.com to have their e-mail verified if they are having trouble getting the verification e-mail. I have a website with PHP/MySQL that I'd like to implement this same functionality, but I haven't done much with e-mail besides sending it so I don't even know where to start to set something like this up.
Basically if your mailbox is an IMAP you could reference these functions via PHP http://www.php.net/manual/en/ref.imap.php (if enabled, check your phpinfo()) and read that specific mailbox (http://www.php.net/manual/en/function.imap-open.php).
Run a cronjob every 10 minutes maybe (I say 10minutes as I dont see many people doing this), loop thru all the emails (if any), run your logic to verify that email account, send them an email to say its been verified, then delete that email item from your account so you are not creating a massive backlog of emails.
Its risky way of wanting someone to verify but this is probably one way of doing it.
If your host allows you to, you can pipe received email to a program (in your case, a PHP script), which could then parse the message and decide what to do.
However, I agree that this isn't very secure. It would be very easy to spoof the sender, unless you implement DomainKey checking or DNS lookups.
Alright, this may take a moment or two to explain:
I'm working on creating an Email<>SMS Bridge (like Teleflip). I have a few set parameters to work in:
Dreamhost Webhosting
PHP 5 (without PEAR)
Postfix
MySQL (If Needed)
What I have right now, is a catch-all email address that forwards the email sent to a shell account. The shell account in turn forwards it to my PHP script.
The PHP script reads it, strips a few Email Headers in an effort to make sure it sends properly, then forwards it to the number specified as the recipient. 5551234567#sms.bridge.gvoms.com of course sends an SMS to +1 (555) 123-4567.
This works really well, as I am parsing the To field and grabbing just the email address it is sending to. However, what I realized that I did not account for is multiple recipients. For example, an email sent to both 5551234567 and 1235554567 (using the To line, the CC line, or any combination of those).
The way email works of course, is I get two emails received, end up parsing each of them separately, and 5551234567 ends up getting the same message twice.
What is the best way to handle this situation, so that each number specified in TO and CC can get one copy of the message.
In addition, though I doubt its possible: Is there a way to handle BCC the same way?
If you check the headers of the mail, you should find a Message-ID field (according to RFC2822 - section 3.6.4). So you could test if you have already sent an SMS for a mail with the same Message-ID & phone number to prevent sending the same message to the same number twice.
Why not use something like imap to check the catch-all mailbox, loop through the messages and then delete them once finished? That way you don't need to forward them to a seperate account.
Stupid dirty solution: parse all recipients from the mail, then send them SMS, then put em all into temporary table with md5 of message text. And check all incoming mails against this table.
Although wimvds had the best answer here, I found out elsewhere that Dreamhost includes a "X-DH-Original-To" header in the way I'm running it through the system. Using this, I'm able to send to each number individually upon receipt of the email without checking it against a database. This should also work with Blind Carbon Copy (I don't know the specifics of how email works enough to tell you how that works).
I have come across this PHP code to check email address using SMTP without sending an email.
Has anyone tried anything similar or does it work for you? Can you tell if an email customer / user enters is correct & exists?
There are two methods you can sometimes use to determine if a recipient actually exists:
You can connect to the server, and issue a VRFY command. Very few servers support this command, but it is intended for exactly this. If the server responds with a 2.0.0 DSN, the user exists.
VRFY user
You can issue a RCPT, and see if the mail is rejected.
MAIL FROM:<>
RCPT TO:<user#domain>
If the user doesn't exist, you'll get a 5.1.1 DSN. However, just because the email is not rejected, does not mean the user exists. Some server will silently discard requests like this to prevent enumeration of their users. Other servers cannot verify the user and have to accept the message regardless.
There is also an antispam technique called greylisting, which will cause the server to reject the address initially, expecting a real SMTP server would attempt a re-delivery some time later. This will mess up attempts to validate the address.
Honestly, if you're attempting to validate an address the best approach is to use a simple regex to block obviously invalid addresses, and then send an actual email with a link back to your system that will validate the email was received. This also ensures that they user entered their actual email, not a slight typo that happens to belong to somebody else.
Other answers here discuss the various problems with trying to do this. I thought I'd show how you might try this in case you wanted to learn by doing it yourself.
You can connect to an mail server via telnet to ask whether an email address exists. Here's an example of testing an email address for stackoverflow.com:
C:\>nslookup -q=mx stackoverflow.com
Non-authoritative answer:
stackoverflow.com MX preference = 40, mail exchanger = STACKOVERFLOW.COM.S9B2.PSMTP.com
stackoverflow.com MX preference = 10, mail exchanger = STACKOVERFLOW.COM.S9A1.PSMTP.com
stackoverflow.com MX preference = 20, mail exchanger = STACKOVERFLOW.COM.S9A2.PSMTP.com
stackoverflow.com MX preference = 30, mail exchanger = STACKOVERFLOW.COM.S9B1.PSMTP.com
C:\>telnet STACKOVERFLOW.COM.S9A1.PSMTP.com 25
220 Postini ESMTP 213 y6_35_0c4 ready. CA Business and Professions Code Section 17538.45 forbids use of this system for unsolicited electronic mail advertisements.
helo hi
250 Postini says hello back
mail from: <me#myhost.com>
250 Ok
rcpt to: <fake#stackoverflow.com>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 w41si3198459wfd.71
Lines prefixed with numeric codes are responses from the SMTP server. I added some blank lines to make it more readable.
Many mail servers will not return this information as a means to prevent against email address harvesting by spammers, so you cannot rely on this technique. However you may have some success at cleaning out some obviously bad email addresses by detecting invalid mail servers, or having recipient addresses rejected as above.
Note too that mail servers may blacklist you if you make too many requests of them.
In PHP I believe you can use fsockopen, fwrite and fread to perform the above steps programmatically:
$smtp_server = fsockopen("STACKOVERFLOW.COM.S9A1.PSMTP.com", 25, $errno, $errstr, 30);
fwrite($smtp_server, "helo hi\r\n");
fwrite($smtp_server, "mail from: <me#myhost.com>\r\n");
fwrite($smtp_server, "rcpt to: <fake#stackoverflow.com>\r\n");
The general answer is that you can not check if an email address exists event if you send an email to it: it could just go into a black hole.
That being said the method described there is quite effective. It is used in production code in ZoneCheck except that it uses RSET instead of QUIT.
Where user interaction with his mailbox is not overcostly many sites actually test that the mail arrive somewhere by sending a secret number that must be sent back to the emitter (either by going to a secret URL or sending back this secret number by email). Most mailing lists work like that.
This will fail (amongst other cases) when the target mailserver uses greylisting.
Greylisting: SMTP server refuses delivery the first time a previously unknown client connects, allows next time(s); this keeps some percentage of spambots out, while allowing legitimate use - as it is expected that a legitimate mail sender will retry, which is what normal mail transfer agents will do.
However, if your code only checks on the server once, a server with greylisting will deny delivery (as your client is connecting for the first time); unless you check again in a little while, you may be incorrectly rejecting valid e-mail addresses.
I can confirm Joseph's and Drew's answers to use RCPT TO: <address_to_check>. I would like to add some little addenda on top of those answers.
Catch-all providers
Some mail providers implement a catch-all policy, meaning that *#mydomain.com will return positive to the RCPT TO: command. But this doesn't necessarily mean that the mailbox "exists", as in "belongs to a human". Nothing much can be done here, just be aware.
IP Greylisting/Blacklisting
Greylisting: 1st connection from unknown IP is blocked. Solution: retry at least 2 times.
Blacklisting: if you send too many requests from the same IP, this IP is blocked. Solution: use IP rotation.
HTTP requests on sign-up forms
This is very provider-specific, but you sometimes can use well-crafted HTTP requests, and parse the responses of these requests to see if a username already signed up or not with this provider.
Here is the relevant function from an open-source library I wrote to check *#yahoo.com addresses using HTTP requests: check-if-email-exists. I know my code is Rust and this thread is tagged PHP, but the same ideas apply.
Full Inbox
This might be an edge case, but when the user has a full inbox, RCTP TO: will return a 5.1.1 DSN error message saying it's full. This means that the account actually exists!
Disclosure
I run [Reacher][1], a real-time email verification API. My code is written in Rust, and is 100% open-source. Check it out if you want a more robust solution:
Github: https://github.com/reacherhq/check-if-email-exists
With a combination of various techniques to jump through hoops, I manage to verify around 80% of the emails my customers check.
Not really.....Some server may not check the "rcpt to:"
http://www.freesoft.org/CIE/RFC/1123/92.htm
Doing so is security risk.....
If the server do, you can write a bot to discovery every address on the server....
Some issues:
I'm sure some SMTP servers will let you know immediately if an address you give them does not exist, but some won't as a privacy measure. They'll just accept whatever addresses you give them and silently ignore the ones that don't exist.
As the article says, if you do this too often with some servers, they will blacklist you.
For some SMTP servers (like gmail), you need to use SSL in order to do anything. This is only true when using gmail's SMTP server to send email.
About all you can do is search DNS and ensure the domain that is in the email address has an MX record, other than that there is no reliable way of dealing with this.
Some servers may work with the rcpt-to method where you talk to the SMTP server, but it depends entirely on the configuration of the server. Another issue may be an overloaded server may return a 550 code saying user is unknown, but this is a temporary error, there is a permanent error (451 i think?) that can be returned. This depends entirely on the configuration of the server.
I personally would check for the DNS MX record, then send an email verification if the MX record exists.
function EmailValidation($email)
{
$email = htmlspecialchars(stripslashes(strip_tags($email))); //parse unnecessary characters to prevent exploits
if (eregi('[a-z||0-9]#[a-z||0-9].[a-z]', $email)) {
//checks to make sure the email address is in a valid format
$domain = explode( "#", $email ); //get the domain name
if (#fsockopen ($domain[1],80,$errno,$errstr,3)) {
//if the connection can be established, the email address is probably valid
echo "Domain Name is valid ";
return true;
} else {
echo "Con not a email domian";
return false; //if a connection cannot be established return false
}
return false; //if email address is an invalid format return false
}
}
Although this question is a bit old, this service tip might help users searching for a similar solution checking email addresses beyond syntax validation prior to sending.
I have been using this open sourced service for a more in depth validating of emails (checking for mx records on the e-mail address domain etc.) for a few projects with good results. It also checks for common typos witch is quite useful. Demo here.
"Can you tell if an email customer / user enters is correct & exists?"
Actually these are two separate things. It might exist but might not be correct.
Sometimes you have to take the user inputs at the face value. There are many ways to defeat the system otherwise.
Assuming it's the user's address, some mail servers do allow the SMTP VRFY command to actually verify the email address against its mailboxes. Most of the major site won't give you much information; the gmail response is "if you try to mail it, we'll try to deliver it" or something clever like that.
I think you cannot, there are so many scenarios where even sending an e-mail can fail. Eg. mail server on the user side is temporarily down, mailbox exists but is full so message cannot be delivered, etc.
That's probably why so many sites validate a registration after the user confirmed they have received the confirmation e-mail.
You have many simple online tools like https://mail7.net
This service check the email address format, then make sure the domain name is valid and extracts the MX records.
So in 90% you can be sure if it valid. 90% because some mail servers are not involved in the process.
<?php
$email = "someone#exa mple.com";
if(!filter_var($email, FILTER_VALIDATE_EMAIL))
echo "E-mail is not valid";
else
echo "E-mail is valid";
?>