security and mail() function in php

I'm using mail() to send simple mails. For convenience, I'm using a header to set a "From" address. I wonder: I can put whichever address there and pretend to be anyone; I tried it just towards myself out of curiosity, and it actually works! Is this normal? Is this the correct way to use the mail function? And is there any way to recognize the identity of the sender of these mails?

EDIT: I sent a mail to myself using my Gmail address as "From" in the header of mail(). I received the message with these headers:

…

Received: from smarty.dreamhost.com (smarty.dreamhost.com [208.113.175.8]) by mx.google.com with ESMTP id w21si2197938ybh.68.2010.10.19.19.33.30; Tue, 19 Oct 2010 19:33:30 -0700 (PDT)

Received: from nationals.dreamhost.com (nationals.dreamhost.com [69.163.165.6]) by smarty.dreamhost.com (Postfix) with ESMTP id EB56D6E804A for <[email protected]>; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)

Received: by nationals.dreamhost.com (Postfix, from userid 3598506) id E4BB635C83F; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)

Return-Path: <[email protected]>

Received-Spf: pass (google.com: domain of [email protected] designates 208.113.175.8 as permitted sender) client-ip=208.113.175.8;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 208.113.175.8 as permitted sender) [email protected]     



What happened? I can't interpret headers, but it looks like Google accepted the fake address!

Bakaburg asked Oct 20 '10 02:10




3 Answers

Welcome to SMTP.

It has always been the case that you can put any From address on an email that you choose, much like you can put any return address on a physical letter that you choose.

To extend the metaphor, the only way to verify that a letter was mailed by a given individual is to look at other details such as the postmark; likewise, the only REAL clue about who sent an email is the additional headers added by mail servers along the way that identify which server touched the message last.

The moral of the story: never trust a From address; security was never an intended feature of the email system. As Vint Cerf recently said about our existing Internet protocols: "We never intended for this stuff to get out."

tylerl answered Sep 22 '22 10:09
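The "postmark" tylerl describes is the Received chain. The following is an added example (not code from the question or from any answer) that reads a message header block and separates the three things the question mixes up: the From header (free text, chosen by whoever called mail()), the envelope sender in Return-Path (what Google's SPF check actually looked at) and the first Received line (the host, and on a shared host the Unix user id, that injected the mail). The sample header block is constructed from the lines quoted in the question; the mailbox addresses were redacted on the page, so webuser@nationals.dreamhost.com and you@example.com are placeholders, and the From/To/Subject lines are assumed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: Received / Return-Path / Received-SPF follow the headers
# quoted in the question; addresses are placeholders (redacted on the page) and
# the From/To/Subject lines are assumed, not taken from the page.
RAW_HEADERS = """\
Received: from smarty.dreamhost.com (smarty.dreamhost.com [208.113.175.8]) by mx.google.com with ESMTP id w21si2197938ybh.68.2010.10.19.19.33.30; Tue, 19 Oct 2010 19:33:30 -0700 (PDT)
Received: from nationals.dreamhost.com (nationals.dreamhost.com [69.163.165.6]) by smarty.dreamhost.com (Postfix) with ESMTP id EB56D6E804A for <you@example.com>; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)
Received: by nationals.dreamhost.com (Postfix, from userid 3598506) id E4BB635C83F; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)
Return-Path: <webuser@nationals.dreamhost.com>
Received-SPF: pass (google.com: domain of webuser@nationals.dreamhost.com designates 208.113.175.8 as permitted sender) client-ip=208.113.175.8;
From: you@example.com
To: you@example.com
Subject: test

"""

# "Received: [from <host> ...] by <host> ..." -- only the two hostnames matter here.
RECEIVED_RE = re.compile(r"^(?:from\s+(?P<from>\S+).*?)?\bby\s+(?P<by>\S+)", re.S)
USERID_RE = re.compile(r"from userid (\d+)")
# "Received-SPF: <result> (<comment>) ... client-ip=<ip>;"
SPF_RE = re.compile(r"^(?P<result>\w+)\s*\((?P<comment>[^)]*)\).*?client-ip=(?P<ip>[0-9a-fA-F.:]+)", re.S)


def parse_received(hop):
    """Split one Received header into sending host, receiving host and local user id."""
    hop = " ".join(hop.split())  # unfold continuation lines
    m = RECEIVED_RE.match(hop)
    if not m:
        raise ValueError("unparseable Received header: " + hop)
    uid = USERID_RE.search(hop)
    return {"from": m.group("from"), "by": m.group("by"),
            "userid": uid.group(1) if uid else None}


def received_chain(msg):
    """Each relay prepends its Received line, so the last one in the message is the first hop."""
    return [parse_received(h) for h in reversed(msg.get_all("Received", []))]


def relay_path(raw):
    """Hostnames that handled the message, in the order they touched it."""
    return [h["by"] for h in received_chain(email.message_from_string(raw))]


def domain_of(addr_header):
    return parseaddr(addr_header or "")[1].rpartition("@")[2].lower()


def sender_evidence(raw):
    """Contrast the claimed From address with what the transport actually recorded."""
    msg = email.message_from_string(raw)
    hops = received_chain(msg)
    spf = SPF_RE.match(" ".join(msg.get("Received-SPF", "").split()))
    spf_identity = None
    if spf:
        ident = re.search(r"domain of (\S+)", spf.group("comment"))
        spf_identity = ident.group(1) if ident else None
    header_domain = domain_of(msg.get("From"))
    envelope_domain = domain_of(msg.get("Return-Path"))
    return {
        "header_from_domain": header_domain,        # claimed by the script, unverified
        "envelope_from_domain": envelope_domain,    # MAIL FROM; this is what SPF was run against
        "spf_result": spf.group("result") if spf else None,
        "spf_identity": spf_identity,
        "spf_client_ip": spf.group("ip") if spf else None,
        "origin_host": hops[0]["by"],               # first hop: the box that injected the mail
        "origin_userid": hops[0]["userid"],         # local submission => Unix uid on that box
        "from_matches_envelope": header_domain == envelope_domain,
    }


if __name__ == "__main__":
    for key, value in sender_evidence(RAW_HEADERS).items():
        print(f"{key:>22}: {value}")
```

Run against the constructed sample, the evidence reads: From claims example.com, the envelope and the SPF "pass" belong to nationals.dreamhost.com, the first hop is a local Postfix submission on nationals.dreamhost.com by userid 3598506, and the hostnames in the chain are nationals.dreamhost.com, smarty.dreamhost.com, mx.google.com. That user id is how a shared-hosting provider would answer the "who sent this?" question: the From header never enters into it.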


Yes, the From header is just a header; anyone can claim to be anyone using email. However, most mail servers will consider as spam anything where the IP address of the sending server doesn't match the DNS MX record for the From email address.

tobyodavies answered Sep 19 '22 10:09
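The check the question's own headers show is SPF ("domain of ... designates 208.113.175.8 as permitted sender"), and it is evaluated against the envelope sender (Return-Path), not against the From header. That is why Google reported spf=pass for a mail whose From named a Gmail address: the domain it consulted was the hosting provider's. The following is an added example, not code from the answer, with a small SPF evaluator (ip4, a, mx, include and all mechanisms with the four qualifiers) run over a constructed DNS table; none of the records are real, and the 208.113.175.0/24 range is assumed from the single IP in the question's headers.

```python
import ipaddress

# Constructed DNS fixture (not real records): TXT holds the SPF policy,
# A and MX back the "a" and "mx" mechanisms. Assumed for illustration only.
DNS = {
    "TXT": {
        "nationals.dreamhost.com": "v=spf1 ip4:208.113.175.0/24 -all",
        "example.com": "v=spf1 ip4:192.0.2.0/24 -all",
        "forwarder.example": "v=spf1 include:nationals.dreamhost.com ~all",
        "mx.example": "v=spf1 mx -all",
    },
    "MX": {"mx.example": ["mail.mx.example"]},
    "A": {"mail.mx.example": ["198.51.100.7"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, depth=0, dns=DNS):
    """Evaluate <domain>'s SPF record for connecting IP <ip>.

    Subset of RFC 7208: ip4, a, mx, include, all. Anything else is a permerror.
    """
    if depth > 10:                       # RFC limit on recursive lookups
        return "permerror"
    record = dns["TXT"].get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in dns["A"].get(arg or domain, [])
        elif name == "mx":
            matched = any(str(ip) in dns["A"].get(mx, [])
                          for mx in dns["MX"].get(arg or domain, []))
        elif name == "include":
            matched = check_host(str(ip), arg, depth + 1, dns) == "pass"
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                     # ran off the end of the record


def evaluate_delivery(client_ip, envelope_from, header_from):
    """What a receiving MX decides: SPF is bound to MAIL FROM, the From header is not consulted."""
    envelope_domain = envelope_from.rpartition("@")[2].lower()
    header_domain = header_from.rpartition("@")[2].lower()
    return {
        "checked_domain": envelope_domain,
        "spf": check_host(client_ip, envelope_domain),
        "header_from_domain": header_domain,
        "header_from_checked": envelope_domain == header_domain,
        # what the verdict would have been had the From domain been the identity checked
        "header_from_would_get": check_host(client_ip, header_domain),
    }


if __name__ == "__main__":
    # Reproduces the situation in the question with the constructed records.
    verdict = evaluate_delivery("208.113.175.8",
                                "webuser@nationals.dreamhost.com",   # Return-Path, assumed
                                "you@example.com")                   # From header, assumed
    for key, value in verdict.items():
        print(f"{key:>22}: {value}")
```

With the constructed records, the envelope domain passes for 208.113.175.8, the From domain is never checked, and had it been, the same IP would have failed example.com's policy. The gap the last field exposes (SPF passing while From names an unrelated domain) is what DMARC's alignment requirement later addressed; plain SPF, which is all the question's headers show, never closes it.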


Yes, this is possible. You are much more likely to have your server's IP blacklisted and your mail marked as spam if you're sending emails from domains that do not resolve to the IP the email is being sent from.

I had a lot of fun with an April Fools' joke this way one time...

Just don't do it often or you risk blacklisting. I'm not sure about tracing it back, but it should be doable, I think.

Andy Groff answered Sep 20 '22 10:09