Menu
I'm using mail() to send simple mails. For convenience, i'm using a header to set a "from" address. I wonder, I can put whichever address there and pretend to be anyone; I tried just towards myself for curiosity and actually it works! Is this normal? It's the correct way to use the mail function? and is there any way to recognize the identity of the sender of these mails?
EDIT: I sent a mail to my self using my gmail address as "from" in the header of mail(). I received the message with these headers:
…
Received: from smarty.dreamhost.com (smarty.dreamhost.com [208.113.175.8]) by mx.google.com with ESMTP id w21si2197938ybh.68.2010.10.19.19.33.30; Tue, 19 Oct 2010 19:33:30 -0700 (PDT)
Received: from nationals.dreamhost.com (nationals.dreamhost.com [69.163.165.6]) by smarty.dreamhost.com (Postfix) with ESMTP id EB56D6E804A for <[email protected]>; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)
Received: by nationals.dreamhost.com (Postfix, from userid 3598506) id E4BB635C83F; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)
Return-Path: <[email protected]>
Received-Spf: pass (google.com: domain of [email protected] designates 208.113.175.8 as permitted sender) client-ip=208.113.175.8;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 208.113.175.8 as permitted sender) [email protected]
What happened? I can't interpretate headers, but look like google accepted the fake address!
612
PHP Mail Introduction The mail() function allows you to send emails directly from a script.
This is perfectly secure; there is no way a hacker could manipulate who the E-mail gets sent to; PHP is server-side code. Thus, $email_to = "[email protected]"; cannot get manipulated from the form itself, as it is hard-coded into your PHP.
PHP makes use of mail() function to send an email. This function requires three mandatory arguments that specify the recipient's email address, the subject of the the message and the actual message additionally there are other two optional parameters. mail( to, subject, message, headers, parameters );
to check if it is sending mail as intended; <? php $email = "[email protected]"; $subject = "Email Test"; $message = "this is a mail testing email function on server"; $sendMail = mail($email, $subject, $message); if($sendMail) { echo "Email Sent Successfully"; } else { echo "Mail Failed"; } ?>
Welcome to SMTP.
It has always been the case that you can put any From address on an email that you choose, much like you can put any return address on a physical letter that you choose.
To extend the metaphor, the only way to verify that a letter was mailed by a given individual is to look at other details such as the postmark; likewise, the only REAL clue about who sent an email is the additional headers added by mail servers along the way that identify which server touched the message last.
The moral of the story: never trust a From address; security was never an intended feature of the email system. As Vint Cerf recently said about our existing Internet protocols: "We never intended for this stuff to get out."
111
Yes, the from header is just a header, anyone can claim to be anyone using email. However most mail servers will consider as spam anything where the IP address of the sending server doesn't match the DNS MX-Record for the from email address
36
Yes, this is possible. You are much more likely to have your server's IP blacklisted and your mail marked as spam if your sending emails from domains that do not resolve to the ip the email is being sent from.
I had a lot of fun with an april fools joke this way one time...
just don't do it often or you risk blacklisting. I'm not sure about tracing it back but it should be doable i think.
27
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
