tags:

views:

251

answers:

4
+2  Q: 

How to verify sender of incoming email address in Google App Engine?

I'm trying to write a heavily email-based application in the Python SDK of Google App Engine. I've noticed that Google allows you to receive email via its API, and that it easily gives you access to the standard fields like From, To, Body, etc. However, if I'm trying to verify that an email address came from who it said it came from (kind of in the way that Posterous does it for you), how can I? I don't have access to any of the email headers, so I can't check the MX record of the sending server's IP address or anything fancy like that.

Any ideas?

+1  A: 

If this is part of a registration process or alike, then why don't you send back a "challenge" (e.g. URL to go for continuing registration or whatever, with a unique & time-bound key) to the (supposedly) originator? This way you can verify if the email address isn't forged.

The "big guys" (e.g. Google) use this process a lot, there must be a reason.

Disregard my suggestion if that doesn't fit your use-case.

Updated: you could have the emails transit through another Web Service (To be determined) before reaching your GAE application? This way, you could still leverage GAE whilst having a low processing overhead job such as email verification done someplace else?

jldupont  2009-12-03 16:01:36
Thanks, @jldupont, that does make sense. However, the problem is that it's not only for registration but also for continued use. For example, Posterous, which allows you to do blog posts by email, has to have *someway* to verify every time you time you send them an email that it's actually you, and not some PHP script that manipulated the headers. That's the problem I'm trying to solve.
daveslab  2009-12-03 16:05:44
@daveslab: I see. Can't you mandate the users of your system to append a unique token (somewhere) to each email? Granted you could have man-in-the-middle attacks but this could be a way, no?
jldupont  2009-12-03 16:10:40
@jldupont Yes, absolutely, but from a usability standpoint that absolutely sucks. Even I give them a relatively memorable phrase like "Money Cape" and make the requirement that it has to sit somewhere in the email, the person still has to go through the trouble of remembering it. Any security measure that whose value isn't immediately apparent to the user will make it seem like an unnecessary road block in their mind.
daveslab  2009-12-03 16:14:32
@daveslab: I read you loud and clear. Then I can offer an update to my original answer.
jldupont  2009-12-03 16:17:01
A: 

E-mail isn't generally a verifyable medium, unless you sign it with PGP or S/MIME. If you don't have headers, you haven't got anything to verify.

The only thing you can do is e-mail the address and ask the person to confirm that they really sent the message. That's a lot harder for the fraudulent e-mail sender to fake (but not impossible).

Or you could possibly ask the user to put a password in every message.

rjmunro  2009-12-03 16:05:44
Yes, true @rjmunro. Thanks for the input, I considered this above in the comments and didn't do for the reasons mentioned above.
daveslab  2009-12-03 16:44:50
+2  A: 

Actually, while not well documented, the sources here suggest that the original mime message from which the handy objects you get are shaped is available as the .original property of the handy object -- that's an instance of email.message.Message, so you should be able to get email headers from there. I'm not sure that takes you much further in your quest for validation, though.

Alex Martelli  2009-12-03 16:18:28
Interesting, nice call on searching the source.
daveslab  2009-12-03 16:27:30
@daveslab, tx -- I do love it that the GAE SDK is open-sourced, so I can compensate a bit for the sometimes-scarce docs (at least for what happens at app level, which is a lot -- what's behind the RPC calls [[in production runs, as opposed to SDK runs which use open sourced simulation mechanisms]] had better be documented well;-).
Alex Martelli  2009-12-03 16:33:54
To be honest, I didn't know it was open sourced. Should be a good style guide for Python amateurs like myself.
daveslab  2009-12-03 16:45:39
You don't even need to use webapp's mail handlers; what's actually posted to your email URL is the original message and you can handle it however you want.
Wooble  2009-12-05 22:24:24
A: 

Alex is right about accessing the headers, but this doesn't allow you to verify the actual sender of the email: anyone can send an email with any 'from' address they wish, so don't rely on the from address as authoritative proof of who sent it.

Nick Johnson  2009-12-04 14:42:23

related questions

Programmatically talking to a Serial Port in OS X or Linux
Best ways to teach a beginner to program?
Calling a Function From a String With the Function's Name in Python
An executable Python app
Text Editor For Linux (Besides Vi)?
What Hosting Service is best for Django applications?
File size differences after copying a file to a server vía FTP
Python: what is the difference between (1,2,3) and [1,2,3], and when should I use each?
Python: What OS am I running on?
How do I make a menu in python that does not require the user to press (enter) to make a selection?
How do you express binary literals in Python?
What is the most efficient graph data structure in Python?
Adding a Method to an Existing Object
How to learn Python: Good Example Code?
How do I use Python's itertools.groupby()?
Python and MySQL
Class views in Django
Is there an IDE that provides code completion for Python
Using 'in' to match an attribute of Python objects in an array
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Continuous Integration System for a Python Codebase
Get a preview jpeg of a pdf on windows?
How can I find the full path to a font from its display name on a Mac?
XML Processing in Python