views:

251

answers:

4

I'm trying to write a heavily email-based application in the Python SDK of Google App Engine. I've noticed that Google allows you to receive email via its API, and that it easily gives you access to the standard fields like From, To, Body, etc. However, if I'm trying to verify that an email address came from who it said it came from (kind of in the way that Posterous does it for you), how can I? I don't have access to any of the email headers, so I can't check the MX record of the sending server's IP address or anything fancy like that.

Any ideas?

+1  A: 

If this is part of a registration process or alike, then why don't you send back a "challenge" (e.g. URL to go for continuing registration or whatever, with a unique & time-bound key) to the (supposedly) originator? This way you can verify if the email address isn't forged.

The "big guys" (e.g. Google) use this process a lot, there must be a reason.

Disregard my suggestion if that doesn't fit your use-case.


Updated: you could have the emails transit through another Web Service (To be determined) before reaching your GAE application? This way, you could still leverage GAE whilst having a low processing overhead job such as email verification done someplace else?

jldupont
Thanks, @jldupont, that does make sense. However, the problem is that it's not only for registration but also for continued use. For example, Posterous, which allows you to do blog posts by email, has to have *someway* to verify every time you time you send them an email that it's actually you, and not some PHP script that manipulated the headers. That's the problem I'm trying to solve.
daveslab
@daveslab: I see. Can't you mandate the users of your system to append a unique token (somewhere) to each email? Granted you could have man-in-the-middle attacks but this could be a way, no?
jldupont
@jldupont Yes, absolutely, but from a usability standpoint that absolutely sucks. Even I give them a relatively memorable phrase like "Money Cape" and make the requirement that it has to sit somewhere in the email, the person still has to go through the trouble of remembering it. Any security measure that whose value isn't immediately apparent to the user will make it seem like an unnecessary road block in their mind.
daveslab
@daveslab: I read you loud and clear. Then I can offer an update to my original answer.
jldupont
A: 

E-mail isn't generally a verifyable medium, unless you sign it with PGP or S/MIME. If you don't have headers, you haven't got anything to verify.

The only thing you can do is e-mail the address and ask the person to confirm that they really sent the message. That's a lot harder for the fraudulent e-mail sender to fake (but not impossible).

Or you could possibly ask the user to put a password in every message.

rjmunro
Yes, true @rjmunro. Thanks for the input, I considered this above in the comments and didn't do for the reasons mentioned above.
daveslab
+2  A: 

Actually, while not well documented, the sources here suggest that the original mime message from which the handy objects you get are shaped is available as the .original property of the handy object -- that's an instance of email.message.Message, so you should be able to get email headers from there. I'm not sure that takes you much further in your quest for validation, though.

Alex Martelli
Interesting, nice call on searching the source.
daveslab
@daveslab, tx -- I do love it that the GAE SDK is open-sourced, so I can compensate a bit for the sometimes-scarce docs (at least for what happens at app level, which is a lot -- what's behind the RPC calls [[in production runs, as opposed to SDK runs which use open sourced simulation mechanisms]] had better be documented well;-).
Alex Martelli
To be honest, I didn't know it was open sourced. Should be a good style guide for Python amateurs like myself.
daveslab
You don't even need to use webapp's mail handlers; what's actually posted to your email URL is the original message and you can handle it however you want.
Wooble
A: 

Alex is right about accessing the headers, but this doesn't allow you to verify the actual sender of the email: anyone can send an email with any 'from' address they wish, so don't rely on the from address as authoritative proof of who sent it.

Nick Johnson