tags:

views:

56

answers:

3
+3  Q: 

How to verify mail origin?

I wish to code a little service where I will be able to send an e-mail to a specific address used by my server to send specific commands to my server.

I'll check against a list of permitted e-mail addresses to make sure no one unauthorized will send a command to the server, but how do I make sure that, say, an e-mail sent by "[email protected]" really comes from "thezombie.net"?

I thought about checking the header for the original e-mail server's IP and pinging the domain to make sure it is the same, but would that be reliable?

Example:

Server receives a command from [email protected] [email protected] is authorized, proceed with checks Server checks "thezombie.net"'s IP from the header: W.X.Y.Z Server pings "thezombie.net" for it's IP: A.B.C.D The IPs do not correspond, do not process command

Is there any better way to do that?

+2  A: 

If you can solve this for generic e-mails, you solved the problem of SPAM.

Given that the mail headers are free form text in which anyone can claim anything, you can't do any sort of authorization nor authentication based on the mail headers. Your best bet is to authenticate the content, and there are protocols for that like S/MIME or PGP. They rely on cryptography for authentication and your server will be able to verify that the content is signed by a certificate you trust. But you'll move the burden on the mail sender that will have to send a properly signed message. Most mail readers though support adding digital signatures to content.

Remus Rusanu  2010-04-08 19:49:17
Yeah, it kinda kills the purpose of the program, which is to provide a simple way to send commands to my server via e-mail when, say, on the road, using a cellphone (provided that the server also sends notifications via e-mail to my phone, which is the easy part).
MrZombie  2010-04-08 23:04:52
A: 

You can use SPF to verify that a given IP is/is not authorized to send email on behalf of a particular domain (assuming that domain implements SPF, of course), but that only gets you so far. For example, it may not prevent another user at the source domain from impersonating the authorized user.

Authenticating the content with a digital signature is really the best way to go.

David Gelhar  2010-04-08 19:52:53
+1  A: 

but how do I make sure that, say, an e-mail sent by "[email protected]" really comes from "thezombie.net"?

You also may want to look at Sender Policy Framework, as it is at least in part trying to provide a means of verifying that email was sent from authorized domain servers.

Also, serverfault.com may have some helpful answers for you since it is a networking- and server-related question.

JYelton  2010-04-08 19:53:23

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security