I have a website, example.com, hosted at GoDaddy. I was just messing around with PHP's mail function and uploaded the following to my website at example.com:

```php
mail( "[email protected]", "test", "test message", "From: [email protected]" );
```

Why does this work? I mean, it shouldn't, right? The "From" address domain isn't "@example.com". Yet, when I check my email at [email protected], I get the message from [email protected]... How is it that I'm able to (potentially) send an email from anyone's email account without their password?

+3  A: 

This is possible, as in, you can put into the E-Mail headers whatever you want, including a totally arbitrary sender address. You are right, though, security-conscious providers will usually configure their outgoing mail services in a way that allows only sender addresses residing on the server the mail gets sent from; but they don't have to.

Also, on the receiving end, messages where the sender address belongs to a domain that is not associated with the sending mail server very often end up in the Spam folder.

It's (as you already know) very bad practice to make use of this. As to whether the provider is at fault - it could be anything from a sign of trust (if you are the only user on the server, or one of select few clients) to carelessness. You may have reason to complain because if one of your web hosting neighbours misuses this to send spam, the server's IP address might get blacklisted, causing any E-Mail coming from it (legit or not) to get caught in spam filters.

Pekka
So, you're saying it's the hosting company's fault that this happens, or will this happen on any host?
ginius
@user well, often, the outgoing server will be configured so this can't be done. It's by no means mandatory, though. E-Mail is a pretty open system, and you can't entirely trust the sender info for exactly this reason.
Pekka
@user see also the explanation to `additional_parameters` in the mail() docs: http://www.php.net/manual/en/function.mail.php
Pekka
@user374436 what Pekka is saying is that email provides no form of authentication. I can send email from your email address just fine. It's not valid, but it might work. Think of it like mailing a letter. You can put anyone's address in the return address area of the letter. It's illegal to put someone else's address but there's nothing physically stopping you from doing so.
Josh
Very well put @Josh.
Pekka
+1  A: 

It's because of the email format specification. Have a look at the email header specification; you might refer to http://en.wikipedia.org/wiki/Email#Header_fields

That is the reason why one should never trust the "from" information once you receive an email.

migajek
A: 

Whether you should be able to do this is basically a matter of who you ask. The email RFC states that you should. Best practice for hosting and ISP says you shouldn't.

So, seen from PHP's point of view: yes, you should.

Edit: And btw you're not sending the mail from somebody's account; you're simply stating that your email is something different from what's actually true. Which is basically the same as introducing yourself to a stranger as, let's say, "Bill Clinton". If the receiver is paying attention they'll know it's wrong. In the real world because you don't look like him, and in the email world you can simply test if the sending server is allowed to relay from that specific domain.

Rune FS
What, you *should* be able to specify a sender address that does not reside on the sending server's domain? I'd say not really. It's an open invitation for spamming.
Pekka
I agree with you but that doesn't change the specifications, I'm afraid.
Rune FS
A: 

This is why systems like Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) have been introduced.

SPF allows admins to define where email for a particular domain is supposed to originate. In your example, and assuming that SPF records were set up, the records would show that the Go Daddy host from which the mail was sent was not an authorised sender for the gmail.com domain. A (Yahoo) mail server that receives that mail and does SPF validation would probably reject the mail.

DKIM uses digital signatures to allow a sending mail server to show that an email came from the domain it says it came from. In your example, you wouldn't be able to sign your email and make it look like it really came from Gmail, because you don't have their key.

Both these systems require proper SPF/DKIM records to be set up, and also require that the mail server that handles the email for its recipient actually performs the validation.

So don't worry: this problem is being worked on :-)

Richard Fearn
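
The receiver-side SPF check described in the answer above, as an added example that is not part of the original thread. The domains, IP addresses, records and the `check_spf` helper are constructed for illustration, and only the `ip4`, `ip6` and `all` mechanisms are handled; a real evaluator (RFC 7208) also resolves `include`, `a` and `mx` through DNS and checks the SMTP envelope sender domain.

```python
import ipaddress

# Constructed sample data: SPF TXT records as a receiving server would fetch
# them from DNS. Domains and addresses are documentation placeholders.
SPF_RECORDS = {
    "mail-provider.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "soft.example": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain publishes no SPF policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, mail_from_domain, records=SPF_RECORDS):
    """Return the SPF result for the connecting IP and the envelope sender domain.

    Assumption: only ip4, ip6 and all are handled; anything that needs a DNS
    lookup (include, a, mx, redirect) raises ValueError in this sketch.
    """
    record = records.get(mail_from_domain)
    if not record or record.split()[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":  # catch-all: decides every sender not matched earlier
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this sketch: {term}")
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"  # malformed record
        if ip.version == network.version and ip in network:
            return QUALIFIERS[qualifier]  # first match wins
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    # 203.0.113.7 stands in for a shared web host that is not listed.
    for ip, domain in [("192.0.2.25", "mail-provider.example"),
                       ("203.0.113.7", "mail-provider.example"),
                       ("203.0.113.7", "soft.example"),
                       ("203.0.113.7", "nospf.example")]:
        print(f"{ip:>14} as {domain:<24} -> {check_spf(ip, domain)}")
```

A `none` result is the case the question ran into: with no published policy, the receiver has nothing to compare the sending host against.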