views:

34

answers:

3

Hi, I'm using mail() to send simple mails. For convenience, I'm using a header to set a "from" address. I wonder: I can put whichever address there and pretend to be anyone; I tried it just towards myself out of curiosity, and it actually works! Is this normal? Is it the correct way to use the mail function? And is there any way to recognize the identity of the sender of these mails?

EDIT: I sent a mail to myself using my gmail address as "from" in the header of mail(). I received the message with these headers:

…

Received: from smarty.dreamhost.com (smarty.dreamhost.com [208.113.175.8]) by mx.google.com with ESMTP id w21si2197938ybh.68.2010.10.19.19.33.30; Tue, 19 Oct 2010 19:33:30 -0700 (PDT)

Received: from nationals.dreamhost.com (nationals.dreamhost.com [69.163.165.6]) by smarty.dreamhost.com (Postfix) with ESMTP id EB56D6E804A for <[email protected]>; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)

Received: by nationals.dreamhost.com (Postfix, from userid 3598506) id E4BB635C83F; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)

Return-Path: <[email protected]>

Received-Spf: pass (google.com: domain of [email protected] designates 208.113.175.8 as permitted sender) client-ip=208.113.175.8;

Authentication-Results: mx.google.com; spf=pass (google.com: domain of [email protected] designates 208.113.175.8 as permitted sender) [email protected]

What happened? I can't interpret headers, but it looks like Google accepted the fake address!

+1  A: 

Yes, this is possible. You are much more likely to have your server's IP blacklisted and your mail marked as spam if you're sending emails from domains that do not resolve to the IP the email is being sent from.

I had a lot of fun with an april fools joke this way one time...

Just don't do it often or you risk blacklisting. I'm not sure about tracing it back, but it should be doable, I think.

Andy Groff
+4  A: 

Welcome to SMTP.

It has always been the case that you can put any From address on an email that you choose, much like you can put any return address on a physical letter that you choose.

To extend the metaphor, the only way to verify that a letter was mailed by a given individual is to look at other details such as the postmark; likewise, the only REAL clue about who sent an email is the additional headers added by mail servers along the way that identify which server touched the message last.

The moral of the story: never trust a From address; security was never an intended feature of the email system. As Vint Cerf recently said about our existing Internet protocols: "We never intended for this stuff to get out."

tylerl
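The header dump in the question, and tylerl's point that only the trace headers added by servers along the way say anything real about where a message came from, as an added example (my code, not from the question or any of the answers). It walks a message's Received chain and its Authentication-Results header and shows what the receiving server actually verified: the SPF verdict applies to the envelope sender (smtp.mailfrom), which the web host's MTA fills in, not to the From header handed to mail(). The SAMPLE message is constructed for this example; it follows the shape of the question's headers, but every host name, address, IP and message ID is a placeholder standing in for the values elided on the page.

```python
"""Added example (not from the question or any answer): find out which
identity a receiving mail server actually checked, and compare it with the
From header the sender chose.

SAMPLE is a constructed message in the shape of the one quoted in the
question: injected by a PHP mail() call on a shared web host, relayed once,
and delivered with a forged From.  Hosts, addresses, IPs and IDs are
placeholders, not the original's elided values.
"""
import email
import re
from email.utils import parseaddr

SAMPLE = """\
Received: from smarty.relay.example (smarty.relay.example [203.0.113.8]) by mx.mailbox.example with ESMTP id w21si0000000abc.1; Tue, 19 Oct 2010 19:33:30 -0700 (PDT)
Received: from web1.relay.example (web1.relay.example [203.0.113.6]) by smarty.relay.example (Postfix) with ESMTP id EB56D6E804A for <alice@mailbox.example>; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)
Received: by web1.relay.example (Postfix, from userid 3598506) id E4BB635C83F; Tue, 19 Oct 2010 19:33:29 -0700 (PDT)
Return-Path: <www-data@web1.relay.example>
Received-SPF: pass (mailbox.example: domain of www-data@web1.relay.example designates 203.0.113.8 as permitted sender) client-ip=203.0.113.8;
Authentication-Results: mx.mailbox.example; spf=pass (mailbox.example: domain of www-data@web1.relay.example designates 203.0.113.8 as permitted sender) smtp.mailfrom=www-data@web1.relay.example
From: alice@mailbox.example
To: alice@mailbox.example
Subject: test

hello
"""


def domain_of(addr):
    """Domain part of an address written in any common header form."""
    _, bare = parseaddr(addr or "")
    return bare.rpartition("@")[2].lower() or None


def parse_spf(auth_results):
    """SPF verdict and the identity it was evaluated for, taken from an
    Authentication-Results header ('spf=<verdict> ... smtp.mailfrom=<addr>')."""
    flat = " ".join((auth_results or "").split())
    verdict = re.search(r"\bspf=(\w+)", flat)
    ident = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", flat)
    return (verdict.group(1) if verdict else None,
            ident.group(1) if ident else None)


def origin_hop(received):
    """Received headers are prepended as the message travels, so the last one
    is the first hop: the host after 'by' injected the message.  Postfix also
    records the local uid that submitted it, the nearest thing to a postmark."""
    if not received:
        return None, None
    first = " ".join(received[-1].split())
    host = re.search(r"\bby\s+([\w.-]+)", first)
    uid = re.search(r"\bfrom userid (\d+)", first)
    return (host.group(1) if host else None,
            uid.group(1) if uid else None)


def trace(raw):
    """Summarise who the message claims to be from versus what was verified."""
    msg = email.message_from_string(raw)
    header_from = domain_of(msg.get("From"))
    verdict, ident = parse_spf(msg.get("Authentication-Results"))
    if ident is None:                      # no smtp.mailfrom: use the envelope sender
        ident = msg.get("Return-Path")
    spf_domain = domain_of(ident)
    host, uid = origin_hop(msg.get_all("Received", []))
    return {
        "header_from_domain": header_from,
        "spf_result": verdict,
        "spf_identity_domain": spf_domain,
        # SPF vouches for the envelope (MAIL FROM) domain only; a pass says
        # nothing about the From header unless the two domains coincide.
        "spf_covers_from": verdict == "pass" and spf_domain == header_from,
        "origin_host": host,
        "origin_userid": uid,
    }


if __name__ == "__main__":
    for key, value in trace(SAMPLE).items():
        print(f"{key:>20}: {value}")
```

Run on the sample, `spf_covers_from` comes out False: the relay's IP is a permitted sender for the envelope domain the web host supplied, so SPF passes, while the From header was never part of that check. That is the same situation as the question's headers, where the forged From and "spf=pass" coexist without contradiction. The only origin evidence is the bottom Received line: the injecting host and, because that MTA is Postfix, the local userid of the process that called mail(). Tying the From domain to an authenticated identity is a separate check (later standardised as DMARC alignment), which a bare SPF pass does not give you.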
+1  A: 

Yes, the From header is just a header; anyone can claim to be anyone using email. However, most mail servers will consider as spam anything where the IP address of the sending server doesn't match the DNS MX record for the From email address.

tobyodavies