tags:

views:

31

answers:

2
Q: 

Check if sender is valid with imap in C#

I know it is possible to send an email with a fake address to impersonate someone else. I seen automated emails coming from my friend email address that he sent to me but did not write himself.

I know email servers ask the email provider if they really sent the message and if it is no it tends to go into spam or is marked untrusted. How do i access this data in my app? I havent chosen an imap library and thats because i dont know which may support this.

+1  A: 

This functionality is not supported by imap.

Some servers store information like this in the header of the mail (like spamassassin info or SPF checks) so that is available with any imap library but depends highly on the mail server the app is connecting to.

Martin S  2010-08-11 09:13:31
great answer. (2chars to go)
acidzombie24  2010-08-11 09:18:41
+1  A: 

In general it's not possible with IMAP. IMAP is intended for reading email, not for sending. You may try to fake email sender when sending email via SMTP protocol.

This is exactly what spam senders do (and what mail servers tries to detected).

It used to easy. SMTP dialog follows:

        S: MAIL FROM:<[email protected]>
        R: 250 OK

        S: RCPT TO:<[email protected]>
        R: 250 OK

        S: DATA
        R: 354 Start mail input; end with <CRLF>.<CRLF>
        S: Blah blah blah...
        S: ...etc. etc. etc.
        S: <CRLF>.<CRLF>
        R: 250 OK

But now things are getting more interesting. There is still race of arms between those two - for example:

Attack

Try to submit false "FROM:" address during communication with SMTP server.

Defense: SMTP server may require you to authenticate and allow only 'from' address associated with your account.

Another attack

Try to use third party SMTP server that has no such rule.

Defense (third party SMTP server): Allow sending only emails with 'from' domains matches with 'own' domains.

Defense (recipient's SMTP server): Add SPF record to your domain. This records includes all hosts that are allowed to send email with sender in this domain. If the email is sent from not allowed host increase it's spam score or delete it.

Another attack

Infect computer which is allowed to send email for specified domain with virus and send emails using it.

Defense: Educate users and/or use good antivirus.

And so on... There will be always ways how to fake sender's email address and how to fake it. Check following links for more info:

Martin Vobr  2010-08-11 11:22:17

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?