How to confirm sender of an incoming email? [duplicate]
https://stackoverflow.com/questions/9035015
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Possible Duplicate:
how to confirm email source
I would like to know how do email services such as Hotmail and Yahoo confirm that the "From" header was not spoofed. I mean, you didn't try to send an email in behalf of someone else.
I was now trying to spoof on Facebook Messages, using a php script to send an email to my @facebook.com email, spoofing the "From". I received it in behalf of that friend account. However, an alert saying "Unable to confirm --Friend Name-- as the sender." appeared.
What does Facebook (and other services) do to confirm that?
Please note that extensions (emailname+extension@mydomain.com) would not work for me. My idea is to simulate something similar as Facebook Messages support for emails.
I believe that just checking headers is not enough. I assume I'll have to check DNS/SPF stuff, but I'm not sure how to do that, and even what to do.
It would help me allot if you could indicate me some "algorithm" (preferentially in php) with steps to check for spoofing. Thank you!
Solution
As a domain owner you can implement SPF into your DNS zone. It allows you to set IP addresses of servers that are allowed to send mail on behalf of your domain. If another IP tries to send mail with your domain name as sender, it will be rejected by any mailserver that checks for SPF (and luckily, more and more start doing so!). There is never a hard guarantee that no one will ever send spoofed mail out of your name, but it significantly reduces the chance.
OTHER TIPS
As Oldskool suggests, SPF is a widely used method for detecting falsified From (and reply-to) addresses - however most email providers use a much wider barrage of checking to seperate spam from ham.
Spamassassin is an open source project provide both a management program and a set of plugins (and an API for developing your own) including SPF for validating emails.
