We are allocating emails to users' online accounts. We discovered you can send a false email with a script by changing the "From" or "Reply-To" in the email header. There must be a safe way to test the authenticity of such an email, that is, whether it is genuinely from the correct domain or from an email server that is allowed to send for this email address?
Below is an example of a false email that we managed to send to our online platform; by looking at the "From", our script allocated it to that person's account. The example here fakes user1@companydomain.com and got through to the user's account because the PHP IMAP script uses the From address to allocate the email to the user's account. Any suggestions on a safe/automated way to do this will be appreciated.
Delivered-To: upload@ouronlineplatform.com
Received: IP with SMTP id GHVKHOHBLL;
        Thu, 16 Oct 2014 12:11:16 -0700 (PDT)
X-Received: by IP with SMTP id p3mr4338460wjo;
        Thu, 16 Oct 2014 12:11:15 -0700 (PDT)
Return-Path: <daemon@mymacbook.local>
Received: from mymacbook.local (hostipxxxx.btcentralplus.com. [IP])
        by mx.google.com with ESMTP id xxxxxxxxx5
        for <upload@ouronlineplatform.com>;
        Thu, 16 Oct 2014 12:11:15 -0700 (PDT)
Received-SPF: none (google.com: mymacbook.local does not designate permitted sender hosts) client-ip=IP;
Authentication-Results: mx.google.com;
        spf=neutral (google.com: daemon@mymacbook.local does not designate permitted sender hosts) smtp.mail=daemon@mymacbook.local
Received: by mymacbook.local (Postfix, from userid 1)
        id E6F761687C71; Thu, 16 Oct 2014 20:11:14 +0100 (BST)
To: upload@ouronlineplatform.com
Subject: testing
X-PHP-Originating-Script: 501:email_spoofing2.php
From: user1@companydomain.com
Reply-To: user1@companydomain.com
X-Mailer: PHP/5.4.31
Message-Id: <20141016191114.E6F761687C71@mymacbook.local>
Date: Thu, 16 Oct 2014 20:11:14 +0100 (BST)
hello
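One automated way to make this decision, as an added example that is not part of the original question or its PHP IMAP script: read the Authentication-Results header that your own receiving MTA stamped (assumed here to be mx.google.com, the authserv-id visible in the headers above) and accept the From address only when that MTA recorded a DKIM or SPF pass for a domain aligned with the From domain, which is the DMARC alignment rule. The headers already say why the message above must be rejected: spf=neutral, and the envelope sender daemon@mymacbook.local has nothing to do with companydomain.com. The four sample messages are constructed: the first is the question's headers cut down to what the check reads, the other three (a legitimate send, an attacker-supplied fake Authentication-Results header, and an SPF pass for an unaligned domain) are invented to exercise the edge cases. AUTHSERV_ID and all function names are this example's own.

```python
import email
import email.utils
import re

# Assumption: the MTA that delivers into the IMAP mailbox and stamps
# Authentication-Results (the one visible in the question's headers).
AUTHSERV_ID = "mx.google.com"

# Constructed sample: the spoofed message from the question, cut down to the
# headers the check reads; Authentication-Results is folded over two lines.
SPOOFED = """\
Authentication-Results: mx.google.com;
 spf=neutral (google.com: daemon@mymacbook.local does not designate permitted sender hosts) smtp.mail=daemon@mymacbook.local
From: user1@companydomain.com
"""

# Constructed sample: same From, sent by companydomain.com's own server, so
# the MTA records dkim=pass and spf=pass for an aligned domain.
LEGIT = """\
Authentication-Results: mx.google.com;
 dkim=pass header.i=@companydomain.com header.d=companydomain.com;
 spf=pass (google.com: domain of user1@companydomain.com designates 203.0.113.5 as permitted sender) smtp.mailfrom=user1@companydomain.com
From: user1@companydomain.com
"""

# Constructed sample: the attacker prepends a fake pass under their own
# authserv-id; the real MTA result still says neutral.
FAKE_AR = """\
Authentication-Results: mymacbook.local; spf=pass smtp.mailfrom=user1@companydomain.com
Authentication-Results: mx.google.com;
 spf=neutral (google.com: daemon@mymacbook.local does not designate permitted sender hosts) smtp.mail=daemon@mymacbook.local
From: user1@companydomain.com
"""

# Constructed sample: SPF passes, but for the attacker's own envelope domain,
# which is not aligned with the From domain.
UNALIGNED = """\
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of daemon@attacker.example designates 198.51.100.7 as permitted sender) smtp.mailfrom=daemon@attacker.example
From: user1@companydomain.com
"""

def parse_auth_results(value):
    """-> (authserv_id, [(method, result, {ptype.property: value}), ...])"""
    value = re.sub(r"\r?\n[ \t]+", " ", value)   # unfold continuation lines
    value = re.sub(r"\([^)]*\)", " ", value)      # drop the (comments)
    parts = [p.strip() for p in value.split(";") if p.strip()]
    if not parts:
        return None, []
    authserv_id = parts[0].split()[0].lower()
    results = []
    for part in parts[1:]:
        tokens = part.split()
        if "=" not in tokens[0]:
            continue                      # e.g. the literal "none"
        method, result = tokens[0].lower().split("=", 1)
        props = {}
        for tok in tokens[1:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                props[k.lower()] = v.lower()
        results.append((method, result, props))
    return authserv_id, results

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def aligned(domain, from_domain):
    """Relaxed DMARC-style alignment, simplified: equal, or one a subdomain of
    the other (assumption: no public-suffix list, so co.uk-style TLDs are not handled)."""
    if not domain or not from_domain:
        return False
    return (domain == from_domain or domain.endswith("." + from_domain)
            or from_domain.endswith("." + domain))

def authenticated_sender(raw):
    """Return the From address only if our own MTA recorded a DKIM or SPF
    pass for a domain aligned with it; otherwise None (do not allocate)."""
    msg = email.message_from_string(raw)
    _, from_addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not from_domain:
        return None
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(hdr)
        if authserv_id != AUTHSERV_ID:
            continue     # not stamped by our MTA: anyone upstream could write it
        for method, result, props in results:
            if result != "pass":
                continue
            if method == "dkim" and aligned(props.get("header.d", ""), from_domain):
                return from_addr
            if method == "spf":
                # RFC 8601 names it smtp.mailfrom; the question's MTA wrote smtp.mail
                mailfrom = props.get("smtp.mailfrom") or props.get("smtp.mail", "")
                if aligned(domain_of(mailfrom), from_domain):
                    return from_addr
    return None
```

Two things make this safe to rely on. First, only a result carrying your own MTA's authserv-id counts, and the Authentication-Results specification (RFC 8601) requires the receiving MTA to remove any incoming header that already claims that id, so a sender cannot forge a pass; check that your MTA actually does this before trusting the header. Second, a pass only means something when the authenticated domain aligns with the From domain: an attacker can easily get spf=pass for an envelope domain they control, as the unaligned sample shows. Messages whose From cannot be authenticated belong in a quarantine mailbox for manual review, not in a user's account. Whether a legitimate sender passes at all depends on companydomain.com publishing SPF and signing with DKIM, which is outside your control; if that cannot be assumed, the alternative that avoids trusting From entirely is to give each user a secret, unguessable upload address and allocate on the recipient instead.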