4

I am trying to secure my website against any potential DDoS attacks by using Cloudflare services. I am hosting all the emails with Google and I am using PHPMailer to connect to Gmail SMTP and send emails via that.

After all this it seems that any attacker can easily find the original IP of my server by using any feature from my website that sends him an email, because even though I am using Gmail SMTP, the server's IP still appears in the headers:

Received: from www.domain.com (mail.domain.com [1.2.133.233])

Currently I do not know how to keep sending emails from my website while also protecting my server's privacy and hiding the IP (or showing the IP of the SMTP instead). There are some features on my website that require automatic email sending so I cannot disable that unfortunately.

Should I use the Gmail API? Would that be any better?

Or should I use another service for sending emails, like a remote service?

Any suggestions please?

NVG
  • I highly doubt Gmail would let you send email anonymously using their SMTP servers like that. – Mike May 02 '16 at 16:34
  • @Mike You mean even if using the Gmail API? – NVG May 02 '16 at 16:40
  • You could always try it and see what happens. I've never used the API for sending mails before, only SMTP. – Mike May 02 '16 at 16:54
  • @Mike Thanks for the extremely "useful" suggestion. – NVG May 02 '16 at 17:17
  • No need to get hostile there. It should probably take you 10-15 minutes to [set up the Gmail API](https://developers.google.com/gmail/api/quickstart/php) and get a simple script going to test [sending mails](https://developers.google.com/gmail/api/v1/reference/users/messages/send). – Mike May 02 '16 at 17:27
  • @Mike I felt it was simpler to ask a basic question related to Gmail API rather than doing this myself. If you want to be helpful, then please show it. Don't waste time telling things that I already said (that if I use SMTP Gmail, then it will show the IP). I am not hostile, but you are sounding like a robot. You repeat stuff from my post and then you tell me to try and see what will happen. Nothing useful. – NVG May 02 '16 at 17:35

2 Answers

2

You could use a service like MailGun

It's easy to set up, free unless you are high volume, and it's considered good practice if these are transactional emails.

I use the service with most of our sites and I just double checked that the site IP is not disclosed.

Good luck!

David Taiaroa

1

Either:

a) Use a remote mail exchanger. Some will add a FORWARDED_FOR header, but most strip that out upon receiving it.

b) Use a different IP for e-mailing so that in the event of an attack against you, you can null that IP, rendering only email down.

c) Look at options that provide you with DDoS mitigation for the backend server.

CmdrSharp
  • Adding to this, using a remote mail exchanger can, depending on the type of e-mails you're sending, be very beneficial in terms of improving deliverability and not having to deal with IP reputation as well. – CmdrSharp May 02 '16 at 16:34
  • Can an example of a "remote mail exchanger" be given? – NVG May 02 '16 at 16:41
  • MailGun, Mandrill (now MailChimp), SendGrid - these are some of the most popular transactional services. – CmdrSharp May 02 '16 at 16:42
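
One way to verify what the answers above describe, as an added example that is not part of the original posts: after switching the sending path, have the site mail a test message to yourself, save the raw source, and scan every header (not only `Received`) for the origin server's address. The function names, the `X-Originating-IP` line and the sample messages are constructed for this example; only the first `Received` line is the one quoted in the question.

```python
import ipaddress
import re
from email import message_from_string

ORIGIN_IPS = ["1.2.133.233"]  # the web server address hidden behind the proxy

# Constructed test messages. The first Received line is the one quoted in the
# question; every other header and address is made up for this example.
DIRECT = """\
Received: from www.domain.com (mail.domain.com [1.2.133.233])
\tby smtp.example.net with ESMTPSA id abc123; Mon, 02 May 2016 16:30:04 +0000
From: site@domain.com
Subject: Password reset

body
"""
RELAYED = """\
Received: from out.relay.example (out.relay.example [198.51.100.25])
\tby mx.example.org with ESMTPS id q7; Mon, 02 May 2016 16:30:04 +0000
X-Originating-IP: [::ffff:1.2.133.233]
From: site@domain.com
Subject: Password reset

body
"""
CLEAN = RELAYED.replace("X-Originating-IP: [::ffff:1.2.133.233]\n", "")

TOKEN = re.compile(r"[0-9A-Fa-f:.]{3,}")  # anything that could be an IP literal

def _addresses(value):
    """Yield every IP literal found in one header value, normalised."""
    value = re.sub(r"(?i)ipv6:", " ", value)  # handle the "[IPv6:2001:db8::1]" form
    for token in TOKEN.findall(value):
        try:
            ip = ipaddress.ip_address(token.strip("."))
        except ValueError:
            continue  # timestamps, queue ids and other look-alikes
        # Treat IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it wraps.
        yield getattr(ip, "ipv4_mapped", None) or ip

def find_ip_leaks(raw_message, origin_ips):
    """Return (header name, ip) pairs for headers that disclose an origin IP."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    msg = message_from_string(raw_message)
    return [(name, str(ip)) for name, value in msg.items()
            for ip in _addresses(value) if ip in origins]

if __name__ == "__main__":
    for label, raw in (("direct", DIRECT), ("relayed", RELAYED), ("clean", CLEAN)):
        print(label, find_ip_leaks(raw, ORIGIN_IPS))
```

An empty result for a message sent through the new path is what you want; any hit names the header that still carries the server address.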