2

Possible Duplicate:
how to confirm email source

I would like to know how email services such as Hotmail and Yahoo confirm that the "From" header was not spoofed. I mean, that you didn't try to send an email on behalf of someone else.

I was just now trying to spoof on Facebook Messages, using a PHP script to send an email to my @facebook.com email, spoofing the "From". I received it on behalf of that friend's account. However, an alert saying "Unable to confirm --Friend Name-- as the sender." appeared.

What does Facebook (and other services) do to confirm that?

Please note that extensions (emailname+extension@mydomain.com) would not work for me. My idea is to simulate something similar to Facebook Messages' support for emails.

I believe that just checking headers is not enough. I assume I'll have to check DNS/SPF stuff, but I'm not sure how to do that, and even what to do.

It would help me a lot if you could point me to some "algorithm" (preferably in PHP) with steps to check for spoofing. Thank you!

Nuno

2 Answers

1

As a domain owner you can implement SPF in your DNS zone. It allows you to set the IP addresses of servers that are allowed to send mail on behalf of your domain. If another IP tries to send mail with your domain name as sender, it will be rejected by any mailserver that checks for SPF (and luckily, more and more are starting to do so!). There is never a hard guarantee that no one will ever send spoofed mail in your name, but it significantly reduces the chance.

Oldskool
  • I see. But isn't IP spoofing allowed as well? I mean, you spoof "From" and spoof the IP using one of those included in the SPF record. Thank you. – Nuno Jan 27 '12 at 13:54
  • In general you can't spoof your IP address on a TCP connection - the server you connect to has to know the real IP address to send back its half of the connection. – jcoder Jan 27 '12 at 13:59
  • Ah! That's good then. So all I need to do in my PHP script is to check the IP and see if it is listed in the SPF record of the domain of From, and that's all? Please just confirm this with me. Thank you for your useful answer! – Nuno Jan 27 '12 at 14:05
  • SPF is for IP authorization specifically. A domain can designate which servers are allowed to send email in its name (or it can designate "anything goes"; the spec is decidedly flexible). The checking should happen on the server which accepts mail for you; it knows which IP address is connecting to it (TCP requires handshakes, so cannot really be spoofed). – tripleee Jan 27 '12 at 16:22
  • SPF is actually spoof-able, so the only real rock-solid way of "confirming senders" is through DKIM signatures. Those are very difficult to spoof, and are actually what Hotmail and Yahoo are really looking for. – JonLim Jan 27 '12 at 18:32
  • Thank you for all of your comments. I'll have to research methods of validating DKIM and, eventually, SPF, through PHP, if possible. Your help was worth a lot to me! – Nuno Jan 27 '12 at 19:53
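
As an added example (not code from any of the posters), here is the check discussed in the comments above, written in PHP: the connecting IP is matched against the `ip4`, `ip6` and `all` terms of an SPF record. The record string and addresses are constructed, the `unsupported` result is a label made up here for terms that need further DNS lookups, and per RFC 7208 the record to evaluate is that of the envelope sender (MAIL FROM) domain, which may differ from the "From" header.

```php
<?php

/** True if $ip lies inside $cidr (IPv4 or IPv6; the prefix length is optional). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$netStr, $len] = array_pad(explode('/', $cidr, 2), 2, null);
    $addr = @inet_pton($ip);
    $net = @inet_pton($netStr);
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false; // unparsable address, or IPv4 compared against IPv6
    }
    $max = strlen($net) * 8;
    $bits = $len === null ? $max : (ctype_digit($len) ? (int) $len : -1);
    if ($bits < 0 || $bits > $max) {
        return false; // malformed prefix length
    }
    $mask = str_repeat("\xFF", intdiv($bits, 8)); // whole bytes of the prefix
    if ($bits % 8) {
        $mask .= chr((0xFF << (8 - $bits % 8)) & 0xFF); // leftover high bits
    }
    $mask = str_pad($mask, strlen($net), "\x00");
    return ($addr & $mask) === ($net & $mask);
}

/** Returns pass, fail, softfail, neutral, none, or "unsupported" (label made up for this example). */
function spfCheck(string $record, string $clientIp): string
{
    $terms = preg_split('/\s+/', trim($record));
    if (strtolower($terms[0]) !== 'v=spf1') {
        return 'none';
    }
    $results = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];
    foreach (array_slice($terms, 1) as $term) {
        $hasQualifier = isset($results[$term[0]]);
        $mech = $hasQualifier ? substr($term, 1) : $term;
        $result = $results[$hasQualifier ? $term[0] : '+'];
        $isAll = strtolower($mech) === 'all';
        if (!$isAll && !preg_match('/^ip[46]:(.+)$/i', $mech, $m)) {
            return 'unsupported'; // a, mx, include, redirect etc. need DNS lookups
        }
        if ($isAll || ipInCidr($clientIp, $m[1])) {
            return $result; // first matching term decides
        }
    }
    return 'neutral'; // RFC 7208 default when no term matched
}

$record = 'v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all'; // constructed sample record
foreach (['192.0.2.25', '198.51.100.7', '2001:db8::1'] as $ip) { printf("%-15s %s\n", $ip, spfCheck($record, $ip)); }
```

For live mail, the TXT records can be fetched with `dns_get_record($domain, DNS_TXT)`, and the client IP has to be the address of the connecting SMTP peer as seen by the server that accepts the mail.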
1

As Oldskool suggests, SPF is a widely used method for detecting falsified From (and reply-to) addresses - however most email providers use a much wider barrage of checks to separate spam from ham.

SpamAssassin is an open source project providing both a management program and a set of plugins (and an API for developing your own), including SPF, for validating emails.

symcbean
  • So, I'm now curious. If my cPanel has SpamAssassin, can I just auto-delete "invalid" messages directly from there, so that I don't need to worry about the PHP part that checks for piped emails? Or isn't that a good idea (or even possible)? Thank you! – Nuno Jan 27 '12 at 14:55
  • No - you want to keep and manage your spam to train the Bayesian filters. – symcbean Jan 30 '12 at 08:59