Add received field in email envelope - email

I was wondering if it is possible for a malicious entity to add a Received field in an email header, pretending an SMTP server received/processed an email even if that was not the case?
Thank you in advance for the help

Related

553 5.1.3 The recipient address is not a valid RFC-5321 address

When sending bulk emails I was receiving several error messages that said:
553 5.1.3 The recipient address <john#example.com > is not a valid RFC-5321 address.
The format of the email addresses looked completely valid so I couldn't figure out at first why these messages weren't being delivered.
Upon further inspection, I noticed that the recipient email addresses for each of the failed messages had a single space on the end. It's not as hard to see in the example I provided above, but the error report I was viewing had smaller font and would sometimes put a line break where the space was, so it wasn't as obvious. By the way, I was using the SendGrid API to send these emails, but I don't think that the issue would be unique to using SendGrid.
If you are using the node.js API for sending emails to people, you just need to add .trimRight() to your recipient's email address in your API, so in this way the white space will be removed and you can successfully send your email. :)
I was using Django Restful Api and my mistake was, when registering the users, I had interchanged the email field with the username field. So the SMTP server was using the username as the email address used to send the verification emails. I corrected that, interchanged the fields correctly, and it worked.

How to uniquely identify email reply?

I am building a ticketing system where users can raise a support ticket and agents can reply to the particular ticket and when the agent replied to a particular ticket I will send the reply to respective user email (email service using SendGrid).
My question is: when the user replies to the agent email, I will fetch that email with the SendGrid inbound parser, but I am stuck on how to uniquely identify which ticket the user has replied to. I have two ideas: attaching a JWT in the header, or a unique email address resembling the ticket id (ticket-id-2654654#example.com), but I don't know what will work.
You could send a custom Message-ID Header (RFC 2392) with your E-Mail. Responses to your E-Mail should then contain a References and/or In-Reply-To header containing the Message-ID of the E-Mail that was answered.
Edit: Just tested it with Zendesk and Zammad. They both seem to identify responses in that way.
You mention having a unique email address, not unlike a VERP (Variable Envelope Return Path) address. VERP is most pertinent if it's dealing with bounces, since it refers to the address used for the SMTP MAIL FROM:,
MAIL FROM:<ticket-id-2654654#example.com>
in particular it is helpful to identify which emails bounce - the email likely never arrives in a mailbox at the remote end. Note that the address used during the SMTP conversation like this will be recorded at the top of the received email with a 'Return-Path:' header.
Assuming an email doesn't bounce then how to ensure an email with a recognisable identifier comes back:
MysteriousPerson's custom Message-ID: header suggestion is excellent; also specify a VERP address in a Reply-To: header - so one or both of the identifiers you put there should be found in the reply to decode which ticket/user the original message was sent to. You have the choice of using the same VERP address in the From: header or something more human-friendly, depending on what you want the recipient to see. Since Reply-To: is specified, client software will use that for replies.
The main RFCs on SMTP and message format are likely to be helpful if you're not already aware of them.

How to authenticate Inbound Mail? With SendGrid specifically?

I created an application which uses SendGrid's Inbound Parse Webhook. Whenever someone emails "whatever#mydomain.com", the email goes to SendGrid, and then SendGrid hits our server with a POST containing the email's contents. We can then feed that email data back into our main application.
I have it all working. But now I do not know how I am supposed to authenticate the messages SendGrid posts to our server. Does anyone know the best course of action for doing this? Verifying that our inbound emails actually come from authorized users of our main application?
Obviously we can check the "From" address in the headers, but I've read that these can be completely spoofed. Apparently "dkim" and "spf", two attributes of the incoming mail from SendGrid, have something to do with authorization. But I cannot find anything in the documentation, or really anywhere else for that matter, that tells me how I should be consuming these "dkim" and "spf" fields to verify message authenticity.
If anyone has any help, general, specific, or otherwise.. It would be greatly appreciated. Thanks in advance.
Well. Since this doesn't seem to be getting a lot of traction I thought I'd post my own janky-ass solution to the problem, on the off chance that anyone else runs across this issue in the future.
Disclaimer: this could be total garbage nonsense. But it appears to be working all right.
Basically I ended up taking some critical contextual information about the original message that initiated the inbound email. We encode that information in the local-part of the "Reply To" address that we set up with the SendGridMessage. Then I encrypt the encoded local-part.
When SendGrid POSTs to our server with the inbound email, we decrypt the "TO" local-part and validate the result. If it decrypts successfully, we check the "FROM", and verify that they are an actual authorized user of our main application. THEN, we verify that THAT user in question has the correct permissions to edit the information associated with the original encoded local-part of the "Reply To".
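The scheme from the answer above, which also covers the unique reply address from the ticketing question, as an added example that is not the poster's code. It swaps in an HMAC signature for the encryption the answer describes, so the ids stay readable but cannot be altered or forged. `SECRET`, `DOMAIN`, the `t.<ticket>.<user>.<tag>` layout and the `users` lookup are assumptions.

```python
import base64
import hashlib
import hmac
from email.utils import parseaddr

SECRET = b"constructed-demo-key"   # assumption: load from a secret store in practice
DOMAIN = "reply.example.com"       # hypothetical inbound-parse domain
TAG_BYTES = 10                     # 80-bit truncated HMAC -> 16 base32 characters


def _tag(ticket_id: int, user_id: int) -> str:
    msg = f"{ticket_id}.{user_id}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()[:TAG_BYTES]
    # base32 survives case folding by mail systems; base64 would not
    return base64.b32encode(digest).decode().lower()


def make_reply_to(ticket_id: int, user_id: int) -> str:
    """Build the Reply-To address that binds a reply to one ticket and one user."""
    local = f"t.{ticket_id}.{user_id}.{_tag(ticket_id, user_id)}"
    if len(local) > 64:            # RFC 5321 local-part limit
        raise ValueError("local-part too long")
    return f"{local}@{DOMAIN}"


def verify_inbound(to_header: str, from_header: str, users: dict):
    """Return (ticket_id, user_id) if the reply address is authentic, else None."""
    _, to_addr = parseaddr(to_header)
    local, _, domain = to_addr.strip().lower().rpartition("@")
    parts = local.split(".")
    if domain != DOMAIN or len(parts) != 4 or parts[0] != "t":
        return None
    if not all(p.isascii() and p.isdigit() for p in parts[1:3]):
        return None
    ticket_id, user_id = int(parts[1]), int(parts[2])
    # constant-time comparison of the presented tag with the recomputed one
    if not hmac.compare_digest(parts[3].encode(), _tag(ticket_id, user_id).encode()):
        return None
    # secondary check, as in the answer: From must be the user the ticket was sent to
    _, sender = parseaddr(from_header)
    if users.get(user_id) != sender.strip().lower():
        return None
    return ticket_id, user_id
```

The tag is what authenticates the reply; the From comparison only narrows it to the expected user, since From itself can be spoofed.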

How to exactly identify email sender?

We have a web app that is able to interact with users by email messages. So a user sends an email message to us, then we identify the user by the from/sender fields from the header.
But I detected header fields can easily be spoofed!
Is it possible to somehow exactly identify the email of the sender? Any ideas?
Thank you!
E-mail protocol doesn't provide security. There are no standard ways to protect the header fields.
A sender can attach some secret code on each letter but it's not e-mail protocol scope.

how to confirm email source

I send an email from my smtp server, for example, setting From to anyemail#anydomain.com. The recipient will think that email comes from anydomain. How to confirm the email source?
There are several approaches to dealing with email forgery:
Use PGP or SSL signed certificates
Use SPF
check the Received headers (although this isn't reliable)
reply back to the sender and ask if they actually sent it. If you know the sender, maybe ask them in person or over the phone.
The main thing to realise is that the From: address isn't any form of guarantee about the originator of a message.
Edit: okay I now understand that you're just trying to tag the mail message somehow so that you can recognise which server generated it (in a non-secure way). Here's how using .NET's MailMessage:
System.Net.Mail.MailMessage msg = new System.Net.Mail.MailMessage();
msg.Headers.Add("X-Is-Development", "true");
Email Headers has more details.