Mandrill has inbound email processing, in which you can set up a catch-all address for which incoming e-mail will be posted to a specified URL.
For example, e-mails to *@sub.domain.com could get posted to http://mydomain.com/process.
Is there a service that will work this way but that allows you to "re-route" the e-mails? Say if a post to the URL above returns a specific code, say 403, the e-mail will be swallowed, but when a 200 code is returned, the e-mail gets sent to a specific address, without modification, just as if it was originally sent to that address.
I guess I could code a script that would just re-send the e-mail, but I don't want to run into deliverability issues.
I'm not sure I'm explaining this clearly, so here's a specific example:
1) E-mail to newsletters@sub.domain.com is received by a Mandrill-like service (the receiver)
2) That service posts the e-mail to http://mydomain.com/process (let's call this the processor)
3) The processor either:
   a) Returns a 403, in which case nothing else happens
   b) Returns a 200, and a destination address, and then the receiver delivers that e-mail to the new destination
EDIT: I realize I could just use Mandrill to re-send the e-mail, but wouldn't I run into problems given I won't be the original sender? For example, if I receive an e-mail from support@microsoft.com and then I re-send that e-mail to another address, could I be flagged as a spammer or have other issues with deliverability? So this might not be possible at all?
It seems it is indeed impossible to do what I want, otherwise anybody could spam the world with no problems. However, Mandrill just added this feature, which might come in handy:
http://help.mandrill.com/entries/23374656-Can-I-send-emails-on-behalf-of-my-clients-
This is just an experiment, but I'm going to try and resend mails to my own server instead of forwarding to the original receiver, so then an e-mail client can pull the messages from there.
Just for knowledge purposes, I want to know if it is possible to know whether email spoofing has been done successfully or not. Suppose I am sending an email from someone's account: what if the receiver doesn't exist? I mean, will I get any error as a spoofer saying that the receiver doesn't exist and the email can't be sent? Thanks
There is no way to know for certain, but you can make an educated guess.
First, when sending an email to a non-existent recipient and the recipient's server is configured to report this to the sender (pretty much the default behaviour), this reporting can happen either:
1) During the email transmission. The SMTP conversation with the recipient's server may very well fail at RCPT TO: (i.e. when the recipient is specified) or at the end of the DATA or BDAT commands (i.e. when the email has just been transmitted and the server either acknowledges this or rejects the email). If you receive a 5xx-type response at either stage, or, well, anytime earlier in the conversation, you can be sure the recipient did not get the message. Validation during email transmission is common.
2) After the email transmission. Servers that don't do recipient validation at the SMTP level will often accept and queue emails during the transmission, then generate a bounce report (also called a Delivery Status Notification/DSN or Non-Delivery Report/NDR) later and attempt to return it to the original message sender. As you have no access to the mailbox of the original message sender when spoofing, you will have no idea if such a bounce report is generated. This method of validation is still fairly common.
Second, you can embed a tracking image in your HTML email to see if the email was opened. This works by placing an HTML <IMG> element in the email that points to e.g. http://example.org/tracking-1x1.gif?uuid=<id>. The idea is that you track whether that image was downloaded. Be aware that virtually all modern email clients will disable downloading images from unknown sources and some action is required from the recipient to enable downloading images.
Third, you can spoof the MIME sender only. Emails have two distinct sets of addressee information: the envelope addressees and the MIME addressees. Emails are delivered based on what's written on the envelope, but email clients render the MIME information instead (what's inside the envelope). In other words, during the SMTP transmission you may specify a different sender address (MAIL FROM: command) from that in the email (From: header). The fun part is that bounce reports are sent to the envelope sender address, a.k.a. the Return-Path, so if you have access to the envelope sender mailbox, you can receive a bounce report no matter what stage it was rejected. Note that you will reveal yourself, either through the mail server logs or through the email header, where the Return-Path header will contain the envelope sender address.
Please use the above information for "knowledge purposes" only. Be aware that email spoofing is likely a crime in just about any country.
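The envelope/header split described in this answer is also what a receiving side can check. The following Python is an added example, not part of the original answer: it compares the Return-Path (envelope sender) with the From: address on constructed sample messages. The function names and the "same domain or subdomain" rule are assumptions made for illustration.

```python
import email
from email.utils import parseaddr

def domain(header_value):
    """Lower-cased domain of the address in a header value ('' if none)."""
    return parseaddr(header_value or "")[1].partition("@")[2].lower()

def related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_sender(raw):
    """Compare the envelope sender (Return-Path) with the displayed From: address."""
    msg = email.message_from_string(raw)
    env, shown = domain(msg["Return-Path"]), domain(msg["From"])
    if not shown:
        verdict = "no From: address"
    elif not env:
        verdict = "null or missing envelope sender"  # bounce reports use <>
    elif related(env, shown):
        verdict = "aligned"
    else:
        verdict = "mismatch"  # the client shows one sender, bounces go to another
    return {"envelope": env, "from": shown, "verdict": verdict}

# Constructed sample messages; every address here is made up.
SAMPLES = {
    "newsletter": "Return-Path: <bounces@mail.example.com>\n"
                  "From: Shop <news@example.com>\n\nhi\n",
    "lookalike": "Return-Path: <x@sender.example.net>\n"
                 "From: Support <support@example.org>\n\nhi\n",
    "bounce": "Return-Path: <>\nFrom: MAILER-DAEMON@mx.example.net\n\nhi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_sender(raw))
```

A mismatch alone is not proof of spoofing, since mailing services legitimately use their own bounce domain; it is a signal to weigh with the mail server logs mentioned above.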
I'm creating an email a friend type system where I need our mail server to send emails from the user of the site to their friend, i.e. from fred@gmail.com, to tony@gmail.com.
If, as is the case in this example, the users are both part of Gmail, the friend would receive an email with the warning "This message may not have been sent by: fred@gmail.com".
I thought that by then adding a 'sender' header with our email (e.g. us@company.com) this should indicate to Gmail that we are the sender and are effectively openly spoofing the sender at their request. Is this true, can you get around Gmail's warning using the 'sender' header?
I realise this is similar to the following question but I'm more interested in whether the sender header should have an effect: Email sent from web server causes gmail to treat as phishing. How to get rid of this?
More info:
I'm using netmailbot to send emails from our mail server using the '-customheader' parameter with 'sender' and 'x-sender' e.g. '-customheader sender:us@company.com x-sender:us@company.com'
If gmail doesn't fail miserably, you have no way to suppress this warning.
Google is in control of both accounts and therefore knows that this mail wasn't sent by fred using their infrastructure.
Some third-party infrastructure (yours) was used, and that is all this warning is about.
You can set an arbitrary email address as "from" and Google has no knowledge if this is legitimate use (if fred really wrote the message). Anyone could have written that message. Normally fred would use Google's infrastructure to send mails and then they would know it's him.
A cleaner solution would be to put your email address ("noreply@company.com") as from header (that would be honest) and set fred@gmail.com as reply-to header (so he gets the replies).
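The From/Reply-To arrangement suggested in this answer, written out in Python as an added example (not code from the original answer or from netmailbot). The bounce mailbox, the subject line and the function names are assumptions; the address check is there because an "email a friend" form passes user input into mail headers.

```python
import smtplib
from email.message import EmailMessage
from email.utils import parseaddr

SITE_FROM = "noreply@company.com"    # the site's own address, as in the answer
BOUNCE_ADDR = "bounces@company.com"  # hypothetical monitored mailbox for bounces

def clean_addr(value):
    """Accept exactly one bare address; reject header-injection attempts."""
    if any(c in value for c in "\r\n,;<>"):
        raise ValueError("not a single plain address")
    addr = parseaddr(value)[1]
    if addr != value.strip() or addr.count("@") != 1:
        raise ValueError("not a single plain address")
    return addr

def build_friend_mail(user_addr, friend_addr, text):
    """Return (envelope sender, recipients, message) for an 'email a friend' mail."""
    user, friend = clean_addr(user_addr), clean_addr(friend_addr)
    msg = EmailMessage()
    msg["From"] = SITE_FROM        # honest: the site is the sender
    msg["Reply-To"] = user         # replies go to the user who asked for the mail
    msg["To"] = friend
    msg["Subject"] = "A friend sent you a message"  # assumed wording
    msg.set_content(text)
    return BOUNCE_ADDR, [friend], msg

def send(host, envelope_from, rcpts, msg):
    """Hand the message to an SMTP server; envelope_from becomes MAIL FROM."""
    with smtplib.SMTP(host) as smtp:
        smtp.send_message(msg, from_addr=envelope_from, to_addrs=rcpts)

if __name__ == "__main__":
    env, rcpts, msg = build_friend_mail("fred@gmail.com", "tony@gmail.com", "Look at this")
    print(env, rcpts)
    print(msg)
```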
I'm using Amazon cloud services to host my webpage. Our web site actually sends a lot of emails per hour. In one instant our server could be asked to send 30 mails or more.
Sometimes our clients complain about not getting emails from the web, which is connected to our mail server to send emails. This doesn't happen if we send the email directly from our addresses to theirs, so I pretty much know it is the web page that's causing the problem.
The thing is I don't know what is happening, nor do I know what to look for. I've checked memory and CPU of that server and everything seems to work fine.
Make sure your website sends the messages with a correct bounce address (aka envelope sender address). This does not have to be the same thing as the address in the From: header. By default, this is often something like "apache@www.example.com" (I don't know about Amazon). These types of bounce addresses are bad because usually you don't receive the error message if something goes wrong. Use a real email account. To check what bounce address you currently use, look at the message source of a received mail and see the Return-Path header.
Check the logs of your mailserver for those missing messages. Either it reports an error (in which case you should get the error to your bounce address) or it reports the message as sent to the target server (in which case you tell your clients to check THEIR maillogs since you can prove you have sent the message).
I'm designing a capability to send emails out for my app.
I was wondering, once I send out an email, is there any way to find out whether:
1) the email address exists and is real
2) the email was received
3) if not received, what the problem was? (mailbox full, email address invalid etc.)
4) the email was read (probably asking too much but would be good)
Do I get any feedback at all?
I'm using the SMTPClient in the .NET framework to do this.
1) No. You can find out if the target server accepts the address, but you cannot find out if the account really exists. Even if the server accepts the address it could be bounced later.
2) No. If you don't get a bounce, you have to assume it was delivered. There is no guarantee. It could have landed in a spam box etc.
3) If a mail is not received you either get a bounce message (or depending on how you send the message you get the error directly in the SMTP transaction while sending it to the target server).
4) No. You can request a read-receipt or do fancy stuff like embedding links to external tracker images, but all this stuff is usually blocked by default.
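When a bounce message does come back in the standard machine-readable form (multipart/report with a message/delivery-status part), the reason asked about in point 3 can be read from its Status field. The following Python is an added example, not part of the original answer; the sample bounce is constructed and the function name is an assumption.

```python
import email

# Constructed sample bounce; all hosts and addresses are made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mx.example.net
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery failed for one or more recipients.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.org
Action: failed
Status: 5.1.1

Final-Recipient: rfc822; busy@example.org
Action: delayed
Status: 4.2.2

--b1--
"""

# Enhanced status codes (RFC 3463) for the two reasons named in the question.
REASONS = {"1.1": "bad destination mailbox", "2.2": "mailbox full"}
CLASSES = {"2": "delivered", "4": "temporary failure", "5": "permanent failure"}

def parse_dsn(raw):
    """Return one dict per recipient reported in a delivery status notification."""
    msg = email.message_from_string(raw)
    if msg.get_param("report-type", "") != "delivery-status":
        return []  # an ordinary mail or a free-form bounce, not a DSN
    out = []
    for part in msg.walk():
        if part.get_content_type() != "message/delivery-status":
            continue
        for block in part.get_payload():  # the parser yields one Message per header block
            if "Final-Recipient" in block:  # skips the per-message Reporting-MTA block
                status = block.get("Status", "").strip()
                cls, _, detail = status.partition(".")
                out.append({"recipient": block["Final-Recipient"].split(";", 1)[-1].strip(),
                            "action": block.get("Action", "").strip().lower(),
                            "status": status, "class": CLASSES.get(cls, "unknown"),
                            "reason": REASONS.get(detail, "other")})
    return out
```

Bounces that are not in this format return an empty list here and have to be read by hand or matched by text.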
I have a web app that only registered users can use, therefore I should have a valid e-mail address for the creator of the message.
One part of this web app will allow a user to create and send an e-mail message to an e-mail address that the user enters. My web server will be creating and sending the e-mail, however if there is a delivery problem with the e-mail I would like the bounce to go to the user's e-mail address instead of the server. This will allow the user to know that there was a problem delivering the message and they can take the appropriate action.
Would setting the "return-path" attribute to the user's e-mail address handle this?
As RFC2821 says:
The primary purpose of the Return-path is to designate the address to which messages indicating non-delivery or other mail system failures are to be sent. For this to be unambiguous, exactly one return path SHOULD be present when the message is delivered.
So yes, all standard compliant servers should account for the Return-path you set.
You could set up a Windows service on your server to periodically check the BadMail folder and parse the bounced messages and resend them to the original sender. This solution would work in most cases. I don't think return-path would help in every instance (if it would at all), because different mail servers handle bounces differently.