Least Troublesome Email Format - email

Does anyone have a reason / preference as to the best format to send email responses from a website (payment confirmation / password reminders etc.)?
Thanks
Jon

In your emails, use plaintext with links to your HTML pages. HTML in email is generally widely reviled as a bad idea, because it's a gigantic security hole.
Never send passwords in email, even as a reminder. Send a link to the user's registered email address that allows them to reset their password. The absolute fastest way to make me quit using your service is to send me my password via email in plaintext.

Plain text. No HTML.

Formatted plain text, please. The system my office currently uses (I had nothing to do with designing it) sends customers a formatted plain text email that looks professional, loads quite quickly in email clients, and prints just as it looks on the screen. Not only is HTML a security hole, it can really slow down the email downloading/opening process depending on how much extraneous content is included (background colors, images, etc.). In addition, plain text is almost guaranteed to print out as displayed on the screen, whereas HTML can have issues.
For passwords, as McWafflestix said, don't send passwords to email addresses. One approach to addressing the forgotten password is to create a module on your website that sends users an email with a link confirming they forgot and need to reset their password, and then have them answer a secret question they created. Once the identity is confirmed, send them an email with the new temporary password and a link to log in. Once they click the link and enter the temporary password, have the user enter a new personal password.
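The answers above agree on the shape of a safe reset flow: never mail the password, mail a link instead. The following is an added example (not code from any of the posters) of the server side of that link: a random token is generated, only its SHA-256 digest is stored with an expiry, and redeeming the token deletes it so a link works once. The in-memory dictionaries, the 30-minute lifetime and the reset URL are constructed for the example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 60  # assumed policy: reset links expire after 30 minutes

# Constructed in-memory stores standing in for the users and reset-token tables.
users = {"jon@example.com": {"password_hash": "<existing hash>"}}
reset_tokens = {}  # sha256(token) -> {"email": ..., "expires": ...}


def issue_reset_link(email, now=None):
    """Create a single-use reset token for a registered address.

    Returns the URL to put in the email, or None if the address is unknown.
    The caller should send the same generic "check your inbox" reply either
    way, so the form does not reveal which addresses are registered.
    Only the digest of the token is stored: a leaked table cannot be turned
    into live links, and the plaintext token exists only inside the email.
    """
    now = time.time() if now is None else now
    if email not in users:
        return None
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[digest] = {"email": email, "expires": now + TOKEN_TTL_SECONDS}
    return "https://www.example.com/reset?token=" + token  # constructed URL


def redeem_reset_token(token, new_password_hash, now=None):
    """Consume the token from the link and install the new password hash.

    Returns True on success. The record is removed whether it was valid or
    expired, so a token can never be redeemed twice.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = reset_tokens.pop(digest, None)
    if record is None or record["expires"] < now:
        return False
    users[record["email"]]["password_hash"] = new_password_hash
    return True
```

The lookup is keyed by the digest rather than the token, so an attacker who reads the table still has to invert SHA-256 over a 256-bit random value, and the unknown-address case returns the same generic response as the known one.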

Related

Want to set up a system of sending email to users on my Magento store who have forgotten a password

I have set up a Magento store of my own for my business of grocery products.
I have almost configured each and everything.
I have a mail server and can have as many email addresses as I require.
I have a theme set up for the store.
When a user tries to log in and has forgotten a password, there is a link to click saying "Forgot Password".
On clicking it, it displays "An email has been sent to your account with new password details."
I know this will not send an email as I have to configure the entire system.
I do not want to send a new password by email. Instead I want to send a link. On clicking this link, the user can go to it and have an option of password reset.
Please help me with this. It will be much appreciated.
Magento's standard "Forgot Password" functionality works exactly as you've described - it sends a link to the user to reset his or her password - it doesn't just send a new password.
Magento uses Zend_Mail to send emails. By default, Zend_Mail will use PHP's mail() function (via Zend_Mail_Transport_Sendmail), which will usually send emails via sendmail or similar, depending on the PHP configuration.
If you have your own mail server that you'd prefer to use, you can configure Magento to use SMTP. This does require some code, but, luckily, there are some good extensions out there that already do this, like aschroder/Magento-SMTP-Pro-Email-Extension.

How to avoid remote images blocking into email

I have already read some posts on the subject, but I'd like to know if there are some "new" best practices to follow to stop email clients (Thunderbird, Outlook, Gmail, etc.) from blocking remote images in an HTML email.
Of course the images in the email have alt descriptions; but is there a way to be considered a secure host from which to download images?
Thanks
The biggest thing that affects whether your image will load or not is user interaction. If the user has added you to their address book, responded to your email, sent replies back to you or clicked on links, the email client will add you to the whitelist and ensure that your emails will be delivered, rendered and not treated as spam.
The best thing you can do is send engaging content and give the users a reason to interact with your email.
There are also services out there, like Return Path's Email Certification that will cost you quite a bit of money but ensure much better deliverability to their partner email providers.

Display email in recipient's language?

I'd like to send an email message that contains multiple translations. The correct translation should be displayed according to the recipient's language preferences. Possible?
There is nothing in the email message format that will let you do that. What you can do instead, is to put translated contents as attachments, or post some (translated) links to your website, that will refer recipients to translated contents.
Anyway, I think it is best to store language preferences in the user profile (provided you have one) and use this information for customizing emails. That works well, unless you are sending messages to a group of people...
To the best of my knowledge, email accounts are protected from giving out any information about the recipients unless they provide it. Even email clients often prevent emails from displaying pictures, since it reveals the recipient's IP address. So I also think it's unlikely to be possible.
I agree with the idea of Pawel Dyda.

In PHP, approaches to reduce bots submit form and invalid email accounts?

I know it's kind of a common question, but I can't find a best answer (for now)...
What are the best approaches to reduce bots submitting forms and invalid email accounts in PHP and HTML?
Bots - captcha? hidden CSS? what else?
Invalid email - this is a truly insane job. How can I detect if the user types user@yahooo.com, and then say the email is invalid? What if he types user@yaho.com, user@yahoo1.com, etc.? Is there any way to check whether the email is valid?
Captchas are the most common way to prevent bots. Coding Horror has a good article on the subject (see: http://www.codinghorror.com/blog/archives/001067.html and http://www.codinghorror.com/blog/archives/000712.html)
As to valid/invalid emails, your best bet is to require a validation step in registration. Don't activate the account until the user has used a link/special key sent in an email.
One way is to use a service like Akismet, which provides a free API to hook up your form for validating form inputs against known spammers (and spam-like texts).
With so many email accounts, it is a lot of overhead to validate email accounts (you can always check the email's string validity (like xyz@abc.com) using a regex, but it is not quick or light enough to check if the account is valid).
Your best bet for checking valid email addresses is to send an email to it with a random value which you have the user click on.
e.g.

    Welcome to McFadder's site!
    Click here to validate your email address:
    http://www.example.com/validate.php?Hash=c4ca4238a0b923820dcc509a6f75849b

You then have a database table (say, called UserEmailValidate) which contains the user ID and the hash.
To validate email addresses in the form, use JavaScript regular expressions, or PHP validation.
To avoid bots abusing your form, use captchas. http://recaptcha.net/ is a free service.
I think CAPTCHA is going to be your best option; I've used reCAPTCHA in the past:
http://recaptcha.net/plugins/php/
You can only validate the email on face value as per the RFC.
http://en.wikipedia.org/wiki/E-mail_address
You might want to send an email to them and ask them to click on a link to validate their account.
We used a cross site request forgery block in combination with a captcha and a field hidden with CSS to cut out almost all faked emails on our site. It isn't perfect, but the volume was significantly reduced. If you combined all that with a human verification of the actual email and deleting unverified accounts you could tighten up the spam net even more.
1. Set a session cookie of a hashed and salted secret value.
2. Submit the form with that secret cookie and make sure the session matches the hidden form field. This beats the lazy bot submissions.
3. Add a captcha to beat better bots.
4. Create a hidden field called "comments" that is hidden with CSS. Put a label that says "don't fill this out or your submission will be ignored" and style that hidden as well. Anybody that fills it out is either a bot or a dumbo and you can pretend to send the email but not really do it.
5. Add in Akismet (no experience personally) and a quick verification email and you have a pretty reliable net that will skim out the crap for you.
Send a confirmation email to the address provided with an activation key that the user has to use to activate their account to verify that the email is valid.
To get rid of bots, you probably want to use a captcha.
First of all you can try simply not to deal with these problems by using alternative methods (like Stack Overflow does). The next thing is to check if the mail "could" be valid by resolving the hostname and letting the user play the usual captcha game. You can either do something of your own or use third-party services. You can make extensive use of cookies, Flash and JavaScript; however, that might annoy a few users and not prevent so many spammers. What do you mean by hidden CSS? Hide certain input fields via CSS and give them names like URL/firstmail/name and hope that a robot (not obeying display:none;) will fill them out? Yes, that could prevent a few. The last thing is to send the user a link to the given mail to validate and activate his account; if an account is not activated within two days, just drop it. You could even go one step further and ask the user in this mail to send YOU a mail to a specific address...
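Several answers in this thread propose the same layered gate: a session-bound hidden field, a CSS-hidden honeypot, a syntax check on the address, and a hostname/MX check before any verification mail goes out. The following added example (not code from any of the posters, and in Python rather than the PHP the question asks about) implements those checks as one function that returns the list of reasons a submission was rejected. The server key, the hidden-field name "form_token", the honeypot name "comments" and the MX table are constructed; in production the `lookup` argument would be a real DNS MX query, which the standard library does not provide.

```python
import hashlib
import hmac
import re
import secrets

SERVER_KEY = b"assumed server-side secret, loaded from config in practice"

# Conservative syntax check: a local part, one "@", and a dotted domain made of
# letter/digit/hyphen labels. This only proves the string looks like an address;
# the activation email is still the only real proof that the mailbox exists.
_LOCAL = r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
ADDRESS_RE = re.compile(rf"^{_LOCAL}@(?:{_LABEL}\.)+{_LABEL}$")

# Constructed stand-in for a DNS MX lookup (domain -> mail exchangers).
CONSTRUCTED_MX = {"yahoo.com": ["mx1.yahoo.com"], "example.org": ["mail.example.org"]}


def mx_lookup(domain):
    """Return the mail exchangers for a domain (constructed table here)."""
    return CONSTRUCTED_MX.get(domain.lower(), [])


def new_form_token(session):
    """Store a fresh secret in the session and return the hidden-field value.

    The hidden field carries an HMAC of the session secret, so a bot that
    never fetched the form (or that replays another session's field) fails.
    """
    session["form_secret"] = secrets.token_hex(16)
    return hmac.new(SERVER_KEY, session["form_secret"].encode(), hashlib.sha256).hexdigest()


def check_submission(session, fields, lookup=mx_lookup):
    """Return the list of rejection reasons; an empty list means accept."""
    reasons = []

    # 1. Hidden field must match the secret bound to this session.
    secret = session.get("form_secret") or ""
    expected = hmac.new(SERVER_KEY, secret.encode(), hashlib.sha256).hexdigest()
    if not secret or not hmac.compare_digest(expected, fields.get("form_token", "")):
        reasons.append("form token does not match session")

    # 2. Honeypot: a human never sees the CSS-hidden "comments" field.
    if fields.get("comments", ""):
        reasons.append("honeypot field filled in")

    # 3. Address syntax, then a mail exchanger for the domain.
    address = fields.get("email", "").strip()
    if not ADDRESS_RE.match(address):
        reasons.append("address is not well formed")
    elif not lookup(address.rsplit("@", 1)[1]):
        reasons.append("domain has no mail exchanger")

    return reasons
```

A submission that passes all three layers is the one worth spending a verification email on; the honeypot and token checks cost nothing per request, and the MX lookup is the only one that touches the network.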

Verifying a user in "Email Submission" use case

I'm building a system that allows people to submit text and photos via email in addition to standard access on the website. I'm trying to weigh the security advantages of two strategies in particular for verifying submissions from a user. Here they are as follows:
To-based auth: Create a secret email address per user and present this to the user for submission. This strategy has the advantage that people can send from multiple devices that might be set up with different mail accounts.
From-based auth: Only accept emails from addresses that are registered in the user database. The idea being that it is impractical/difficult to impersonate registered users based on the sending address.
Can you think of other possible solutions? Which strategy of the ones proposed makes the most sense to you?
I would suggest that you not use From-based authentication, at least not without some additional credentials (a passphrase, etc.)
It's way too easy to forge, and certainly not difficult if you know someone's email address.
If you echo the email back to the user for confirmation, you can make things a little more difficult, but realize that your service can end up being used as a sort of spamming relay. (I could send 100 upload requests to you, with a forged FROM address, and you'd go ahead and spam the real person with 100 confirmation requests)
The better option is to check the registered email address but add the need for a code within the email subject known to the user. This way if they forge the email from address, they would still need a key to authenticate the incoming email.
I would go with "from" + confirmation, to avoid forging.
I.e. receive the email, but send a response with an auth token in the subject line (or in the body) back to the "from" address. The user will either need to reply, or click a link to confirm the submission.
And you post the content only after confirmation.
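The two strategies from the question, plus the subject-line code the answers recommend for the From-based one, can be decided in a single inbound handler. The following is an added example (not code from any of the posters) that parses a raw message with the standard library, first accepts mail sent to a per-user secret submission address, and otherwise only accepts a registered From address when a per-user code appears in the subject; anything else is reported back so the caller can start the confirmation round-trip. The user table, the `submit.example.com` domain, the server key and the sample messages are constructed.

```python
import email
import hashlib
import hmac
import secrets
from email import policy
from email.utils import parseaddr

SERVER_KEY = b"assumed server-side secret, loaded from config in practice"

# Constructed user table: registered sending address and a per-user secret.
users = {
    "alice": {"address": "alice@example.org", "secret": secrets.token_hex(16)},
}
# To-based auth: secret submission address -> user (filled by submission_address).
submission_addresses = {}


def submission_address(user):
    """Mint a secret per-user submission address (To-based strategy)."""
    addr = f"post-{secrets.token_urlsafe(12)}@submit.example.com"  # assumed domain
    submission_addresses[addr.lower()] = user
    return addr


def subject_code(user):
    """Short code the user must put in the subject (From-based strategy).

    Derived from the per-user secret with a server key, so it is only
    valid for that user and is never stored in the clear.
    """
    return hmac.new(SERVER_KEY, users[user]["secret"].encode(), hashlib.sha256).hexdigest()[:12]


def identify_sender(raw):
    """Return (user, how) for an accepted message, or (None, reason) otherwise."""
    msg = email.message_from_string(raw, policy=policy.default)
    to_addr = parseaddr(str(msg.get("To", "")))[1].lower()
    if to_addr in submission_addresses:
        return submission_addresses[to_addr], "to-based"

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    subject = str(msg.get("Subject", ""))
    for user, record in users.items():
        if record["address"].lower() != from_addr:
            continue
        code = subject_code(user)
        if any(w.isascii() and hmac.compare_digest(w, code) for w in subject.split()):
            return user, "from+code"
        # From matched but no code: a forgeable header alone is not enough.
        # The caller may send a confirmation request, but should rate-limit
        # it so the service cannot be used to flood the real address.
        return None, "registered sender without subject code"
    return None, "unknown sender"
```

The From header is trusted only in combination with the code, which is the point made in the answers: the header is trivially forged, the code is not, and the fallback reason lets the caller choose between dropping the mail and sending a single confirmation request.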