开发者

Check if sender is valid with imap in C#

I know it is po开发者_如何转开发ssible to send an email with a fake address to impersonate someone else. I seen automated emails coming from my friend email address that he sent to me but did not write himself.

I know email servers ask the email provider if they really sent the message and if it is no it tends to go into spam or is marked untrusted. How do i access this data in my app? I havent chosen an imap library and thats because i dont know which may support this.


This functionality is not supported by imap.

Some servers store information like this in the header of the mail (like spamassassin info or SPF checks) so that is available with any imap library but depends highly on the mail server the app is connecting to.


In general it's not possible with IMAP. IMAP is intended for reading email, not for sending. You may try to fake email sender when sending email via SMTP protocol.

This is exactly what spam senders do (and what mail servers tries to detected).

It used to easy. SMTP dialog follows:

        S: MAIL FROM:<your.friend@example.com>
        R: 250 OK

        S: RCPT TO:<somene@example.com>
        R: 250 OK

        S: DATA
        R: 354 Start mail input; end with <CRLF>.<CRLF>
        S: Blah blah blah...
        S: ...etc. etc. etc.
        S: <CRLF>.<CRLF>
        R: 250 OK

But now things are getting more interesting. There is still race of arms between those two - for example:

Attack

Try to submit false "FROM:" address during communication with SMTP server.

Defense: SMTP server may require you to authenticate and allow only 'from' address associated with your account.

Another attack

Try to use third party SMTP server that has no such rule.

Defense (third party SMTP server): Allow sending only emails with 'from' domains matches with 'own' domains.

Defense (recipient's SMTP server): Add SPF record to your domain. This records includes all hosts that are allowed to send email with sender in this domain. If the email is sent from not allowed host increase it's spam score or delete it.

Another attack

Infect computer which is allowed to send email for specified domain with virus and send emails using it.

Defense: Educate users and/or use good antivirus.

And so on... There will be always ways how to fake sender's email address and how to fake it. Check following links for more info:

  • RFC 821 - SMTP
  • So You'd Like to Send Some Email (Through Code)
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜