Mail.ru Mail Security Issues
Two years ago I wrote a simple PHP script for the feedback form. Letters came to mail.ru mail. As it turned out later, there was an error in the script. I inserted the email address of the client into “From” (in fact, forged the sender), but the letters arrived, and all right.
Source:
And not so long ago I noticed that the applications stopped coming ... I checked the form - it does not work. I was puzzled, because no one touched anything, and for two years everything worked fine. In the course of the experiments, it turned out that if we use such code:
')
then you can absolutely easily fake any sender (in this case, Sberbank).
Emails come in. How spam is not determined the first time. The interface Mail.ru is written "We can not verify the authenticity of the sender," but if you collect mail using a program (for example, Outlook), then there is no inscription, of course, no.
The key place is the additional symbol ">". Without this letter symbol with a forged sender, as it should be, DO NOT come. Obviously, Mail.ru has an error in handling headers.
Checked this bug on Yandex. Yandex doesn’t have such a problem (letters with a forged sender do not even pass to the spam folder).
PS The representative of Mail.ru said “we do not consider this situation a mistake” (the quote is accurate), so I am posting this information with a clear conscience.
Source:
$email = $_POST['email']; $headers .= "From: " . $email . "\r\n"; And not so long ago I noticed that the applications stopped coming ... I checked the form - it does not work. I was puzzled, because no one touched anything, and for two years everything worked fine. In the course of the experiments, it turned out that if we use such code:
')
$email = " <help@sberbank.ru"; $headers .= "From: " . $email . ">>\r\n";
then you can absolutely easily fake any sender (in this case, Sberbank).
Emails come in. How spam is not determined the first time. The interface Mail.ru is written "We can not verify the authenticity of the sender," but if you collect mail using a program (for example, Outlook), then there is no inscription, of course, no.
The key place is the additional symbol ">". Without this letter symbol with a forged sender, as it should be, DO NOT come. Obviously, Mail.ru has an error in handling headers.
Checked this bug on Yandex. Yandex doesn’t have such a problem (letters with a forged sender do not even pass to the spam folder).
PS The representative of Mail.ru said “we do not consider this situation a mistake” (the quote is accurate), so I am posting this information with a clear conscience.
Source: https://habr.com/ru/post/357408/
All Articles