Why does SendGrid allow me to send emails from any address?
Question
I have a local Python file that I'm using to send emails through SendGrid's SMTP:
import smtplib
from email.message import EmailMessage

gmail_sender = "example@gmail.com"
server_username = "apikey"  # SendGrid's SMTP username is the literal string "apikey"
server_password = prod.CONFIG['sendgrid_SMTP']  # the SendGrid API key, read from the poster's config
email_information = EmailMessage()  # the message object; built elsewhere in the poster's script
email_information['To'] = "recipient@example.com"  # placeholder recipient
server = smtplib.SMTP_SSL('smtp.sendgrid.net', 465)
server.login(server_username, server_password)
email_information['From'] = gmail_sender
server.sendmail(email_information['From'], email_information['To'],
                email_information.as_string())
server.quit()
I'm confused about who is sending the email. I replaced gmail_sender with multiple different emails, and without having to give the password for those emails, I could send an email through SendGrid's SMTP. In the From section of the email I sent, it shows the email I put as gmail_sender plus "via sendgrid.net". I can make it seem like anyone sent the email; isn't this a security concern?
Any guidance is appreciated :)
Answer
The alternative is rather daunting. You would have to technically prove to them that every address you want to send from is actually yours.

Some services require you to prove that a domain is yours by giving you a unique cookie and telling you to publish it in the domain's DNS records. If you have control over the DNS for a domain, you have control over the domain. But there is no similar mechanism for email: you could simply forge the sender on the email that is supposed to prove that you own the address.

Anyway, going through this ordeal for every domain you want to use is already a chore. Imagine what it would mean for clients who want to use dozens, hundreds, or even thousands of different sender addresses.

The SendGrid terms of service have some general language about network abuse, which probably applies to using somebody else's email address. I could find nothing specific about address forgery in their ToS. Having a legal restriction in a contract (and enforcing it!) relieves them from the need to implement a technical restriction.
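The following is an added example, not part of the question or the answer above, showing what the DNS-based proof of ownership the answer describes would look like if a sending service implemented it and then only accepted From addresses under verified domains. The challenge label `_sendverify`, the `issue_challenge`/`verify_domain`/`sender_allowed` functions and the in-memory zone table standing in for real DNS are all assumptions made for this illustration; a real check would query TXT records (for instance with dnspython's `dns.resolver.resolve(name, "TXT")`). The "via sendgrid.net" the poster saw is Gmail flagging that the From domain is not the domain that authenticated the message; the policy check below is what a service would need in order to refuse such From addresses before sending.

```python
import hashlib
import hmac
import secrets
from email.utils import parseaddr
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Assumed subdomain label for the challenge record; a real service documents its own.
VERIFICATION_LABEL = "_sendverify"


def challenge_record_name(domain: str) -> str:
    """DNS name at which the customer must publish the challenge TXT record."""
    return f"{VERIFICATION_LABEL}.{domain.strip().rstrip('.').lower()}"


def issue_challenge(domain: str) -> Tuple[str, str]:
    """Return (record_name, token). The service stores the token; the customer
    publishes it as a TXT record, which only someone controlling the zone can do."""
    return challenge_record_name(domain), secrets.token_urlsafe(24)


def verify_domain(domain: str, expected_token: str,
                  txt_lookup: Callable[[str], Iterable[str]]) -> bool:
    """True if any TXT record at the challenge name equals the expected token."""
    want = hashlib.sha256(expected_token.encode()).digest()
    for record in txt_lookup(challenge_record_name(domain)):
        value = record.strip().strip('"')           # TXT values are often returned quoted
        got = hashlib.sha256(value.encode()).digest()
        if hmac.compare_digest(got, want):          # constant-time comparison
            return True
    return False


def make_txt_lookup(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
    """Constructed stand-in for a DNS resolver: name -> list of TXT strings."""
    return lambda name: list(table.get(name.lower(), []))


def sender_allowed(from_header: str, verified_domains: Set[str]) -> bool:
    """Policy check: accept a From header only if its address is under a verified domain."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].strip().rstrip(".").lower()
    return domain in verified_domains


def demo() -> Dict[str, bool]:
    """Walk through the flow with constructed zone data standing in for real DNS."""
    zone: Dict[str, List[str]] = {}
    lookup = make_txt_lookup(zone)

    name, token = issue_challenge("example.com")
    before = verify_domain("example.com", token, lookup)   # record not yet published
    zone[name] = [f'"{token}"']                            # customer publishes the TXT record
    after = verify_domain("example.com", token, lookup)

    verified = {"example.com"} if after else set()
    return {
        "verified_before_publish": before,
        "verified_after_publish": after,
        "own_address_allowed": sender_allowed("Alice <alice@example.com>", verified),
        "forged_address_allowed": sender_allowed("CEO <ceo@victim.example>", verified),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that `sender_allowed` only checks the From header; a service that wanted the same guarantee for the SMTP envelope sender would run the same check on the address passed to `sendmail`, since that is what SPF evaluates.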