Sending mail using php mail() -- abusing 'from' email address


Problem description

I'm implementing a contact form in PHP using the mail() function. In the contact form, I ask for the user's email address, and upon submission I send their message to my own email address.

Here is my PHP code:

    $to = 'myemail@gmail.com';
    $from_name = $_POST['InputName'];
    $from_email = $_POST['InputEmail'];
    $subject = 'Message from '.$from_name;
    $message = $_POST['InputMessage'];
    $headers = 'From: '.$from_email."\r\n".'Reply-To: '.$from_email.
        "\r\n".'X-Mailer: PHP/'.phpversion();
    $mailsuccess = mail($to,$subject,$message,$headers);

After testing this, I realize a person can send me an email masquerading as someone else's valid email address. For example, during testing, I used my friend's email and sent myself a message. Isn't this a security problem? In my Gmail account, I did get a warning that this email may not be from that person, but if it's not clearly spam I usually ignore that warning.

For example, if Bob (bob@gmail.com) sends a message through the contact form masquerading as Chris (chris@gmail.com), I will respond in my email to Chris. Chris thinks his email is hacked because he never sent that email. Is this generally an issue? Or is there a way to make it safer?

Solution

It's called email spoofing. SMTP is not a very secure protocol. It's always been possible to spoof. Unfortunately there is no way around it unless every email server on earth makes changes to fix that, which is unlikely.

It's how a lot of phishing and spam happens.
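An added example, not part of the original question or answer: the form cannot verify who typed the address, but it can avoid sending mail with the visitor's address as `From`. This sketch keeps `From` fixed to the site's own mailbox, puts the validated visitor address in `Reply-To`, and labels it as unverified in the body. `SITE_FROM`, `field()` and `build_contact_mail()` are hypothetical names, and `contact-form@example.com` is an assumed placeholder address.

```php
<?php
// Added example, not the asker's code. SITE_FROM, field() and
// build_contact_mail() are hypothetical names chosen for this sketch.
const SITE_TO   = 'myemail@gmail.com';        // recipient from the question
const SITE_FROM = 'contact-form@example.com'; // assumed: a mailbox on the site's own domain

// Return a posted field as a string ('' when missing or not a string).
function field(array $post, string $key): string
{
    return is_string($post[$key] ?? null) ? $post[$key] : '';
}

// Build the four mail() arguments, or null when the submission is rejected.
function build_contact_mail(array $post): ?array
{
    // FILTER_VALIDATE_EMAIL rejects control characters, so a value that
    // passes cannot add extra lines to the header block.
    $email = filter_var(trim(field($post, 'InputEmail')), FILTER_VALIDATE_EMAIL);
    // The name ends up in the Subject header: replace control characters
    // (CR and LF included) with spaces and cap the length.
    $name = preg_replace('/[\x00-\x1F\x7F]+/', ' ', field($post, 'InputName'));
    $name = substr(trim((string) $name), 0, 80);
    $message = field($post, 'InputMessage');
    if ($email === false || $name === '' || trim($message) === '') {
        return null;
    }
    // From is always the site's own address; the claimed address is only
    // a reply target and is labelled as unverified in the body.
    $headers = 'From: ' . SITE_FROM . "\r\n"
             . 'Reply-To: ' . $email . "\r\n"
             . 'X-Mailer: PHP/' . phpversion();
    $body = "Sender address (unverified): $email\r\n\r\n" . $message;
    return [SITE_TO, 'Message from ' . $name, $body, $headers];
}

// Constructed sample submissions; nothing is sent here.
$samples = [
    ['InputName' => 'Bob', 'InputEmail' => 'bob@gmail.com', 'InputMessage' => 'Hello'],
    ['InputName' => 'Bob', 'InputEmail' => "chris@gmail.com\r\nX-Test: 1", 'InputMessage' => 'Hello'],
    ['InputName' => 'Bob', 'InputEmail' => 'not-an-address', 'InputMessage' => 'Hello'],
];
foreach ($samples as $sample) {
    $mail = build_contact_mail($sample);
    echo $mail === null ? "rejected\n" : $mail[3] . "\n--\n";
    // In the form handler: if ($mail !== null) { $ok = mail(...$mail); }
}
```

Replying in the mail client still goes to whatever address the visitor typed, so the "unverified" line in the body is the reminder to treat it as a claim rather than an identity.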
