Why does SendGrid allow me to send emails from any address?


Question

I have a local Python file that I'm using to send emails through SendGrid's SMTP:

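import smtplib

# email_information is assumed to be an email.message.Message built earlier
# in the script; prod is the asker's own config module holding the API key.
gmail_sender = "example@gmail.com"
server_username = "apikey"
server_password = prod.CONFIG['sendgrid_SMTP']

server = smtplib.SMTP_SSL('smtp.sendgrid.net', 465)
server.login(server_username, server_password)

# The From header is whatever the script sets; no password for it is needed.
email_information['From'] = gmail_sender

server.sendmail(email_information['From'], email_information['To'],
    email_information.as_string())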

I'm confused about who is sending the email. I replaced gmail_sender with multiple different emails, and without having to give the password to those emails, I could send an email through SendGrid's SMTP. In the from section of the email I sent, it says the email I put as the gmail_sender plus "via sendgrid.net." I can make it seem like anyone sent the email. Isn't this a security concern?

Any guidance is appreciated :)

Recommended answer

The alternative is rather daunting. You would have to technically prove to them that every address you want to send from is actually yours.

Some services require you to prove that a domain is yours by giving you a unique cookie and telling you to publish it in the domain's DNS records. If you have control over the DNS for a domain, you have control over the domain. But there is no similar mechanism for email - you could simply forge the sender on the email which is supposed to prove that you own the address.

Anyway, going through this ordeal for every domain you want to use is already a chore. Imagine what it would mean for clients who want to use dozens, hundreds, or even thousands of different sender addresses.

The SendGrid terms of service have some general language about network abuse, which probably applies to using somebody else's email address. I could find nothing specific about address forgery in their ToS. Having a legal restriction in a contract (and enforcing it!) relieves them from the need to implement a technical restriction.
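
The DNS-based ownership proof mentioned in the answer, sketched as an added example (not part of the original post and not SendGrid's implementation): a sending service issues a per-account token, the customer publishes it as a TXT record, and the service accepts a From address only if its domain carries that token. `SERVICE_KEY`, `RECORD_PREFIX`, the account ids and the in-memory `dns` dictionary standing in for live TXT lookups are all hypothetical.

```python
import hashlib
import hmac
import secrets

SERVICE_KEY = secrets.token_bytes(32)     # assumption: secret held only by the service
RECORD_PREFIX = "example-verification="   # hypothetical TXT record label


def normalize(domain: str) -> str:
    return domain.lower().rstrip(".")


def issue_challenge(account_id: str, domain: str) -> str:
    """TXT value this account must publish; bound to both account and domain."""
    msg = f"{account_id}|{normalize(domain)}".encode()
    return RECORD_PREFIX + hmac.new(SERVICE_KEY, msg, hashlib.sha256).hexdigest()


def domain_is_verified(account_id: str, domain: str, txt_records: list[str]) -> bool:
    """True if one of the domain's TXT records carries this account's token."""
    expected = issue_challenge(account_id, domain).encode()
    return any(
        hmac.compare_digest(expected, rec.strip().strip('"').encode())
        for rec in txt_records
    )


def may_send_as(account_id: str, from_address: str, dns: dict[str, list[str]]) -> bool:
    """Allow a From address only when its domain is verified for the account."""
    local, sep, domain = from_address.rpartition("@")
    if not (local and sep and domain):
        return False
    domain = normalize(domain)
    return domain_is_verified(account_id, domain, dns.get(domain, []))


def constructed_dns() -> dict[str, list[str]]:
    """Constructed sample zone data; replaces real TXT lookups so this runs offline."""
    token = issue_challenge("acct-1", "shop.example")
    return {
        "shop.example": ["unrelated-record=1", f'"{token}"'],
        "gmail.com": ["unrelated-record=1"],
    }


if __name__ == "__main__":
    dns = constructed_dns()
    for acct, addr in [("acct-1", "orders@shop.example"),
                       ("acct-2", "orders@shop.example"),
                       ("acct-1", "example@gmail.com")]:
        print(acct, addr, may_send_as(acct, addr, dns))
```

The check proves control of a domain, not of an individual mailbox: any local part at `shop.example` passes for `acct-1`, while a second account cannot reuse the published record because the token is bound to the account id.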
