Allow members to email each other through web app...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
User avatar
seodevhead
Forum Regular
Posts: 705
Joined: Sat Oct 08, 2005 8:18 pm
Location: Windermere, FL

Allow members to email each other through web app...

Post by seodevhead »

Hey guys... I have a membership-style web app (much like forums) where members can send emails to each other from within the web application. This is very similar to what you might find in vBulletin.. the email address of everyone is concealed from one another, but if you click on "email so-and-so", it takes you to a form in vBulletin where you can send them an email message.

I'd like to set this up, but I was just thinking about how it works and it seems that any message sent would be sent using my SMTP outgoing mail-server (I'm using Swift Mailer btw). This works fine, but am I putting myself at any risk by allowing this? It would seem to me that a malicious member could send a "bad" email (with spam like keywords, etc.) to another member, who might report that message as spam... thus getting my mail server blacklisted. Do you see what I'm getting at here?

Does anyone know if this is a threat? The "From" address will be the member's email address, but obviously my server will send the message... which is the problem if one of those messages gets sent to the "spam cops".

Any guidance or suggestions on what I should do with this? Would love to hear your thoughts.

Thanks.
DrTom
Forum Commoner
Posts: 60
Joined: Wed Aug 02, 2006 8:40 am
Location: Las Vegas

Post by DrTom »

It's actually surpisingly difficult to get permanently blacklisted and just a single report just won't do it. Most of the major mail providers use automatic cutoffs at like 5,000-20,000 emails in a day from a single IP and will give you 24 hours of throwing back 421(or sometimes 521 if they really hate you) errors. Generally when your MTA gets this, it'll reattempt a bunch of times at varying intervals to see if actually goes through. I think postfix by default reattempts for like 4 days and the interval between attempts grows with each failure, and you'll never receive a 4 day blacklist unless it's A) Personal domain and they hate you B) You're a real spammer ( even then you probably own't see a 4 day ban ). Oh and for point of reference, Yahoo does a 24 hour blacklisting when they get 15,000 emails from a single IP in a 24 hour period. GMail claims to be around 10,000 from a single IP for a 24 hour period. ISPs use closer to 5000. Permanent bans are only done for repeat offenders of the 24 hour ban.


So in short, yes you're sort of opening yourself up, but not really that much. The big thing is to prevent bots from abusing your form to spam your users as normal users probably won't beable to send enough "bad" emails to actually cause a problem for your server. And even if they manage to cause *any* problem.

Unfortunately I know too much about spam :(
Post Reply