Validating email addresses using MX records

Published 2024-08-16 04:30:51 · 2101 characters · 7 views · 0 comments


Scenario:
I have a contact form on my web app; it gets a lot of spam.
I am validating the format of email addresses loosely, i.e. ^.+@.+\..+$
I am using a spam filtering service (defensio) but the spam scores returned are overlapping with valid messages. At a threshold of 0.4 some spam gets through and some customers' questions are wrongly thrown in a log and an error displayed.

All of the spam messages use fake email addresses e.g. [email protected]

Dedicated PHP5 Linux server in US, mysql, logging spam only, emailing the non spam messages (not stored).

Proposal:
Use php's checkdnsrr(preg_replace('/^.+?@/', '', $_POST['email']), 'MX') to check the email domain resolves to a valid address, log to file, then redirect with an error for messages that don't resolve, and proceed to the spam filter service as before for addresses that do resolve according to checkdnsrr().

I have read (and I am sceptical about this myself) that you should never leave this type of validation up to remote lookups, but why?

Aside from connectivity issues, where I will have bigger problems than a contact form anyway, is checkdnsrr going to encounter false positives/negatives?
Would there be some address types that won't resolve? gov addresses? IP email addresses?
Do I need to escape the hostname I pass to checkdnsrr()?

Solution:
A combination of all three answers (wish I could accept more than one as a compound answer).

I am using:

// Strip everything up to and including the '@', then append '.' so the
// domain is treated as fully qualified and no local search suffix is appended.
$email_domain = preg_replace('/^.+?@/', '', $email).'.';
// Accept if the domain has an MX record, or (RFC 2821 implicit MX) an A record.
if(!checkdnsrr($email_domain, 'MX') && !checkdnsrr($email_domain, 'A')){
   //validation error
}

All spam is being logged and rotated.
With a view to upgrading to a job queue at a later date.

Some comments were made about asking the mail server for the user to verify; I felt this would be too much traffic and might get my server banned or into trouble in some way, and this is only to cut out most of the emails that were being bounced back due to invalid server addresses.

http://en.wikipedia.org/wiki/Fqdn
and

RFC2821
The lookup first attempts to locate an MX record associated with the name.
If a CNAME record is found instead, the resulting name is processed as if 
it were the initial name.
If no MX records are found, but an A RR is found, the A RR is treated as
if it was associated with an implicit MX RR, with a preference of 0,
pointing to that host.  If one or more MX RRs are found for a given
name, SMTP systems MUST NOT utilize any A RRs associated with that
name unless they are located using the MX RRs; the "implicit MX" rule
above applies only if there are no MX records present.  If MX records
are present, but none of them are usable, this situation MUST be
reported as an error.

Many thanks to all (especially ZoogieZork for the A record fallback tip)
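As an added example (not code from the thread), the RFC 2821 lookup order quoted above carried through in Python against a constructed in-memory zone, including the poster's trailing-dot FQDN normalisation and the "MX present but unusable" error case. The zone contents, `ZONE`, `lookup()`, `mail_hosts()` and `domain_accepts_mail()` are assumptions of this example; a real deployment would replace `lookup()` with live DNS queries (checkdnsrr() / dns_get_record() in PHP).

```python
# Added example (not from the thread): the RFC 2821 lookup order quoted above (MX,
# else follow a CNAME, else an A record as implicit MX), run over a constructed
# in-memory zone (not real DNS data) so it works offline.
ZONE = {
    "example.com.":          [("MX", (10, "mail.example.com.")), ("A", "192.0.2.10")],
    "mail.example.com.":     [("A", "192.0.2.25")],
    "alias.example.com.":    [("CNAME", "example.com.")],
    "web-only.example.com.": [("A", "192.0.2.80")],
    "dangling.example.com.": [("MX", (10, "gone.example.com."))],  # target never resolves
}

def fqdn(name):
    # Lower-case and append a trailing dot (the poster's '.' trick) so the
    # resolver treats the name as fully qualified and appends no search suffix.
    return name.strip().lower().rstrip(".") + "."

def lookup(name, rrtype):
    # Stand-in for a DNS query (a real resolver goes here): rdata of every
    # record of the given type at an already-qualified name.
    return [rdata for rtype, rdata in ZONE.get(name, []) if rtype == rrtype]

def mail_hosts(domain, depth=0):
    """Mail exchangers for domain in preference order, or [] if it cannot receive mail.
    Raises ValueError when MX records exist but none is usable (RFC 2821: MUST be an error)."""
    if depth > 8:                       # CNAME chain / loop guard
        return []
    name = fqdn(domain)
    mx = lookup(name, "MX")
    if mx:
        # MX present: the domain's own A record MUST NOT be used as a fallback.
        usable = [host for _pref, host in sorted(mx) if lookup(host, "A")]
        if not usable:
            raise ValueError("MX records present but none usable for " + name)
        return usable
    cname = lookup(name, "CNAME")
    if cname:                           # restart the lookup with the canonical name
        return mail_hosts(cname[0], depth + 1)
    if lookup(name, "A"):               # implicit MX, preference 0, pointing at the host
        return [name]
    return []

def domain_accepts_mail(email):
    """Form-side check: True only if the address's domain can receive mail."""
    if email.count("@") != 1:
        return False
    try:
        return bool(mail_hosts(email.split("@")[1]))
    except ValueError:
        return False
```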


Comments (5)

顾铮苏瑾 2024-08-23 04:30:51

I see no harm doing a MX lookup with checkdnsrr() and I also don't see how false positives may appear. You don't need to escape the hostname, in fact you can use this technique and take it a little further by talking to the MTA and testing if the user exists at a given host (however this technique may and probably will get you some false positives in some hosts).

挽清梦 2024-08-23 04:30:51

DNS lookups can be slow at times, depending on network traffic & congestion, so that's something to be aware of.

If I were in your shoes, I'd test it out and see how it goes. For a week or so, log all emails to a database or log file and include a field to indicate if it would be marked as spam or legitimate email. After the week is over, take a look at the results and see if it's performing as you would expect.

Taking this logging/testing approach gives you the flexibility to test it out and not worry about losing customer emails.

I've gotten into the habit of adding an extra field to my forms that is hidden with CSS, if it's filled in I assume it's being submitted by a spam bot. I also make sure to use a name like "url" or "website_url" something that looks like a legitimate field name to a spam bot. Add a label for the field that says something like "Don't fill out this field" so if someone's browser doesn't render it correctly, they will know not to fill out the spam field. So far it's working very well for me.

忘你却要生生世世 2024-08-23 04:30:51
function mxrecordValidate($email){
        // Split on '@'; bail out if the address has no single domain part.
        $parts = explode('@', $email);
        if(count($parts) != 2){
                return false;
        }
        list($user, $domain) = $parts;
        // dns_get_record() returns false or an empty array when no MX record exists.
        $arr = dns_get_record($domain, DNS_MX);
        if(!empty($arr) && strcasecmp($arr[0]['host'], $domain) === 0 && !empty($arr[0]['target'])){
                return $arr[0]['target'];
        }
        return false;
}
$email= '[email protected]';

if(mxrecordValidate($email)) {
        echo('This MX record exists; I will accept this email as valid.');
}
else {
        echo('No MX record exists; invalid email.');
}
凉栀 2024-08-23 04:30:51


An MX lookup is only part of the picture; if you want to ensure the email address is itself valid, then you need to attempt to send an email to that account.

The other possible scenario is, someone can be simply using hijacked email accounts from a compromised machine anyway. Of course, that is probably a little bit less likely to occur, but it still does.

There are email address validation libraries out there that do this, simply search for email validation.

All of this can be done asynchronously. I have this setup on my site in which case the email is saved in the database (for auditing purposes), a job queued, then when the job comes time to execute, any additional validation is performed at that point in time. It offloads the heavy lifting to another thread.

To the user, it appears as if the email was sent already, it was (it's in the database), and can be viewed internally, but the actual email won't get mailed out until that job executes which can be immediately or some set amount of time depending on the server load.

Walter

素手挽清风 2024-08-23 04:30:51
//The Code *https://davidwalsh.name/php-email-validator*
function domain_exists($email, $record = 'MX'){
    // Guard against addresses without exactly one '@' before splitting.
    $parts = explode('@', $email);
    if(count($parts) != 2){
        return false;
    }
    list($user, $domain) = $parts;
    // checkdnsrr() returns true if a record of the given type exists for the domain.
    return checkdnsrr($domain, $record);
}

if(domain_exists('[email protected]')) {
    echo('This MX record exists; I will accept this email as valid.');
} else {
    echo('No MX record exists; invalid email.');
}