Hello all,

I'm finishing a brand new web page, and I'm preparing all the e-mail contact form.

After receiving help from some nice :bob:ians, I've decided to go for a form-based method to contact our company; doing that, I keep the e-mail addresses as safe as possible and avoid the spam (not 100%, but at least nobody will be able to harvest the mail address).

Now I'm thinking of sending a confirmation e-mail.
Is that clever?

On the customer side he/she will receive a mail notification with all the details of his/her question, but... is this a bad move? Are the spam bots and/or other bad guys out there using this to get the original mail address and flood it with spam? Or should I take my aspirin, go to sleep and tomorrow implement a small PHP mail call and send my customers a nice confirmation e-mail?

Thank you all!

What I have tried:

Nothing, just wondering if it is a good thing to do or not...
I've read somewhere that it is not a good thing to send an automated e-mail back to anyone who is sending an e-mail to a wrong address inside our domain, as this is giving the attacker a valid mail address... truly it is amazing how things work when the bad guys appear...
Updated 4-Apr-16 11:03am
Comments
Richard Deeming 4-Apr-16 16:06pm    
Never mind collecting your email address - the spam bots will be able to use your form to send spam from your company to any email address they like! They won't even need to spoof the address, because the email will be sent by your website, via your legitimate mail server.
Joan M 4-Apr-16 16:23pm    
That's right... yes, I love programming robots, they can kill you, but it is more peaceful than this web thing... :D
Post this as an answer so I'll be able to vote you and accept it as a solution.
Thank you Richard!

1 solution

Quite apparently, without a confirmation e-mail, even if you use some mail address internally to forward post data to you via mail, you never expose this mail address.

And if you write an e-mail confirmation, you apparently expose some address, the From/Reply-To one. The customer can actually send a mail to it.

Now, simple logic should show you: the only reason for this message to be a mail is that you really want those mails from the users. And, setting aside possible mail harvesting, those people can spam you themselves or sell your address to spammers. Your choice. Sometimes you really want them to write mails to you, but then deal with the consequences.

If you don't need those real mail messages from customers, you don't need to send them confirmations. Why send a confirmation to some presumably "no reply" address? (If you never read those mails, you can automatically redirect them nowhere, but why receive them at all? :-)) You could simply form a temporary Web page (just an HTTP response showing the user information and other message details) and write "this is what we received from you". Really received. The only additional confirmation a mail can give you is that the user's mail address is real. Now, think thoroughly: why would you need to know that? I'm serious. You will know that only when a user actually sends you a mail message. But then some address of yours is exposed. Now, think thoroughly. Let's suppose the user's mail address is fake. But then you will never know the real address anyway. You can safely assume it's real. It's only needed when you want to write to this user, not through automatic confirmation. And if the address is fake, you cannot do anything with it. All you need is simple logic. Have I missed something?

But now, if you want those messages (not mail messages, but HTTP posts) from users, you have to read those posts. As an alternative to mail, you can simply collect message data on the server, clean out unwanted messages, and so on. My experience shows: spam on HTTP posts does exist, but it is always orders of magnitude less than mail spam.

By the way, mail address harvesting is not the only possible exploit, and not the worst. If your script is not carefully written and does send mail, a malicious artist can turn your own host into a zombie sending spam, in no time. This is my explanation of this simple exploit, from real life: unable to send mail , it showing the error in below code .[^].

You also cannot really rely on mail tracking:
Regular expression form email validation not working[^],
Email tracking — Wikipedia, the free encyclopedia[^].

—SA
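To make the answer's advice concrete (a fixed internal recipient that is never shown to the visitor, nothing user-supplied in the mail headers, and an HTTP response page instead of a confirmation e-mail), here is an added example of a PHP form handler. It is not code from the original post or its author; the field names `name`, `email` and `message`, the placeholder addresses `sales@example.invalid` and `noreply@example.invalid`, and the use of PHP's built-in `mail()` are all assumptions made for the example.

```php
<?php
// Added example (not from the original post): a contact-form handler that
// follows the answer's advice. Assumes the form POSTs "name", "email" and
// "message"; the two addresses below are placeholders for your own domain.

declare(strict_types=1);

const CONTACT_INBOX = 'sales@example.invalid';   // placeholder: company inbox, never shown to the visitor
const FROM_ADDRESS  = 'noreply@example.invalid'; // placeholder: fixed sender on your own domain

/**
 * Validate and normalise the submitted fields.
 * Returns [errors, data]; errors is empty when the data is usable.
 */
function validate_contact(array $post): array
{
    $errors  = [];
    $name    = trim((string)($post['name'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));

    // Reject CR/LF in any field that could ever reach a mail header: an
    // injected "\r\nBcc: ..." is how a contact form becomes a spam relay.
    foreach (['name' => $name, 'email' => $email] as $field => $value) {
        if (preg_match('/[\r\n]/', $value)) {
            $errors[] = "$field contains line breaks";
        }
    }
    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name is missing or too long';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not valid';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'message is missing or too long';
    }
    return [$errors, ['name' => $name, 'email' => $email, 'message' => $message]];
}

/**
 * Forward the enquiry to the fixed company inbox. The visitor's address goes
 * only into the body, never into From:/Reply-To:/To:, so the visitor cannot
 * steer the mail anywhere and no company address leaks back out.
 */
function forward_to_inbox(array $data): bool
{
    $subject = 'Website contact form';
    $body = "Name: {$data['name']}\n"
          . "Email: {$data['email']}\n\n"
          . $data['message'] . "\n";
    $headers = 'From: ' . FROM_ADDRESS . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return mail(CONTACT_INBOX, $subject, $body, $headers);
}

/**
 * The "confirmation": an HTTP response echoing what was received,
 * HTML-escaped so the visitor's own text cannot inject markup into the page.
 */
function render_confirmation(array $data): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>This is what we received from you</h1>'
         . '<p><b>Name:</b> ' . $h($data['name']) . '</p>'
         . '<p><b>Email:</b> ' . $h($data['email']) . '</p>'
         . '<pre>' . $h($data['message']) . '</pre>'
         . '<p>Save this page for your records.</p>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $data] = validate_contact($_POST);
    if ($errors !== []) {
        http_response_code(400);
        echo '<p>' . htmlspecialchars(implode('; ', $errors), ENT_QUOTES, 'UTF-8') . '</p>';
    } elseif (!forward_to_inbox($data)) {
        // Checking mail()'s return value is what surfaces a silently failing send.
        http_response_code(500);
        echo '<p>Sorry, your message could not be delivered. Please try again later.</p>';
    } else {
        echo render_confirmation($data);
    }
}
```

The two points that matter are that the recipient and sender are constants in the script rather than anything taken from the form, and that every field which could touch a header is rejected if it contains a line break; the visitor's own address appears only in the message body, which is the one place it cannot redirect delivery. The confirmation page is rendered from the validated data the server actually received, which is the "really received" check the answer describes, with no mail sent to the visitor at all.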
Comments
Joan M 5-Apr-16 6:00am    
Well.. yes.
The idea on the confirmation e-mail is to allow the customer to see what he/she has sent us.
After that they can update the information or at least be aware if something has failed which is what I would like to avoid.
The form sender will be a customer interested in the company services, therefore the e-mail, phone and other contact information are key data that need to be received, not for harvesting but to be able to contact them back and, who knows, make some business... :)
I've had bad experiences in the past due to JavaScript that was preventing the messages from being sent, and nobody noticed that; this kind of thing is what I would like to avoid...
Thank you for your post.
Sergey Alexandrovich Kryukov 5-Apr-16 9:35am    
If this is the idea of the confirmation, and nothing else, no mail is needed at all.
Make a page showing this information; you can add advice to save the page in the user's records...
At this moment, you have received the customer data, the customer has received the confirmation, and no mail address is involved. Come to think about it, the customer does not need to mail at all; they can always send you something via HTTP...

Now, JavaScript... Of course, JavaScript should not do anything critical and should never send mail. The server side should.

—SA
Joan M 5-Apr-16 10:04am    
100% clear and agree.
I've made it using PHP, nothing else in the middle; I hope this will always work and that it won't have any drawbacks.
And after having sent the e-mail I'll show another page with a message.
Thank you.
Sergey Alexandrovich Kryukov 5-Apr-16 10:09am    
Good. You are very welcome.
Are you accepting the answer formally?
—SA
Joan M 5-Apr-16 10:18am    
Done.
:thumbsup:

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)