Sending e-mail from any address

I noticed an error, a feature, a possibility (call it what you like) of sending e-mail from any address when I wrote an ordinary PHP script to send an application from my website to the mailbox on my domain. Everything is implemented using the usual mail function, which has a "From" item among its parameters. Initially, I thought that only my own e-mail address, configured on the server in advance, could go there, but in fact it turned out to be completely different.

How did it happen


So, here is what is needed to send e-mail from absolutely any address (existing or not):

1. Your own domain and hosting
I bought the usual hosting and domain planforyou.ru from the reg.ru registrar.

2. Mail on the domain
A regular mailbox was created (for example, test@planforyou.ru).

3. PHP script
The script uses the usual mail function, and any e-mail address is given as the sender.

4. Redirect server
It is also easily configured in the hosting control panel. In this case, the rule was set to send mail from test@planforyou.ru to my personal box.

What is the result?


Sometimes these letters land in the spam folder (but this can all be easily corrected by digging in the mail settings on the domain), but in any case they arrive. For example, I sent myself a letter from the address admin@gmail.com.



Of course, not everything is so smooth.


By pressing the buttons, you can see to whom the letter was originally sent, from which server it came, and so on. Even next to the sender's address there is an icon warning of something bad (crossed yellow lock), but what is the probability that an ordinary user will notice it? Moreover, the user's avatar (if the address exists and it is set) is loaded without any problems.
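
As an added example (not part of the original post), this sketch shows how the receiving side can flag such a letter from its headers: it compares the domain in the visible From with the envelope sender and reads the DMARC verdict stamped by the receiver's own server. The sample message, the host name mx.receiver.example and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real capture): visible From claims gmail.com,
# envelope sender belongs to the domain that actually submitted the mail.
SAMPLE = """\
Return-Path: <test@planforyou.ru>
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=planforyou.ru;
 dkim=none;
 dmarc=fail header.from=gmail.com
From: Admin <admin@gmail.com>
To: me@receiver.example
Subject: Application from the website

Hello
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg, trusted_authserv):
    """spf/dkim/dmarc verdicts, taken only from headers stamped by our own
    receiving server; any other Authentication-Results may be forged."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts

def spoofing_findings(raw, trusted_authserv="mx.receiver.example"):
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    verdicts = auth_results(msg, trusted_authserv)
    findings = []
    # Simplified alignment: exact or subdomain match. Real DMARC compares
    # organizational domains using the Public Suffix List.
    if from_dom != env_dom and not from_dom.endswith("." + env_dom):
        findings.append(f"From domain {from_dom} != envelope domain {env_dom}")
    dmarc = verdicts.get("dmarc", "missing")
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc} for {from_dom}")
    return findings
```

SPF alone passes in the sample because it validates only the envelope domain, which is why the check looks at the From domain and the DMARC verdict instead.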

Why it works and what to do with it is no longer my business. But this possibility seems very dangerous: with its help you can mislead a huge number of people.

Source: https://habr.com/ru/post/416573/

