I wish to code a little service where I will be able to send an e-mail to a specific address used by my server to send specific commands to my server.
I’ll check against a list of permitted e-mail addresses to make sure no one unauthorized will send a command to the server, but how do I make sure that, say, an e-mail sent by “mrzombie@thezombie.net” really comes from “thezombie.net”?
I thought about checking the header for the original e-mail server’s IP and pinging the domain to make sure it is the same, but would that be reliable?
Example:
Server receives a command from mrzombie@thezombie.net
mrzombie@thezombie.net is authorized, proceed with checks
Server checks “thezombie.net”‘s IP from the header: W.X.Y.Z
Server pings “thezombie.net” for it’s IP: A.B.C.D
The IPs do not correspond, do not process command
Is there any better way to do that?
If you can solve this for generic e-mails, you solved the problem of SPAM.
Given that the mail headers are free form text in which anyone can claim anything, you can’t do any sort of authorization nor authentication based on the mail headers. Your best bet is to authenticate the content, and there are protocols for that like S/MIME or PGP. They rely on cryptography for authentication and your server will be able to verify that the content is signed by a certificate you trust. But you’ll move the burden on the mail sender that will have to send a properly signed message. Most mail readers though support adding digital signatures to content.