Greetings,
I just installed Webform for the first time, and quickly set up a simple "Contact Us" form that has name/email/comment fields. Anonymous users can submit the form. The entity submitting the form gets a copy of the email.
A day later, I received two bogus submissions minutes apart from separate and obviously compromised/botted hosts. In both cases, the recipient domain in the email field is bogus, meaning that it doesn't exist in DNS. It is just random alphabetic strings. The result is (1) the email to the recipient gets bounced to postmaster, and (2) the bogus submission winds up in my mailbox, wasting my time. In both cases, two unnecessary emails have been generated.
I'd like Webform to offer an option of, prior to handing off to the local MTA (sendmail, whatever), doing a verification step on the string after the '@' in the email address. If the domain exists and has a valid A or MX record, let it through. If not, throw an error.
Truth be told, I think the code necessary to cover all the edge and corner cases of address validation is breathtaking. If PHP can do a simple set of DNS queries on the recipient domain, that would be good enough as a first step....
Comment | File | Size | Author |
---|---|---|---|
#4 | email.inc_.diff | 675 bytes | jubalkessler |
Comments
Comment #1
jubalkessler
I should add that I'm requesting the domain-verification feature for the 'email' type in form components.
Comment #2
quicksketch
I don't doubt that such a scenario is uncommon, but I don't think it's a very high priority to implement, especially considering it may be prone to rejecting valid e-mail addresses (thus causing an even worse situation). I'll consider any patches submitted to add this functionality, but right now Webform is simply using the Drupal core valid_email_address().
Comment #3
jubalkessler
Here's a patch to components/email.inc that simply checks whether the domain part of the entered email address has an MX or A record. This set of DNS lookups is exactly what a typical MTA does when it, in turn, gets the handoff from the webform and attempts to validate the passed recipient address. If DNS validation fails on the form, the MTA will never be in a position of generating an email bounce, and the human entering the form gets to fix the error.
By the way, I'm pretty sure this may not be complete enough as a patch for your module's use. (I'm very new to Drupal.) I just put this out to see if it worked, and it did.
I'm also pretty sure there are going to be rare cases where DNS is having a bad day, so a more complete (and "safer") patch might include a checkbox or other human-encouraged bypass mechanism to say "really submit, despite warnings?" -- in which case the form will successfully submit and MTA will silently deal with the aftermath, as it does now.
Note that if the Drupal installation depends on a local or smarthosted (e.g. upstream) MTA, then the server that Drupal resides on most likely has to be able to resolve the domain part of the email address anyway.
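The MX-then-A lookup discussed in comment #3, as an added example that is not the patch attached to this issue and not Webform code. The function name `email_domain_status()`, the injectable resolver, and the sample zone data are assumptions made for illustration; the stub lets it run without network access.

```php
<?php
/**
 * Hypothetical helper: classify the domain part of an address as
 * 'ok', 'malformed' or 'no_mail_host'.
 * $lookup has the same signature as PHP's checkdnsrr($host, $type): bool.
 */
function email_domain_status(string $address, ?callable $lookup = null): string {
  $lookup = $lookup ?? 'checkdnsrr';
  $at = strrpos($address, '@');
  if ($at === false || $at === 0 || $at === strlen($address) - 1) {
    return 'malformed';
  }
  $domain = strtolower(substr($address, $at + 1));
  // Reject anything that is not a syntactically valid hostname before touching DNS.
  if (filter_var($domain, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
    return 'malformed';
  }
  // A trailing dot makes the name fully qualified, so the resolver's
  // search list is not appended to it.
  $fqdn = rtrim($domain, '.') . '.';
  // An MTA tries MX first and falls back to address records.
  foreach (['MX', 'A', 'AAAA'] as $type) {
    if ($lookup($fqdn, $type)) {
      return 'ok';
    }
  }
  // checkdnsrr() returns false both when no record exists and when the
  // lookup itself fails, so this result cannot tell a bogus domain from
  // a resolver outage. Treat it as a warning, not a hard rejection.
  return 'no_mail_host';
}

// Constructed zone data standing in for DNS (reserved .example/.invalid names).
$zone = [
  'mail.example.'      => ['MX'],
  'host-only.example.' => ['A'],
];
$stub = function (string $host, string $type) use ($zone): bool {
  return in_array($type, $zone[$host] ?? [], true);
};

$samples = ['alice@mail.example', 'bob@host-only.example',
            'x@qzjvkw.invalid', 'no-at-sign'];
foreach ($samples as $addr) {
  printf("%-24s %s\n", $addr, email_domain_status($addr, $stub));
}
```

Calling `email_domain_status($address)` without the second argument uses the real `checkdnsrr()`.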
Comment #4
jubalkessler
Forgot to attach the diff.
Comment #5
quicksketch
I won't be adding this functionality to Webform because it seems prone to false positives especially considering the variety of software and platforms that Drupal is installed upon. I'd suggest implementing this as a separate module, that way you can leverage this same protection throughout your Drupal site, including things like user registration, comments, or the contact form.
Comment #6
rmcom
I would also be very interested in some form of email verification for webform email fields (including the simplenews email field) for a number of applications.
This has been a recurring feature request over the past years (e.g. 144352), but I fully share quicksketch's concern to add it to webform core.
A potential solution could be:
Integrate the functionality of the Email Verify module into Webform via an optional webform module that would allow using the Email Verify module's functionality instead of
From the Email Verify page:
My coding skills are not at that level, but I am happy to test anything you throw at me.
Comment #7
quicksketch
That sounds great, but working on such a module isn't what the Webform issue queue is used for. This is for features that will be included in the module itself. As I said above, we won't be including this functionality directly in the module.