Greetings,

I just installed Webform for the first time, and quickly set up a simple "Contact Us" form that has name/email/comment fields. Anonymous users can submit the form. The entity submitting the form gets a copy of the email.

A day later, I received two bogus submissions minutes apart from separate and obviously compromised/botted hosts. In both cases, the recipient domain in the email field is bogus, meaning that it doesn't exist in DNS. It is just random alphabetic strings. The result is (1) the email to the recipient gets bounced to postmaster, and (2) the bogus submission winds up in my mailbox, wasting my time. In both cases, two unnecessary emails have been generated.

I'd like Webform to offer an option of, prior to handing off to the local MTA (sendmail, whatever), doing a verification step on the string after the '@' in the email address. If the domain exists and has a valid A or MX record, let it through. If not, throw an error.

Truth be told, I think the code necessary to cover all the edge and corner cases of address validation is breathtaking. If PHP can do a simple set of DNS queries on the recipient domain, that would be good enough as a first step....

Comment | File | Size | Author
#4 | email.inc_.diff | 675 bytes | jubalkessler

Comments

jubalkessler’s picture

I should add that I'm requesting the domain-verification feature for the 'email' type in form components.

quicksketch’s picture

I don't doubt that such a scenario is uncommon, but I don't think it's a very high priority to implement, especially considering it may be prone to rejecting valid e-mail addresses (thus causing an even worse situation). I'll consider any patches submitted to add this functionality, but right now Webform is simply using the Drupal core valid_email_address().

jubalkessler’s picture

Here's a patch to components/email.inc that simply checks whether the domain part of the entered email address has an MX or A record. This set of DNS lookups is exactly what a typical MTA does when it, in turn, gets the handoff from the webform and attempts to validate the passed recipient address. If DNS validation fails on the form, the MTA will never be in a position of generating an email bounce, and the human entering the form gets to fix the error.

By the way, I'm pretty sure this may not be complete enough as a patch for your module's use. (I'm very new to Drupal.) I just put this out to see if it worked, and it did.

I'm also pretty sure there are going to be rare cases where DNS is having a bad day, so a more complete (and "safer") patch might include a checkbox or other human-encouraged bypass mechanism to say "really submit, despite warnings?" -- in which case the form will successfully submit and MTA will silently deal with the aftermath, as it does now.

Note that if the Drupal installation depends on a local or smarthosted (e.g. upstream) MTA, then the server that Drupal resides on most likely has to be able to resolve the domain part of the email address anyway.
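
The check described in the comment above, as an added example (this is not the attached email.inc_.diff, which is not reproduced on this page). The `example_*` function names, the `$lookup` parameter and the zone data are hypothetical; `$lookup` defaults to PHP's real `checkdnsrr()`, and the sample run swaps in a constructed resolver so it works offline.

```php
<?php
// Added example, not the attached patch. All example_* names and the $lookup
// parameter are hypothetical; $lookup has the signature of checkdnsrr().

// TRUE if the domain part has an MX record or, failing that, an address record.
function example_email_domain_resolves($mail, $lookup = 'checkdnsrr') {
  $at = strrpos($mail, '@');
  if ($at === FALSE) {
    return FALSE;
  }
  $domain = rtrim(substr($mail, $at + 1), '.');
  if ($domain === '') {
    return FALSE;
  }
  // MX first; a domain with no MX still takes mail at its A/AAAA address.
  foreach (array('MX', 'A', 'AAAA') as $type) {
    // Trailing dot: fully qualified, so no resolver search suffix is appended.
    if (call_user_func($lookup, $domain . '.', $type)) {
      return TRUE;
    }
  }
  return FALSE;
}

// Returns NULL to accept the value, or an error message for the form.
// $confirmed is the "really submit, despite warnings?" override.
function example_validate_email_field($mail, $confirmed = FALSE, $lookup = 'checkdnsrr') {
  if ($confirmed || example_email_domain_resolves($mail, $lookup)) {
    return NULL;
  }
  return 'The domain in this e-mail address has no MX or A record. '
    . 'Correct the address, or confirm to submit anyway.';
}

// Constructed zone data standing in for DNS so the example runs offline.
$zone = array('example.org.' => array('MX'), 'example.net.' => array('A'));
$fake_dns = function ($host, $type) use ($zone) {
  return isset($zone[$host]) && in_array($type, $zone[$host]);
};

$samples = array('a@example.org', 'b@example.net', 'c@qzxvkwpl.invalid');
foreach ($samples as $mail) {
  $error = example_validate_email_field($mail, FALSE, $fake_dns);
  echo $mail, ': ', ($error === NULL ? 'accepted' : $error), "\n";
}
// Same bogus address with the override ticked: accepted, left to the MTA.
$error = example_validate_email_field('c@qzxvkwpl.invalid', TRUE, $fake_dns);
echo 'override: ', ($error === NULL ? 'accepted' : $error), "\n";
```

`checkdnsrr()` returns only a boolean, so a resolver failure looks the same as a domain that does not exist; the override path is what keeps a valid address from being locked out in that case.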

jubalkessler’s picture

File | Size
email.inc_.diff | 675 bytes

Forgot to attach the diff.

quicksketch’s picture

Status: Active » Closed (won't fix)

I won't be adding this functionality to Webform because it seems prone to false positives especially considering the variety of software and platforms that Drupal is installed upon. I'd suggest implementing this as a separate module, that way you can leverage this same protection throughout your Drupal site, including things like user registration, comments, or the contact form.

rmcom’s picture

Title: Verify email-recipient domain please » Verify webform-submitted email address
Version: 6.x-2.7 » 6.x-3.x-dev
Status: Closed (won't fix) » Active

I would also be very interested in some form of email verification for webform email fields (including the simplenews email field) for a number of applications.

This has been a recurring feature request over the past years (e.g. 144352), but I fully share quicksketch's concern to add it to webform core.

A potential solution could be:

Integrate the functionality of the Email Verify module into Webform via an optional webform module that would allow using the Email Verify module's functionality instead of

  • patching around,
  • adding this to webform core, or
  • creating a new module.

From the Email Verify page:

This module tries to solve this problem by checking that the address really exists when it is entered by the user. First, it checks if the domain/host part exists at all, and reports an error if it does not. I found that this step alone catches between 1/2 and 2/3 of typos. Second, it tries to validate the user name too, by sending a HELO/MAIL FROM/RCPT TO chain of commands to the SMTP servers for the found host. Some hosts will not reveal if the user name is valid ("catch-all policy") while others might refuse the check for some reason (for instance, some hosts refuse deliveries from IPs delivered to home users by Internet access providers). When in doubt, we try to play it safe and rather accept some invalid addresses than to refuse valid ones.

My coding skills are not at that level, but I am happy to test anything you throw at me.

quicksketch’s picture

Status: Active » Closed (won't fix)

Integrate the functionality of the Email Verify module into Webform via an optional webform module that would allow using the Email Verify module's functionality instead of

That sounds great, but working on such a module isn't what the Webform issue queue is used for. This is for features that will be included in the module itself. As I said above, we won't be including this functionality directly in the module.