Mail Security Problems Mail.ru / SurprizingFacts

Two years ago I wrote a simple PHP script for a feedback form. The messages were delivered to a mail.ru mailbox. As I found out later, the script contained an error: in the "From" header I inserted the client's email address (which, in effect, forges the sender), but the messages arrived and everything seemed fine.

Source code:

  $email = $_POST['email'];
  $headers .= "From: " . $email . "\r\n";

Not so long ago I noticed that the submissions had stopped arriving. I checked the form: it did not work. This was puzzling, because nobody had touched anything and for two years everything had worked fine. In the course of experiments it turned out that if you use this code:

  $email = "Sberbank >\r\n";

Then it is possible to forge absolutely any sender (in this case, Sberbank).

The messages land in the inbox; they are not flagged as spam right away. The Mail.ru web interface shows the notice "We can not verify the authenticity of the sender", but if you fetch the mail with a client program (Outlook, for example), there is of course no such notice.

The key element is the extra ">" character. Without it, a message with a forged sender is, as expected, not delivered. Evidently Mail.ru has an error in its header processing.
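A hardened version of the form's mail step, added here as an example and not taken from the article: the visitor's address is validated and placed in Reply-To, while From is an address the site itself controls, so the message is no longer a forgery of the visitor's (or anyone else's) domain. The function names `clean_reply_address` and `send_feedback` and the example.com addresses are assumptions.

```php
<?php
// Added example, not the article's original script.
declare(strict_types=1);

/**
 * Return the visitor's address if it is a single bare addr-spec with no
 * header-breaking characters; otherwise return null.
 */
function clean_reply_address(string $raw): ?string
{
    $addr = trim($raw);
    // Reject CR, LF and NUL (they end the header line or start a new one)
    // and anything that is not a plain address: no display name, no angle
    // brackets, no comments, no whitespace. The article's value
    // "Sberbank >\r\n" fails this check before it reaches the header.
    if (preg_match('/[\r\n\x00<>"(),;:\\\\\s]/', $addr)) {
        return null;
    }
    // Second, independent check with PHP's built-in address validator.
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $addr;
}

function send_feedback(string $visitorEmail, string $message): bool
{
    // Hypothetical: an address on a domain whose mail policy covers this server.
    $siteFrom = 'feedback@example.com';

    $reply = clean_reply_address($visitorEmail);
    if ($reply === null) {
        return false; // refuse to send rather than let a forged header through
    }

    // The visitor goes into Reply-To; From stays under the site's control.
    $headers  = "From: Feedback form <{$siteFrom}>\r\n";
    $headers .= "Reply-To: {$reply}\r\n";
    $headers .= "Content-Type: text/plain; charset=UTF-8\r\n";

    return mail('owner@example.com', 'Feedback form', $message, $headers);
}
```

Replying to a form message still reaches the visitor, because mail clients use Reply-To when it is present.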

I checked this bug on Yandex. Yandex has no such problem (a message with a forged sender does not even make it into the "Spam" folder).

P.S. The Mail.ru representative said "we do not consider this situation a mistake" (the exact quote), so I am publishing this information with a clear conscience.