POSTFIX: for a given sender allow only a set of recipients from same domain - postfix-mta

I have a mail system, sampleMail.com, with 100 users. There are 10 less-privileged users. I want to restrict the less-privileged users so that they can send mail only to a group of FIVE selected mail IDs in sampleMail.com, not to any other mail ID.
How do I implement it?
Please help.

Related

Firebase: Securing records by email address when users can use fake addresses

I'm making a web app where you pay to use it first and then sign in. The sign up workflow is this:
Once a payment is made on my website, the client receives an order ID that is associated with their email address. The client sends this to a Firebase Function endpoint to activate their order.
The Firebase Function checks the order ID is valid and creates a Firebase user with a long random password (to prevent anyone from signing in), then sends a password reset email. A "payment" record is created in Firestore and associated with the user ID.
The user follows the password reset email then logs into my app. The paid features are activated if Firestore contains a payment associated with that user ID.
This all seems fine except:
A malicious user Bob could, outside of my control, create a user for email "x@example.com" that he doesn't own and sign in using the Firebase client SDK.
Alice then makes a payment for her email "x@example.com".
Bob will still be signed in and can now use the features Alice paid for.
How do I prevent this?
One idea I had was the above Firebase Function could check if user "x@example.com" exists with an unverified email address and if so it would 1) delete that user and 2) create a user for that email address again (creating a new unique user ID). Bob would then have a different user ID than the one associated with the email address so couldn't access the payment record. However, this breaks if Alice makes two payments without validating her email after the first payment. What's a robust way of solving this?
Consider verifying the email before processing the transaction.
One option is to use sign in with email link. This will sign in the user and verify their email. You can also set a password after if you want. If an existing unverified provider is linked to the account, it will be unlinked and any existing session that a malicious user had previously set up will be revoked.

Email Goes to junk in Hotmail

Email is sent using Amazon Simple Email Service from my website. When an email is sent to any Yahoo or Gmail address, it is delivered to the Inbox; but when it is sent to Hotmail, it is delivered to Junk.
Why does only Hotmail treat my email as junk?
When an external user sends email messages to an Outlook.com account,
SmartScreen® filter technology evaluates the content of the messages
and assigns each message a rating based on the probability that it is
a junk email. This rating is stored as a message property called a
spam confidence level (SCL) within the message itself. The SCL rating
stays with the message as it is sent to other anti-spam protection
layers within Outlook.com. Rules inside Outlook.com are set to handle
email messages with various SCL ratings. If a message has an SCL
rating lower than a certain threshold, it is considered to be spam,
and a rule then deletes the message rather than sending it to the
user's junk email folder. If the message has a higher SCL rating than
the threshold, the email is delivered to the user's junk email folder
rather than to the inbox.
https://mail.live.com/mail/junkemail.aspx
Not all anti-spam systems depend only on 3rd party blacklists. Major email service providers build their own reputation tables in addition to using major 3rd party blacklists like Spamhaus, Barracuda etc. In your case, you are using Amazon SES to send mails.
I myself have found an enormous number of marketing mails coming from Amazon SES. If the reputation of your email service provider is bad in Hotmail then it may trigger the suspicious level of your mail regardless of your email service provider's reputation at other blacklist providers. In addition to this, if your subject or body content contains some suspicious words then your mail will end up in the junk folder.
Most emails sent from third party applications such as Wordpress, Joomla, or Amazon get diverted to junk and sometimes they fail and get stuck behind a security layer. I know for a fact with Wordpress Contact Form 7, this is the case many times.
After so many years and finally attending a seminar for this particular issue, I finally was able to solve this problem specifically for Hotmail (Outlook.com).
Before you do anything ensure your SMTP settings in your web config file (ASP.NET) are written correctly or in case of plugins (Wordpress) make sure the fields are filled correctly. This means ensuring these are the settings you are using for Outlook:
From: your email ("asdf@outlook.com")
From Name: "Your name or company name"
Host: smtp.live.com
Type of Encryption: TLS
SMTP Port: 587
SMTP Authentication: Yes
Username: Same you use to login (usually the complete email address)
Password: Enough said there
IMPORTANT - Send a test email even if it fails. The point is to trigger an activity in Outlook and have them flag it as an unauthorized connection.
Now, to the fix:
Go to Outlook.com
Login
Go to Account Settings
Choose Security & Privacy
Click on "See my recent activity"
The most recent activity should be the failed attempt. Authorize it as a trusted connection.
Done!
Re-test and you shall see your emails showing in the inbox as an authorized connection. Doing these steps lets Outlook know that your emails from Amazon are legitimate connections and not Amazon trying to spam your account with solicitations etc.
Mostly it is an email service provider specific thing, but you can do the checks below:
Ensure valid sender email address
Try not to use keywords like gift, prize etc. which are preferably spam activities
Try using https://litmus.com which may help on this/ rendering email in different email clients

ASP MVC one time login

Given the following scenario:
I have an email address.
I want the owner of that email address to click on a link that I send to him by email.
The page that I want the user to visit must be protected by a password, this password can be included in the mail that I send to him.
The site that the user is interacting with is using the simple membership provider for the regular users, but I don't want to use that system for this special one time visitor, as it leads to more tasks administering and cleaning up.
What are my alternatives?
When you send the email to the user, generate a random password and save it in the table against the email address. You will also store some unique id that you will pass it to the link you provide in the email. This unique id in the url will be used to identify the email address and also the one time password (OTP). It is also better to have an expiry date for the password. So your database table will have the following columns.
Unique Link Id
Email address
One Time Password
Expiry Date
That's it. When the link is clicked, access the unique id, ask OTP to the user and validate.
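The table described in this answer, as an added Python example that is not part of the original answer. The in-memory dict standing in for the database table and the names `issue_link`, `redeem` and `MAX_FAILURES` are assumptions; storing only a digest of the password, deleting the row on first successful use, and capping wrong guesses go beyond the four columns the answer lists.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

MAX_FAILURES = 5   # hypothetical cap on wrong guesses per link
LINKS = {}         # stand-in for the table: link_id -> row

def _digest(link_id, password):
    # Bind the digest to the link id so a row cannot be swapped onto another link.
    return hashlib.sha256(f"{link_id}:{password}".encode()).hexdigest()

def issue_link(email, ttl_minutes=30, now=None):
    """Create a row and return (link_id, password) to put in the email."""
    now = now or datetime.now(timezone.utc)
    link_id = secrets.token_urlsafe(32)    # unguessable id carried in the URL
    password = secrets.token_urlsafe(12)   # random one-time password (96 bits)
    LINKS[link_id] = {
        "email": email,
        "otp_hash": _digest(link_id, password),  # plaintext is never stored
        "expires_at": now + timedelta(minutes=ttl_minutes),
        "failures": 0,
    }
    return link_id, password

def redeem(link_id, password, now=None):
    """Return the email address on success, None on any failure."""
    now = now or datetime.now(timezone.utc)
    row = LINKS.get(link_id)
    if row is None:
        return None
    # Expired or over-guessed rows are removed, which also handles cleanup.
    if now >= row["expires_at"] or row["failures"] >= MAX_FAILURES:
        del LINKS[link_id]
        return None
    # Constant-time comparison avoids leaking how much of the digest matched.
    if not hmac.compare_digest(row["otp_hash"], _digest(link_id, password)):
        row["failures"] += 1
        return None
    del LINKS[link_id]   # one-time: the row is gone after first success
    return row["email"]
```

Because rows are deleted on success, expiry or lockout, the one-time visitor leaves nothing behind to administer, which is the concern raised in the question.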

Symfony 2 how to send invitation

I created a website using Symfony2. I installed and set up FOSUserBundle and it works perfectly.
I have users with the manager privilege and I would like them to be able to send email invitations to other users in order to register on my site, but in a very specific user group, the same as the invitation sender's.
What is the best approach to do this?
Thanks in advance.
The only way I can think of is that you'd have to keep track of the invitations, so an entity of who the inviter is, who the recipient is (email address and name if provided), and a random unique token of about 25 characters so that you can do a reverse lookup on who the inviter is when they accept the invite. This way you can automatically assign them a user group based on who the inviter is.

Check if mail sent is in recipient's inbox/junk in asp.net using C# ?

I am developing software, and for that I want to know: if I send an email, how can I check whether the sent email is in the recipient's inbox or junk folder?
I am using ASP.NET and C# for this.
Please reply.
You can't detect what is done with the email once it is delivered to the user's inbox other than requesting a delivery receipt and a read receipt, but the user can opt out of these.
The best way to avoid being marked as spam is to use a trusted third party service such as Campaign Monitor or MailChimp.
Failing that you should make sure that your email has a proper from address set, that you have set up SPF records to allow the sending IP official permission to send email on behalf of the from domain, keep your html to content ratio reasonable and if possible use an email address that your customers have already received an email from before so that there is a higher chance that the address is already in a whitelist.
You really can't because there are many different email spam solutions out there and they don't send a status back saying whether they delivered the email to the recipient or not. What you can do is send an email with a tracker to see if the receiver opened it.
http://www.aspnetemail.com/samples/emailtracker/default.aspx
