
mailtester.com false negatives? #8

Closed
0xmilan opened this issue Jan 4, 2020 · 6 comments
0xmilan commented Jan 4, 2020

Hi,

I don't think I ever got a positive result for the RFC 2142 check.
Could it be possible that mailtester.com is blocked on major email service providers?

As an example, run contact.sh on arduino.cc:
```shell
./contact.sh -d arduino.cc
```
[screenshot: contact.sh output for arduino.cc]

The tool finds security.txt which states that the security@ address should be used.
Still, the mailtester.com check says that security@arduino.cc is not valid.

Manually checking the email address on mailtester.com gives the following result:
[screenshot: mailtester.com result for security@arduino.cc]

"The user you are trying to contact is receiving mail at a rate that prevents additional messages from being delivered. Please resend your message at a later time. If the user is able to receive mail at that time, your message will be delivered. For more information, please visit https://support.google.com/..."

Sounds like Google is blocking this service from enumerating email addresses?
Sending an email to security@arduino.cc simply through gmail gives no errors.

EdOverflow (Owner) commented
Yes, you are right. Some mail servers do not allow mailtester.com to validate mail addresses. As you pointed out, that is why you are seeing that error message. It works in some cases though as illustrated below:

[screenshot: mailtester.com result]

Please let me know if you experience any issues with the example above.

EdOverflow added the bug label Jan 4, 2020
0xmilan commented Jan 4, 2020

I get the same results as your screenshot when manually checking at https://mailtester.com/index.php.
However, contact.sh has the following output:

```
[+] Doing an RFC 2142 check (security@amazon.com)
 | Confidence level: ★ ★ ☆
security@amazon.com is not valid.
```

Running the curl command, this is the response:

```html
<html>
<head><title>302 Found</title></head>
<body bgcolor="white">
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.6.2</center>
</body>
</html>
```

grep will never find "E-mail address is valid" in that :)

Change the URL to https://mailtester.com/index.php and you get a valid response:

```shell
curl --max-time 9 -X POST --silent https://mailtester.com/index.php -d "email=security@amazon.com" | grep "E-mail address is valid"
<td bgcolor="#00DD00">E-mail address is valid</td></tr>
```

Edit:
Actually, testmail.php works too. The redirect was simply happening because of HTTP > HTTPS.

EdOverflow (Owner) commented
Ah, looks like they may have introduced a redirect since I first wrote this tool. Thank you for pointing that out. Should be an easy fix. :)

0xmilan commented Jan 5, 2020

Yep, I just changed http to https for the mailtester.com request and it works fine with amazon.com.

EdOverflow (Owner) commented
I think this issue should be fixed now. Thank you for taking the time to submit an issue ticket, @milangfx! :)

0xmilan commented Jan 7, 2020

Thanks for the fix :)
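The thread shows two distinct ways the RFC 2142 check can report a false negative: the plain-http request is answered by an nginx 302 page (so `grep` never sees the "valid" marker), and some receiving mail servers throttle the probe (the Google message quoted above), which is also not a statement that the address is invalid. The script below is an added example, not contact.sh's own code or mailtester.com's API: it posts over https, keeps the request a POST if a redirect is still returned, and distinguishes "positively verified" from "redirected", "throttled" and "unverified" instead of treating everything except the valid marker as an invalid address. The URL and the `email` form field are taken from the curl command in this issue; the sample response bodies are constructed for offline use, and the redirect and throttling patterns are assumptions modelled on the text quoted in the thread.

```shell
#!/bin/sh
# Added example, not contact.sh's own code. Reproduces the RFC 2142 check from
# this issue but separates "the probe proved the address valid" from "the probe
# never got a usable answer", so a redirect or a throttling reply is not
# reported as an invalid address.
#
# Assumptions (not from the original page): the form field name "email" and
# the "valid" marker come from the curl command in the thread; the redirect
# and throttling patterns are modelled on the 302 page and the Google bounce
# text quoted in the issue.

MAILTESTER_URL="https://mailtester.com/index.php"   # https: the http URL only returns a 302

# classify_mailtester_response BODY
#   Prints one of: valid | redirect | throttled | unverified
classify_mailtester_response() {
  body="$1"
  if printf '%s' "$body" | grep -q 'E-mail address is valid'; then
    echo valid
  elif printf '%s' "$body" | grep -q '<title>30[12]'; then
    # Answered by the web server's redirect page, not by the form handler:
    # nothing about the address was checked.
    echo redirect
  elif printf '%s' "$body" | grep -qi 'rate that prevents additional messages'; then
    # The remote MX refused the probe (the Google message in the thread);
    # the address may well exist.
    echo throttled
  else
    # Absence of the "valid" marker is not evidence that the address is invalid.
    echo unverified
  fi
}

# mailtester_check ADDRESS
#   Runs the live probe. Returns 0 only when the address was positively verified.
#   --post302/--location keep the request a POST if a redirect is still served;
#   a bare -L would turn the POST into a GET and drop the form data.
mailtester_check() {
  addr="$1"
  body=$(curl --max-time 9 --silent --show-error --location --post302 \
         --data-urlencode "email=${addr}" "$MAILTESTER_URL") \
    || { echo "${addr}: curl failed" >&2; return 2; }
  verdict=$(classify_mailtester_response "$body")
  echo "${addr}: ${verdict}"
  [ "$verdict" = valid ]
}

# Constructed sample bodies (not captured from mailtester.com) for offline use.
SAMPLE_VALID='<tr><td bgcolor="#00DD00">E-mail address is valid</td></tr>'
SAMPLE_REDIRECT='<html><head><title>302 Found</title></head><body><center><h1>302 Found</h1></center><hr><center>nginx/1.6.2</center></body></html>'
SAMPLE_THROTTLED='<td>The user you are trying to contact is receiving mail at a rate that prevents additional messages from being delivered.</td>'

# The live probe runs only when an address is supplied via the environment,
# so the functions above can be sourced or tested without network access.
if [ -n "${MAILTESTER_ADDR:-}" ]; then
  mailtester_check "$MAILTESTER_ADDR"
fi
```

Run it as `MAILTESTER_ADDR=security@example.com sh rfc2142-check.sh`; a tool that consumes the verdict should lower its confidence on `redirect`, `throttled` and `unverified` rather than print "is not valid", since only `valid` carries information about the mailbox.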
