Geek Answers Handbook

Accept image files by email from any address.

I am trying to create a service in which someone can send an image file from an email / client address and process it. Think of the service as a bit like Flickr , which shows an image in the control panel that arrives via email

In terms of ease of use, this mechanic offers a great advantage, but I want to understand the security implications of such an action . Some problems:

  • I need to check all these files as images
  • Perhaps people may send an exploit / code file, which may be a problem. But in my case, I'm basically going to make the file open and save and let the browser display the image

Am I right here? Are there any serious consequences that I should be?

+8
security file email transfer
source share
3 answers

What you should do and take into account.

  • Make sure your mail server is configured for virus scanning, update it. This will be the first line of defense.

  • When an email arrives, try to process the image in the famous rock-massive library.

  • Keep in mind that many emails contain several images, some of which may have nothing to do with the one they send. For example, our company emails include our logo below. I'm not quite sure what this decision is, but you want to take it into account.

  • Different email clients handle image attachments, well, differently. Sometimes it’s like a normal attachment, sometimes it is built into the body. Even within the same client, the image can be processed differently depending on whether they sent a letter in the form of text with attachments or HTML-mail.

  • People will test your system. They will send .js files, they will send images with header headers to overflow the image processing library ...

  • Consider applying specific email restrictions, such as SPF Validation .

  • Get ready to get absolutely huge images. Today, cameras take very large photographs, and many people do not know what culture or resizing means. You might want to set a limit of 15 MB or more for each email address arriving at your server. Then, in combination with C # 2 above, automatically resizing images to something more acceptable.

  • Define the mechanism that you really want to use to notify the user of any problems. Keep in mind that this mechanism is prone to abuse. For example, consider a spam message sent to your computer with a response to the headers coming to the victim.

If you are using .net, see this for a possible way to confirm the file - this is an image: How to determine if a file is an image file in .NET?

+7
source share

I'm not saying that it is 100% safe (can you ever be 100% safe?), But here is something you can try:

Suppose you have an alias for your postfix (or any other mail system) that redirects incoming messages to a php / bash / python script for further processing.

The first thing I would like to do is use the image manipulation library (say imagemagick) and convert all incoming files to .png format or something else, and just continue your logic if the conversion is successful.

Thus, if someone sends you any malicious attachments (php exploit, jar's, swf's, anything), the conversion will fail and, therefore, it will be ignored by your system.

Edit: ImageMagick has an "ident" command that does exactly what you want.

+6
source share

Emails can be easily spoofed , which means that I can send an email from an email address that does not belong to me.

It may also help: A safe way to load images in PHP ...

+3
source share

More articles:


All Articles