Laws (US) governing e-mail.
Vladdy
10-24-2003, 01:42 AM
Long story short:
I'm developing a form for a client who would like the submitted data to be sent to him by e-mail and have "From" field set to the address submitted by the user so it is convenient for him to reply.
His hosting company tells me that they only permit his domain address in the "from" field because:
it is illegal to use forged e-mail addresses in the "from" field
The only laws I'm aware of which apply to e-mails are anti-spam laws. However I do not see them being relevant in this case because all the e-mails will be sent to one "hard coded" address which belongs to my client. So even if a user enters bogus e-mail address the only one "spammed" will be my client who requested this functionality in the first place.
Am I missing something here, or is his host just too unresponsive to change the SMTP configuration and BSing me with legal stuff???
Spookster
10-24-2003, 02:06 AM
I think they are trying to blow smoke up your you know what. They are probably just afraid someone will figure out a way to exploit the script with that. Using the user's email in the from field is how many form processing scripts work that require a response to be sent back to the user that submitted it. That way when the email gets sent to you, you can then just reply back to it.
I do that all the time when I write scripts for clients. I've never come across a host that said anything about it.
Now if you allowed people to enter in the To address that would be another story as people would easily exploit that and send spam through it.
oracleguy
10-24-2003, 03:15 AM
Originally posted by Spookster
I think they are trying to blow smoke up your you know what. They are probably just afraid someone will figure out a way to exploit the script with that. Using the user's email in the from field is how many form processing scripts work that require a response to be sent back to the user that submitted it. That way when the email gets sent to you, you can then just reply back to it.
I agree, I'd tell the hosting company if they won't do it you are leaving.
liorean
10-24-2003, 11:05 AM
Hmm, do they mean illegal as by the laws, or illegal as breaking a standard? Or maybe illegal as breaking company policy...
Vladdy
10-24-2003, 12:26 PM
Thank you gentlemen for confirming my thoughts.
I have never had a problem using a submitted e-mail address in a From field and was quite surprised when the code I always use did not work on this particular host. Not only do they disallow any addresses in a From field that do not come from my client's domain, there is no error thrown nor notification sent when an "illegal" address is used. So you can imagine I'm quite POed after spending a day trying to figure out why I'm not getting any e-mails on form submission when I just copied and pasted code that worked perfectly fine on a dozen other servers.
They did not say "It's against our company policy" - I would have stopped any further discussion and recommended my client to change hosts - they're a dime a dozen nowadays anyway. They said it is illegal (I'm leaving the name of the hosting company so others can benefit from my negative experience):
We do not allow forged email address to be used as a from because it is not legal.
Best Regards,
General Hosting
info@generalhosting.com
bcarl314
10-24-2003, 12:31 PM
Quite interesting. Of course, as mentioned in another thread here recently, it may not be a Federal law, but rather some goofy state, city, or other local jurisdiction in which the company resides that has such a law.
If you really want to know, ask them to cite the specific statute to which they are referring.
Could be interesting what their response is.
In my experience, over 80% of the time, people use "policy" and "law" as an excuse, not a reason. If you confront them, and say "Show me what you're talking about, I want to see the exact policy / law / section that addresses this.", they usually can't and back down.
oracleguy
10-24-2003, 04:15 PM
I got a plan with general hosting... I don't use it very much anymore, prolly gonna cancel it eventually.
I too had run into that problem but it never really mattered that much since I was using the hosting for a personal site.
Vladdy
10-24-2003, 11:40 PM
I thought I'd post the exchange I had with General Hosting Support since towards the end it acquired quite an entertainment value. Reminds me of all the jokes about customer support from hell:
From: "Vlad Krylov" <vlad@klproductions.com>
To: <support@generalhosting.com>
Sent: Tuesday, October 21, 2003 7:09 AM
Subject: support-contact
Dear Sir/Madam.
I'm doing web development for one of your clients, [client name], who has a SSL account ([account name])
The application involves taking form data online and sending a notification e-mail to my client's e-mail address [e-mail address]
It makes sense to set the "From" field to the e-mail address that was submitted by a web page visitor as a point of contact. However it seems that your server is set up to allow email only with "From" field set to "[client email]". Is it possible to change this configuration to allow arbitrary e-mail address in the "From" field?
My understanding is that the current configuration is aimed at eliminating the possibility of "spamming". Since these notification e-mails would be sent to a single address you may require either "To" or "From" address to be from [client domain] domain.
Regards,
Vlad Krylov
K&L Productions
____________________________________________________
From: General Hosting Support [mailto:support@generalhosting.com]
Sent: Tuesday, October 21, 2003 4:26 PM
To: Vlad Krylov
Subject: Re: support-contact
It could be anything @[client domain]
Best Regards,
General Hosting
info@generalhosting.com
____________________________________________________
From: "Vlad Krylov" <vlad@klproductions.com>
To: "General Hosting Support" <support@generalhosting.com>
Sent: Thursday, October 23, 2003 7:05 AM
Subject: RE: support-contact
The question was can you change the configuration to allow arbitrary address in the "From" field.
Vlad Krylov
K&L Productions
_____________________________________________________
From: General Hosting Support [mailto:support@generalhosting.com]
Sent: Thursday, October 23, 2003 11:28 AM
To: Vlad Krylov
Subject: Re: support-contact
We do not allow forged email address to be used as a from because it is not legal.
Best Regards,
General Hosting
info@generalhosting.com
_____________________________________________________
From: "Vlad Krylov" <vlad@klproductions.com>
To: "General Hosting Support" <support@generalhosting.com>
Sent: Friday, October 24, 2003 7:07 AM
Subject: RE: support-contact
Can you please reference the piece of legislature you are referring to.
If that is an anti-spam law I do not see it being applied in the case I described.
Even if a site visitor gives an invalid address in a form, this e-mail will be going to the hard-coded address of my client: [client email]
Using submitted e-mail address in the From field is a common practice in form processing when the results are sent to a predetermined e-mail address.
I have never heard of any laws prohibiting it.
Vlad Krylov
K&L Productions
_____________________________________________________
From: General Hosting Support [mailto:support@generalhosting.com]
Sent: Friday, October 24, 2003 3:40 PM
To: Vlad Krylov
Subject: Re: support-contact
This is correct. Any email submitted in the form can be transmitted in the email body of the message.
Best Regards,
General Hosting
info@generalhosting.com
_____________________________________________________
From: "Vlad Krylov" <vlad@klproductions.com>
To: "General Hosting Support" <support@generalhosting.com>
Sent: Friday, October 24, 2003 6:06 PM
Subject: RE: support-contact
I know that I can transmit any information in the email body. I need to be able to set the From field to the submitted e-mail address. How about providing me with a straight answer if you can change your server configuration; or should I recommend my client to find a hosting service that is more responsive to customer needs?
Vlad Krylov
K&L Productions
_____________________________________________________
From: General Hosting Support [mailto:support@generalhosting.com]
Sent: Friday, October 24, 2003 6:32 PM
To: Vlad Krylov
Subject: Re: support-contact
Our smtp server will only allow a from email address hosted with General Hosting.
Best Regards,
General Hosting
info@generalhosting.com
_____________________________________________________
oracleguy
10-25-2003, 12:30 AM
Yeah, their customer service leaves a lot to be desired. I kinda think it is a couple guys in a garage because whenever you call they immediately answer the phone... lol... or at least they used to, I haven't had to call them in a long time.
missing-score
10-25-2003, 12:53 AM
Sounds like they are just trying to cover themselves on the off chance that something could possibly happen...
how are you doing this? using the mail function? i just wondered if there was a work around by opening a mail socket or something like that...
but either way, i agree with oracleguy and tell them that ur leaving unless they sort something out
SDP2006
10-25-2003, 01:51 AM
Regarding the forged email, i made a nifty little PHP script that acted as an email client. In the "From" it would say whatever you specified in the form. You could be anyone and it would look real. I don't use it, I promise. It was just neat for me to make.
Vladdy
10-25-2003, 01:11 PM
While we have not strayed too far from the subject....
Can anyone recommend a decent SSL host (Windows, ASP, secure SMTP, CDONTS - so I do not have to rewrite the code :p )?
BrainJar
10-25-2003, 07:17 PM
It seems they are a little ahead of their time. The US Congress is looking to pass an anti-spam law which includes making forged headers illegal:
http://www.internetnews.com/IAR/article.php/3097451
It doesn't sound like it will do much to stop spammers but that's beside the point. Some states do have similar laws already (and they haven't worked either).
In any case, a hosting service can impose whatever terms they want in their user acceptance policy on top of any laws that may apply to them. Requiring a local email account in the From: header is not unusual. Forged headers are not hard to spot and the true originating IP can usually be found, so they are likely to get hate mail.
What you can do is add a Reply-To: header with the email address you want replies sent to. Most email clients will use that address when the user hits the "Reply" button and it's perfectly legitimate as the headers are still accurate.
oracleguy
10-26-2003, 12:21 AM
Originally posted by BrainJar
What you can do is add a Reply-To: header with the email address you want replies sent to. Most email clients will use that address when the user hits the "Reply" button and it's perfectly legitimate as the headers are still accurate.
That's a good idea, I hadn't thought of that. I dunno if you can set that header with CDONTS though.
Vladdy
10-27-2003, 01:33 AM
Thank you for the suggestions, everyone.
BrainJar
10-28-2003, 03:05 PM
Re: Setting Reply-To with CDONTS
Supposedly, this works:
Set objMail = Server.CreateObject("CDONTS.NewMail")
...
objMail.Value("Reply-To") = "myAccount@myHost.net"
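The Reply-To approach suggested above, as an added example that is not part of the original thread and is written in Python rather than the thread's ASP/CDONTS: From and To stay fixed on the site's own domain, and the visitor's address is used as Reply-To only after a strict check, so a submitted value containing line breaks or extra recipients cannot add headers. The addresses and the function names `clean_reply_to` and `build_notification` are assumptions made for illustration.

```python
import re
from email.message import EmailMessage

# Assumed addresses for illustration; both belong to the site owner's domain.
SITE_SENDER = "webform@client.example"
SITE_RECIPIENT = "owner@client.example"

# Deliberately strict: one bare address, no display name, no commas,
# no whitespace and no control characters.
_ADDRESS = re.compile(r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def clean_reply_to(submitted):
    """Return the submitted address if it is safe as a header value, else None."""
    candidate = submitted.strip(" ")
    if len(candidate) > 254 or not _ADDRESS.fullmatch(candidate):
        return None
    return candidate


def build_notification(submitted_email, message_text):
    """Build the form notification without putting visitor input in From or To."""
    msg = EmailMessage()
    msg["From"] = SITE_SENDER        # always the hosted domain, so headers stay accurate
    msg["To"] = SITE_RECIPIENT       # hard-coded, never taken from the form
    msg["Subject"] = "Website form submission"
    reply_to = clean_reply_to(submitted_email)
    if reply_to is not None:
        msg["Reply-To"] = reply_to   # what the mail client uses for "Reply"
    # The raw value goes in the body via repr(), so CR/LF show up as escapes.
    msg.set_content(f"Submitted address: {submitted_email!r}\n\n{message_text}")
    return msg


if __name__ == "__main__":
    # Constructed sample submissions: one normal, one carrying an extra header line.
    print(build_notification("visitor@example.org", "Please call me back."))
    print(build_notification("visitor@example.org\r\nBcc: someone@example.net", "hi"))
```

A rejected address still reaches the site owner in the message body, so nothing the visitor typed is lost; it just never becomes a header.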
Caffeine
10-28-2003, 03:30 PM
Oh dear :rolleyes:
Did they even read the mails you sent them ?
Well, it appears so, but did they understand ? No.
Did they want to understand ? Not very likely.
To me it looks like they really wanted to get you wrong, every single time!
This is why I always prefer the phone over e-mails, it is much easier to stress what you want and need over the phone. E-mails are often not taken as seriously and that's a shame. There are funnier things to do than spend your time waiting for someone to take your call.
Did it explicitly say you could not change the email-fields when you signed with them ?
Vladdy
10-28-2003, 04:10 PM
Originally posted by Caffeine
<snip />
Did it explicitly say you could not change the email-fields when you signed with them ?
I'm redesigning a site for a client who already had an account with them. He is currently looking for a new SSL host... ;)