• At the end of the WordPress installation process, it sends an e-mail message containing the password to the new administrator.

    However, WordPress sends this message from “wordpress@<domain name>”. That address may not exist (in fact, it probably doesn’t), which can cause problems: in particular, anti-spam systems that check the validity of the sender address will fail (I’ve actually seen this happen).

    WordPress should not use a fake, probably nonexistent sender address like this. When PHP is using sendmail (which most are), it’s better to not specify the sender address at all; most hosting environments are (or should be) configured with a reasonable working default.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    I just create an alias for my [email protected]. It’s just easier and I get replies back to a real account.

    anti-spam systems that check the validity of the sender address will fail (I’ve actually seen this happen).

    Then get another anti-spam system. Whitelisting names is just another way to guarantee that mail does not get delivered. Also, how exactly do you check the validity of a sender address? Sender domain is easy to check, but the sender within the domain?

    When PHP is using sendmail (which most are), it’s better to not specify the sender address at all; most hosting environments are (or should be) configured with a reasonable working default.

    That would fall under the idea of DIAW. If a mail server gets a badly formed address, it may append the domain for the sender, but you need to have something. If it defaults to the user ID of the web server process (such as apache2 or www-data) how is that better than [email protected]?

    Thread Starter tigertech

    (@tigertech)

    I just create an alias for my [email protected]. It’s just easier and I get replies back to a real account.

    Yes, that works fine. However, the WordPress instructions do not tell people to do this; if creating an e-mail address before installing WordPress is the solution (I hope it’s not), they should.

    Then get another anti-spam system.

    As it happens, I’m not complaining about my setup. It works fine for me. I’m complaining on behalf of other people who might not want to replace their anti-spam system just so they can get this message… especially since their anti-spam systems are doing what they’re supposed to (detecting forged sender addresses on a message — in this case, wordpress@<domain_name>).

    Also, how exactly do you check the validity of a sender address? Sender domain is easy to check, but the sender within the domain?

    Many inbound anti-spam systems do this by making a “callback” to the sending server and performing “HELO / MAIL FROM <> / RCPT TO <address> / QUIT” steps, checking that “RCPT TO <address>” works.

    And many outbound mail systems have a list of valid “From” addresses that exist on the system, rejecting others (this is a good way of stopping compromised scripts from spewing spam).

    If it defaults to the user ID of the web server process (such as apache2 or www-data) how is that better than [email protected]?

    It’s far better. The default mail() address on any properly configured system should be a valid address that’s allowed to send mail. wordpress@<domain_name> probably isn’t.

    Again, it’s simply not okay to make up fake e-mail addresses these days. It’s not 1988 any more. Forged e-mail is one of the biggest problems on the Internet, and more and more systems detect and block it in all sorts of ways, both on the outgoing and incoming ends.

    Scripts that send mail should either use the default address or ask the user for a valid address.
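The two checks tigertech describes above (the inbound "callout" of HELO / MAIL FROM:<> / RCPT TO / QUIT, and the outbound list of From addresses that exist on the system), as an added example that is not part of this thread or of WordPress. It is Python against a simulated receiving MTA on localhost; the example.com domain, the mailbox list and the verifier hostname are constructed for the example, and wordpress@example.com is deliberately left out of the list to mirror the situation in the thread.

```python
import smtplib
import socket
import threading
from typing import Dict, Tuple

# Constructed sample data (not from the thread): the mailboxes that really
# exist on the simulated receiving server for example.com. The address
# WordPress makes up, wordpress@example.com, is deliberately NOT listed.
VALID_MAILBOXES = {"admin@example.com", "postmaster@example.com"}


def _addr_in_cmd(line: str) -> str:
    """Pull 'user@host' out of 'RCPT TO:<user@host>' (lower-cased)."""
    start, end = line.find("<"), line.rfind(">")
    if start == -1 or end <= start:
        return ""
    return line[start + 1:end].strip().lower()


def _handle_session(conn: socket.socket) -> None:
    """Minimal fake receiving MTA: just enough SMTP to answer a sender callout.
    It answers 250 to RCPT TO only for mailboxes that exist, 550 otherwise."""
    reader = conn.makefile("rb")

    def reply(text: str) -> None:
        conn.sendall((text + "\r\n").encode("ascii"))

    reply("220 mx.example.com ESMTP (simulated)")
    try:
        while True:
            raw = reader.readline()
            if not raw:
                break  # peer hung up without QUIT
            line = raw.decode("ascii", errors="replace").strip()
            verb = line.split(":", 1)[0].split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                reply("250 mx.example.com")
            elif verb == "MAIL":
                reply("250 2.1.0 OK")  # the null sender <> is accepted
            elif verb == "RCPT":
                if _addr_in_cmd(line) in VALID_MAILBOXES:
                    reply("250 2.1.5 OK")
                else:
                    reply("550 5.1.1 User unknown")
            elif verb == "QUIT":
                reply("221 2.0.0 Bye")
                break
            else:
                reply("502 5.5.2 Command not implemented")
    finally:
        reader.close()
        conn.close()


def start_fake_mx() -> Tuple[str, int]:
    """Start the simulated MTA on an ephemeral localhost port; returns (host, port)."""
    srv = socket.create_server(("127.0.0.1", 0))
    host, port = srv.getsockname()

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_handle_session, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return host, port


def sender_callout_verify(address: str, host: str, port: int, timeout: float = 5.0) -> bool:
    """Inbound-side check from the thread: HELO, MAIL FROM:<>, RCPT TO:<address>, QUIT.
    The null sender marks the probe as a verification, not a delivery. True means the
    remote MTA would accept mail for the address, i.e. the sender address exists."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:  # __exit__ sends QUIT
        smtp.helo("verifier.example.net")                     # assumed verifier hostname
        code, _ = smtp.mail("")                               # smtplib renders "" as <>
        if code != 250:
            return False
        code, _ = smtp.rcpt(address)
        return code == 250


def outbound_sender_allowed(envelope_from: str) -> bool:
    """Outbound-side policy from the thread: a script may only send from an address
    that exists on the system, so a made-up From (or a compromised script) is refused."""
    return envelope_from.strip().lower() in VALID_MAILBOXES


def run_demo() -> Dict[str, bool]:
    """Run both checks against the real and the made-up address."""
    host, port = start_fake_mx()
    return {
        "callout admin@example.com": sender_callout_verify("admin@example.com", host, port),
        "callout wordpress@example.com": sender_callout_verify("wordpress@example.com", host, port),
        "outbound admin@example.com": outbound_sender_allowed("admin@example.com"),
        "outbound wordpress@example.com": outbound_sender_allowed("wordpress@example.com"),
    }


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

The made-up address fails the callout with a 550 on RCPT TO and is refused by the outbound policy, while the real mailbox passes both. One caveat for anyone deploying the inbound side for real: callouts open a connection to the sending domain's MX for every unseen sender, so rate-limit and cache the results, and expect some sites to reject or greylist probes from the null sender.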

    There have been discussions about this before and I expect there will be more later. Basically, whichever way it gets set up can cause problems in certain environments. See this bug trac ticket.

  • The topic ‘WordPress should not send mail from fake “wordpress@” address’ is closed to new replies.