|
|
Posted by Gordon Burditt on 10/13/16 11:19
>Without sending mail, you can check whether the domain has a valid DNS
>entry or even it the server is up and running. It's really hard to check
>whether the domain is registered and it's impossible to check whether a
>mailbox exists: the VRFY SMTP command is disabled for security/privacy
>reasons in many mail servers.
If the domain isn't registered, it won't have a MX record or an A
record in DNS. This is easy to check, and it's done every time a
mail server tries to send mail to determine WHERE to send it. I
also suggest you reject as invalid a MX or A record that points to
a bogus IP address (e.g. 127.0.0.1, or an IP in private address
space).
Try to send a bounce message to that email address.
Look up MX server.
HELO my.host.name
MAIL FROM:<>
RCPT TO:<email@Im.testing>
QUIT
Stop short of actually sending a body. This is what Exim callout
verify does. And note that "VRFY" doesn't appear anywhere in
the conversation. This does have some problems:
(1) FALSE POSITIVE: some servers accept anything during the SMTP
conversation and bounce it later. However, at least you checked
that there IS a server in DNS to send it to. And quite a few
servers do check on the spot.
(2) FALSE NEGATIVE: some servers don't accept bounce messages
(MAIL FROM:<>) at all.
(3) If the server (or various DNS servers) is down at the point you
try the test, you get a temporary failure. Handing back a temporary
failure to a mail server trying to send IN the message (which Exim
callout verify does) is generally not a problem: the sender will
retry. Handing back a temporary failure on a web page is more
likely to be seen as a problem.
>So you can work a lot to create a validation system that offers unreliable
>results or you can write a very simple random code system that works 99% of
>the time*.
The random code system defends against bots, not against people
who enter fake email addresses. How important this is depends
on why you want to check for a valid email address. If the problem
is relay-raping, the random code is a good solution. If you want to
verify that the person can actually RECEIVE email at the address
they gave, sending a confirmation email with a link they need to
click on is fairly effective.[1]
>(*) Some mail servers lose mail due to incorrectly configured antispam
>systems.
And some mail servers lose mail in the spool when the hard disk has
a head crash.
[1] A few anti-spam systems can be configured to effectively click
on every link in every email to filter the web page as though it
were part of the email, looking for, for example, phishing scams.
How many admins actually do this, I don't know. It seems like
a lot of emails with links to unreachable sites would have the effect
of a denial-of-service-attack on the site doing the filtering.
Gordon L. Burditt
Navigation:
[Reply to this message]
|