Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Fri, 17 Nov 2006 14:43:30 -0500
Peter McLarty wrote:
> Ok I am going to add two cents
> What about allowing any address but then testing it for a bounce, if it bounces then it's not valid end of story. Lock the account out. I

First, there's no "account" to lock out. We're talking about dynamically authenticating unknown users at a public access point. If authentication fails users can simply try again, with a different email address. And yes, you could limit this on a per-session or MAC basis, but those things are easy to get around. Especially for the sort of people you're trying to keep out. ;-)

Second, not all invalid mail addresses bounce messages in any sort of time frame that makes this usable. Some bounces take days if your MTA isn't configured otherwise. Or if another MTA isn't configured properly in some scenarios. Not all mail is delivered directly.

> notice Yahoo groups will alert the user if they get an address that is bouncing and it doesn't matter if it is or was a valid account. I guess it all comes down to what it is your business driver is for doing any such thing

Absolutely. It's easy to see the attraction of running a public access point, but if you can't stand the heat of having it abused, stay out of the kitchen. In fact from a legal standpoint it might be disadvantageous to even try to fully lock down such a service depending on where you do business. It sets a precedent that you have to adhere to, while someone who might simply open up a network for public access with only a basic set of automated tools monitoring for bad things wouldn't be held to that same standard.

I say again there's only two real choices here. Authenticate users prior to them connecting by creating an account based on some sort of visual/documented verification of identity like most access points do, or live with the consequences of not. :)

--
Hand crafted on 17 November, 2006 at 14:22:24 EST using only the finest domestic and imported ASCII.

If society fits you comfortably enough, you call it freedom. -- Robert Frost