Security Basics mailing list archives

Re: Verifying E-Mail Addresses


From: "Jeffrey F. Bloss" <jbloss () tampabay rr com>
Date: Fri, 17 Nov 2006 14:43:30 -0500

Peter McLarty wrote:

> Ok
>
> I am going to add two cents
>
> What about allowing any address but then testing it for a bounce, if
> it bounces then it's not valid end of story. Lock the account out. I

First, there's no "account" to lock out. We're talking about dynamically
authenticating unknown users at a public access point. If
authentication fails, users can simply try again with a different email
address. And yes, you could limit this on a per-session or MAC basis,
but those things are easy to get around. Especially for the sort of
people you're trying to keep out. ;-)

Second, not all invalid mail addresses bounce messages in any sort of
time frame that makes this usable. Some bounces take days if your MTA
isn't configured otherwise. Or if another MTA isn't configured properly
in some scenarios. Not all mail is delivered directly.

> Notice Yahoo groups will alert the user if they get an address that
> is bouncing and it doesn't matter if it is or was a valid account.
>
> I guess it all comes down to what your business driver is for
> doing any such thing

Absolutely. It's easy to see the attraction of running a public access
point, but if you can't stand the heat of having it abused, stay out
of the kitchen. In fact, from a legal standpoint it might be
disadvantageous to even try to fully lock down such a service,
depending on where you do business. It sets a precedent that you have
to adhere to, while someone who simply opens up a network for
public access with only a basic set of automated tools monitoring for
bad things wouldn't be held to that same standard.

I say again, there are only two real choices here. Authenticate users
prior to them connecting by creating an account based on some sort of
visual/documented verification of identity like most access points do,
or live with the consequences of not. :)

-- 
Hand crafted on 17 November, 2006 at 14:22:24 EST using
only the finest domestic and imported ASCII.

If society fits you comfortably enough, you call it freedom.

                                             -- Robert Frost
