Re: Verifying E-Mail Addresses

["Hylton Conacher(ZR1HPC)" <hylton () conacher co za>]

Mister Dookie wrote:
> Hello list,
>
> Is there a way to verify that an e-mail address
> (e.g."johnsmith () company com") is valid and exists or does not exist
> (is a fake e-mail address) without actually sending a message to that
> address and awaiting the response?
>
> Here's why this is a security issue. Our company administers a small
> "municipal-type" 802.11 network where for limited open-access the only
> form of ID we require is an e-mail address and a password. We simple
> don't have the resources to send out e-mails and then have
> verification and so forth. We are trying to prevent users from
> entering fake addresses into our system. We want at least a small
> amount of accountability.
>
> We would like to be able to do a quick check, say query an IMAP, POP3,
> or SMTP and check to see if there is actually an account at that
> address without sending a verification e-mail and waiting for users to
> click on a link or get something that bounces back. Does something
> like that exist?
>
> I do recognize that somebody can enter a valid e-mail address that
> does not belong to them, but we are trying to address one issue at a
> time. At this point we are just trying to prevent people who give us
> "dude () dude com" from getting on to our network.
Mister Dookie,

For acountability why do you need to confirm their email address? Why do 
you care about their email address? What does teir email address provide 
you in te form of accountability ie if my email is @hotmail or 
bill@microdoft, does that make me accountable and why?

My only solution would be to issue them, for a fee, a 3 alphanumeric 
character string and obtain their email address from them.

To use the network a user havs to authenticate within a certain time 
using te string you issued to them.

So the user sends an email address on your muni network with the string 
in the messge to authenticate themselves. The received email is verified 
by email address and verification string against the database record you 
have and if OK he is granted access for this session. At the same time 
the users MAC address is retrieved from the machine and added into the 
database against his name. If he needs access again, he will need to 
obtain a fresh alphanumeric character string from you.

You are wondering why I got the MAC address :)

Uses use different PC's and this enables me to keep track of/confirm 
that the user who is entering my network, even with a different 3 
character alphanumeric string, is more than likely te same person who 
used the network earlier. If the same user uses a different PC, te MAC 
address will be different and the network will not allow him access 
until the user telephones and gets the database changed to reflect the 
new MAC address, or set of MAC addresses, he uses.

HTH

Hylton


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------