Security Basics mailing list archives

Re: Verifying E-Mail Addresses

From: Martin Knafve <martin () hmailserver com>
Date: Wed, 25 Oct 2006 01:14:36 +0200

> Mister Dookie wrote:
> Hello list,
>
> Is there a way to verify that an e-mail address
> (e.g."johnsmith () company com") is valid and exists or does not exist
> (is a fake e-mail address) without actually sending a message to that
> address and awaiting the response?


Hello,

Short answer:

Both yes and no. Many SMTP servers does this kind of sender addressvalidation to reduce the amount of spam. You can either write a scriptto do it, or you can buy a piece of software to do it (link below). I'msure there's free code available to do this as well. There's no way todo it 100% safely though.


Long answer:

You cannot do it using POP3 or SMTP. There's no functionality in theseprotocols which can be used for this purpose. Also, there's no way foryou to know what server to connect to. (You could of course ask the userto enter the host and valid log on credentials for his POP3 server sothat you can confirm he exists ;)

Using the SMTP protocol, it can partially be done. The idea is that youshould simply connect to the SMTP server which hosts the email for theuser, and then ask this email server whether the address is correct ornot. Most (?) email servers will be able to tell you if an email addressis correct. But there's also many servers which will tell you that anemail address is correct, even though it is not.

For example, Hotmails SMTP servers will tell you that all addresses on@hotmail.com are valid, even though they aren't. Microsoft.com's SMTPsevers on the other hand will behave the way you want it to, if you askwhether fdsafdas () microsoft com exists, and it does not, Microsoft.com'sSMTP server will tell you the truth...

When a SMTP server validate the sender e-mail address, this is normallywhat happens:


1) The SMTP server receives an email from another SMTP server.

2) The Receiving-SMTP server checks who the email is from, for examplebillg () microsoft com.3) The Receiving-SMTP server does an DNS/MX lookup to determine whichhost manages email for the senders domain (microsoft.com)4) The Receiving-SMTP server connects to microsoft.com's SMTP server(mailb.microsoft.com).5) The Receiving-SMTP tells mailb.microsoft.com that it wants to send anemail to billg () microsoft com.6) If Microsofts's SMTP server says OK, the Receiving-SMTP may assumethat the address is valid. It then disconnects without sending themessage. If mailb.microsoft.com issues an error when you try to send tobillg () microsoft com, you can probably assume that the address is not valid.

A real example. Say you need to confirm that the addressesbillg () microsoft com and billgates () microsoft com are valid. First, do aDNS/MX lookup for the domain microsoft.com:


C:\Documents and Settings\Username>nslookup
> set type=mx
> microsoft.com
Non-authoritative answer:
microsoft.com   MX preference = 10, mail exchanger = mailb.microsoft.com

Then connect to mailb.microsoft.com and ask whether the address exist

C:\Documents and Settings\Username>telnet mailb.microsoft.com 25
RECEIVE: 220 Microsoft ESMTP MAIL Service ready
SEND   : helo mail.myhost.com
RECEIVE: 250 mail02.microsoft.com Hello [216.128.26.134]
SEND   : MAIL FROM: <>
RECEIVE: 250 2.1.0 Sender OK
SEND   : RCPT TO: <billgates () microsoft com>
RECEIVE: 550 5.1.1 User unknown
SEND   : RCPT TO: <billg () microsoft com>
RECEIVE: 250 2.1.5 Recipient OK

You may be able to script the above yourself. But to be able to do this,you need to know pretty good how the SMTP protocol works. (There's abunch of things which may go wrong and it's good to know which theseare). A easier way is probably to use a already existing component for it.


Commercial ones: http://www.componentsource.com/features/xemaila/index.html

BSD-licensed PHP script:http://freshmeat.net/projects/emailaddressvalidationcomponent/

(Note that I haven't tried any of these myself)


Regards,

Martin Knafve
http://hMailServer.com/



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE

The NSA has designated Norwich University a center of Academic Excellencein Information Security. Our program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life.


http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Verifying E-Mail Addresses Mister Dookie (Oct 24)
- Re: Verifying E-Mail Addresses Shane Warner (Oct 25)
  - RE: Verifying E-Mail Addresses Oyesanya, Femi (Oct 25)
- Re: Verifying E-Mail Addresses Jon Hart (Oct 25)
- Re: Verifying E-Mail Addresses Martin Knafve (Oct 25)
- Re: Verifying E-Mail Addresses Saqib Ali (Oct 25)
- Re: Verifying E-Mail Addresses MaddHatter (Oct 25)
- RE: Verifying E-Mail Addresses Roger A. Grimes (Oct 25)
- Re: Verifying E-Mail Addresses Kurtis Miller (Oct 25)
- Re: Verifying E-Mail Addresses nick (Oct 25)
- Re: Verifying E-Mail Addresses Ansgar -59cobalt- Wiechers (Oct 25)
- Re: Verifying E-Mail Addresses Dave Ockwell-Jenner (Oct 25)
- Re: Verifying E-Mail Addresses Robert Inder (Oct 27)
- Re: Verifying E-Mail Addresses Roman Shirokov (Oct 27)
- Re: Verifying E-Mail Addresses Matt Lye (Oct 27)

(Thread continues...)