Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: Martin Knafve <martin () hmailserver com>
Date: Wed, 25 Oct 2006 01:14:36 +0200
Mister Dookie wrote:
> Hello list,
>
> Is there a way to verify that an e-mail address
> (e.g."johnsmith () company com") is valid and exists or does not exist
> (is a fake e-mail address) without actually sending a message to that
> address and awaiting the response?

Hello,

Short answer: Both yes and no. Many SMTP servers do this kind of sender address validation to reduce the amount of spam. You can either write a script to do it, or you can buy a piece of software to do it (link below). I'm sure there's free code available to do this as well. There's no way to do it 100% safely though.
Long answer: You cannot do it using POP3 or SMTP. There's no functionality in these protocols which can be used for this purpose. Also, there's no way for you to know what server to connect to. (You could of course ask the user to enter the host and valid log on credentials for his POP3 server so that you can confirm he exists ;)
Using the SMTP protocol, it can partially be done. The idea is that you should simply connect to the SMTP server which hosts the email for the user, and then ask this email server whether the address is correct or not. Most (?) email servers will be able to tell you if an email address is correct. But there are also many servers which will tell you that an email address is correct, even though it is not.
For example, Hotmail's SMTP servers will tell you that all addresses on @hotmail.com are valid, even though they aren't. Microsoft.com's SMTP servers on the other hand will behave the way you want them to: if you ask whether fdsafdas () microsoft com exists, and it does not, Microsoft.com's SMTP server will tell you the truth...
When an SMTP server validates the sender e-mail address, this is normally what happens:

1) The SMTP server receives an email from another SMTP server.
2) The Receiving-SMTP server checks who the email is from, for example billg () microsoft com.
3) The Receiving-SMTP server does a DNS/MX lookup to determine which host manages email for the sender's domain (microsoft.com).
4) The Receiving-SMTP server connects to microsoft.com's SMTP server (mailb.microsoft.com).
5) The Receiving-SMTP tells mailb.microsoft.com that it wants to send an email to billg () microsoft com.
6) If Microsoft's SMTP server says OK, the Receiving-SMTP may assume that the address is valid. It then disconnects without sending the message. If mailb.microsoft.com issues an error when you try to send to billg () microsoft com, you can probably assume that the address is not valid.
A real example. Say you need to confirm that the addresses billg () microsoft com and billgates () microsoft com are valid. First, do a DNS/MX lookup for the domain microsoft.com:
    C:\Documents and Settings\Username>nslookup
    > set type=mx
    > microsoft.com
    Non-authoritative answer:
    microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com

Then connect to mailb.microsoft.com and ask whether the address exists:

    C:\Documents and Settings\Username>telnet mailb.microsoft.com 25
    RECEIVE: 220 Microsoft ESMTP MAIL Service ready
    SEND : helo mail.myhost.com
    RECEIVE: 250 mail02.microsoft.com Hello [216.128.26.134]
    SEND : MAIL FROM: <>
    RECEIVE: 250 2.1.0 Sender OK
    SEND : RCPT TO: <billgates () microsoft com>
    RECEIVE: 550 5.1.1 User unknown
    SEND : RCPT TO: <billg () microsoft com>
    RECEIVE: 250 2.1.5 Recipient OK

You may be able to script the above yourself. But to be able to do this, you need to know pretty well how the SMTP protocol works. (There's a bunch of things which may go wrong and it's good to know which these are). An easier way is probably to use an already existing component for it.
Commercial ones: http://www.componentsource.com/features/xemaila/index.html
BSD-licensed PHP script: http://freshmeat.net/projects/emailaddressvalidationcomponent/
(Note that I haven't tried any of these myself)

Regards,
Martin Knafve
http://hMailServer.com/
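An added example, not part of the original post or of any tool it links to: Python code that reads a session written in the SEND/RECEIVE notation used above and turns each RCPT TO reply into a verdict, going beyond the two replies shown to cover deferrals, policy refusals and the accept-all behaviour the post attributes to Hotmail. The control-address check, the verdict names and the example.com addresses are assumptions made for this illustration.

```python
import re

# Reply: 3-digit code, "-" if a continuation line, optional RFC 3463 enhanced code.
REPLY = re.compile(r"^(\d{3})([ -]?)(?:(\d\.\d{1,3}\.\d{1,3}) )?")
RCPT = re.compile(r"^RCPT TO:\s*<([^>]+)>", re.I)

def classify(code, enhanced):
    """Map one RCPT TO reply to a verdict about the address."""
    if 200 <= code < 300:
        return "accepted"
    if 400 <= code < 500:
        return "deferred"   # greylisting or rate limit: proves nothing
    if enhanced:            # 5.1.x = addressing failure, anything else = policy
        return "rejected" if enhanced.startswith("5.1.") else "refused"
    return "rejected" if code in (550, 553) else "refused"

def verify(transcript, control):
    """Return {address: verdict}; `control` is a mailbox that should not exist."""
    results, pending = {}, None
    for line in transcript.splitlines():
        direction, _, payload = line.partition(":")
        direction, payload = direction.strip().upper(), payload.strip()
        if direction == "SEND":
            m = RCPT.match(payload)
            pending = m.group(1).lower() if m else None
        elif direction == "RECEIVE" and pending:
            m = REPLY.match(payload)
            if m and m.group(2) != "-":   # final line of the reply
                results[pending] = classify(int(m.group(1)), m.group(3))
                pending = None
    # A server that accepts the control address accepts everything,
    # so its 250 replies say nothing about the other addresses.
    accept_all = results.pop(control.lower(), None) == "accepted"
    return {a: "inconclusive" if accept_all and v == "accepted" else v
            for a, v in results.items()}

# Constructed sample session in the post's SEND/RECEIVE notation.
HONEST = """\
SEND : MAIL FROM: <>
RECEIVE: 250 2.1.0 Sender OK
SEND : RCPT TO: <zz-control-7f3a@example.com>
RECEIVE: 550 5.1.1 User unknown
SEND : RCPT TO: <alice@example.com>
RECEIVE: 250 2.1.5 Recipient OK
SEND : RCPT TO: <bob@example.com>
RECEIVE: 451 4.7.1 Greylisted, try again later
SEND : RCPT TO: <carol@example.com>
RECEIVE: 550 5.7.1 Client host blocked
"""
ACCEPT_ALL = HONEST.replace("550 5.1.1 User unknown", "250 2.1.5 Recipient OK")
```

Only a 5.1.x rejection or a 250 from a server that also rejected the control address says anything about the mailbox; every other outcome leaves the question open.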