Security Basics mailing list archives

Re: Verifying E-Mail Addresses


From: MaddHatter <maddhatt+security-basics () cat pdx edu>
Date: Tue, 24 Oct 2006 19:34:46 -0700

Mister Dookie <misterdookie () gmail com> said (on 2006/10/24):
> Is there a way to verify that an e-mail address
> (e.g."johnsmith () company com") is valid and exists or does not exist
> (is a fake e-mail address) without actually sending a message to that
> address and awaiting the response?

It's a pretty safe bet that any modern email address will have an @
sign, and at least a single '.' in the domain part. A valid email domain
must have an MX record or an A record (in DNS).

Very little filtering can be done with the username part of the email. (I
am particularly annoyed by the proliferation of web forms that refuse to
accept +, :, and . as valid characters in email usernames.) To validate
the username, you have to talk to the destination mail server. If that's
not possible, you'll have to settle for unvalidated emails.

You can get "pretty good" assurance of valid email by just talking to
the destination mail server. Remember SMTP goes something like:
        220 mail.example.com Some banner message
        HELO myhost.example.com
        250 myhost.example.com Nice to meet you
        MAIL FROM:<>
        250 2.1.0 Proceed
        RCPT TO:<testuser () example com>

If at this point the mail server returns 250 2.1.5 (or anything besides
4xx or 5xx really) you have gotten as much assurance as reasonably 
possible that the email address is valid. If you get a 550 5.1.1 message
the email is invalid. Once you get your answer, you can just QUIT and no
email is ever sent.

This method is imperfect. Some mail servers refuse to accept MAIL
FROM:<> (even though it's in the RFC). Some domain's name server may
be nonresponsive (like dude.com appears to be :). The server may have
greylisting in effect -- in which case you'll get a 4xx temporary failure
error code that doesn't say whether the user is valid or not. Some mail
servers return 250 no matter whether the user is valid or not. The only
way to be sure is to send them an email and make them prove they received
it -- which, you said, is not possible in this situation.
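Added example, not from the post: a Python driver for the HELO / MAIL FROM:<> / RCPT TO dialog above that maps reply classes onto valid / invalid / unknown and then QUITs without ever sending mail, exercised against a constructed fake server covering the greylisting and null-sender-rejection cases the post mentions. `FakeMailServer`, `probe_address` and the sample addresses are my own assumptions, not anything from the thread.

```python
import re
from typing import Callable, Optional, Tuple
# SMTP reply: 3-digit code, optional enhanced status code (e.g. 2.1.5), free text.
REPLY_RE = re.compile(r"^(\d{3})[ -](?:(\d\.\d{1,3}\.\d{1,3})\s+)?(.*)$")

def parse_reply(line: str) -> Tuple[int, str, str]:
    """Split one reply line into (code, enhanced status or '', text)."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed SMTP reply: {line!r}")
    return int(m.group(1)), m.group(2) or "", m.group(3)

def classify_rcpt(code: int) -> str:
    """Map the RCPT TO reply class onto the three outcomes in the post."""
    if 400 <= code < 500:
        return "unknown"   # 4xx (greylisting etc.) says nothing about the user
    if code >= 500:
        return "invalid"   # 550 5.1.1: no such mailbox
    return "valid"         # 250 2.1.5, or anything else below 4xx

def probe_address(address: str, helo: str, session: Callable[[Optional[str]], str]) -> str:
    """Run HELO / MAIL FROM:<> / RCPT TO over `session`, then QUIT; no DATA is sent."""
    if parse_reply(session(None))[0] != 220:   # None = read the greeting banner
        return "unknown"
    try:
        for cmd in (f"HELO {helo}", "MAIL FROM:<>"):
            if parse_reply(session(cmd))[0] >= 400:
                return "unknown"   # e.g. server refuses the null sender: no verdict
        return classify_rcpt(parse_reply(session(f"RCPT TO:<{address}>"))[0])
    finally:
        session("QUIT")

class FakeMailServer:
    """Constructed stand-in for a destination MTA (not a real host); exercises the edge cases."""
    def __init__(self, users, greylist=False, reject_null_sender=False):
        self.users, self.greylist, self.reject_null = set(users), greylist, reject_null_sender
    def __call__(self, cmd: Optional[str]) -> str:
        if cmd is None:
            return "220 mail.example.com Some banner message"
        verb, _, arg = cmd.partition(" ")
        if verb == "HELO":
            return f"250 {arg} Nice to meet you"
        if verb == "MAIL":
            return "550 5.7.1 Null sender rejected" if self.reject_null else "250 2.1.0 Proceed"
        if verb == "RCPT":
            if self.greylist:
                return "451 4.7.1 Greylisted, try again later"
            return "250 2.1.5 Ok" if arg[4:-1] in self.users else "550 5.1.1 User unknown"
        return "221 2.0.0 Bye" if verb == "QUIT" else "500 5.5.1 Command unrecognized"
```

A catch-all server that answers 250 for every RCPT TO still comes back as "valid" here, which is exactly the limitation the post ends on.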


