Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: MaddHatter <maddhatt+security-basics () cat pdx edu>
Date: Tue, 24 Oct 2006 19:34:46 -0700
Mister Dookie <misterdookie () gmail com> said (on 2006/10/24):
Is there a way to verify that an e-mail address (e.g. "johnsmith () company com") is valid and exists or does not exist (is a fake e-mail address) without actually sending a message to that address and awaiting the response?
It's a pretty safe bet that any modern email address will have an @ sign, and at least a single '.' in the domain part. A valid email domain must have an MX record or an A record (in DNS). Very little filtering can be done with the username part of the email. (I am particularly annoyed by the proliferation of web forms that refuse to accept +, :, and . as valid characters in email usernames.)

To validate the username, you have to talk to the destination mail server. If that's not possible, you'll have to settle for unvalidated emails.

You can get "pretty good" assurance of valid email by just talking to the destination mail server. Remember SMTP goes something like:

    220 mail.example.com Some banner message
    HELO myhost.example.com
    250 myhost.example.com Nice to meet you
    MAIL FROM:<>
    250 2.1.0 Proceed
    RCPT TO:<testuser () example com>

If at this point the mail server returns 250 2.1.5 (or anything besides 4xx or 5xx really) you have gotten as much assurance as reasonably possible that the email address is valid. If you get a 550 5.1.1 message the email is invalid. Once you get your answer, you can just QUIT and no email is ever sent.

This method is imperfect. Some mail servers refuse to accept MAIL FROM:<> (even though it's in the RFC). Some domain's name server may be nonresponsive (like dude.com appears to be :). The server may have greylisting in effect -- in which case you'll get a 4xx temporary failure error code that doesn't say whether the user is valid or not. Some mail servers return 250 no matter whether the user is valid or not.

The only way to be sure is to send them an email and make them prove they received it -- which, you said, is not possible in this situation.
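An added example, not part of the original post: a small Python classifier that reads a recorded SMTP session like the one above and applies the reply-code rules the message describes, including multi-line replies. The function names, verdict labels, sample sessions and the handling of other 5xx replies as "rejected" are assumptions made for illustration.

```python
import re

# A reply line is a 3-digit code, then '-' (more lines follow) or ' ' (last line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")
# Optional enhanced status code such as 5.1.1 at the start of the reply text.
ENHANCED = re.compile(r"^([245]\.\d{1,3}\.\d{1,3})(?:\s|$)")
# Client command verb: "MAIL FROM:<>" -> "MAIL FROM", "HELO host" -> "HELO".
COMMAND = re.compile(r"^(MAIL FROM|RCPT TO|\S+)", re.I)

def parse_session(transcript):
    """Return {command: (code, enhanced_or_None)} for a recorded SMTP session."""
    replies, command = {}, "BANNER"
    for line in transcript.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = REPLY.match(line)
        if m is None:
            command = COMMAND.match(line).group(1).upper()
        elif m.group(2) == " ":  # only the last line of a multi-line reply counts
            enh = ENHANCED.match(m.group(3))
            replies[command] = (int(m.group(1)), enh.group(1) if enh else None)
    return replies

def classify(transcript):
    """Map a session to 'accepted', 'invalid', 'rejected' or 'indeterminate'."""
    replies = parse_session(transcript)
    mail, rcpt = replies.get("MAIL FROM"), replies.get("RCPT TO")
    if mail and mail[0] >= 400:
        return "indeterminate"  # server refused the null sender MAIL FROM:<>
    if rcpt is None or 400 <= rcpt[0] < 500:
        return "indeterminate"  # no answer, or 4xx (e.g. greylisting)
    if rcpt == (550, "5.1.1"):
        return "invalid"        # the post's "no such user" reply
    if rcpt[0] >= 500:
        return "rejected"       # assumption: other 5xx says nothing sure about the user
    return "accepted"           # not proof: some servers answer 250 for everyone

# Constructed sample sessions (example.com is a reserved documentation domain).
HEAD = """220 mail.example.com Some banner message
HELO myhost.example.com
250 myhost.example.com Nice to meet you
MAIL FROM:<>
250 2.1.0 Proceed
RCPT TO:<testuser@example.com>
"""
ACCEPTED = HEAD + "250 2.1.5 Ok"
NO_USER = HEAD + "550-5.1.1 The email account does not exist\n550 5.1.1 Try again"
GREYLISTED = HEAD + "451 4.7.1 Greylisted, try again later"
```
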