Re: Verifying E-Mail Addresses

[Kurtis Miller <kurtis () kurtismiller com>]

Mister Dookie,

To answer your question, there are a couple different ways you can 
attempt to verify an email address. If you look at some old 
vulnerabilities in email systems, when enumerating users and accounts, 
you will find that the SMTP protocol supports a 'VRFY' command. This 
command allows you to check the respective mail server (probably 
indicated by the MX record of the domain) for the queried account. You 
will receive an 'OK' if the address checks out. Several SMTP 
implementations now prevent this type of activity and/or limit it to 
authenticated users.

Another method could be to check the domain portion of the email address 
to determine whether or not it is valid. You can do this by doing a 
WHOIS on the domain portion of the email address and checking the 
contacts listed (technical contact, administrative contact, etc). If the 
domain portion of the email addresses listed in the contact information 
for the domain match the domain portion of the address you have, accept 
it as most likely being valid. This could be scripted simply on any *nix 
machine and wouldn't be a legal issue concerning the information is 
public domain. Granted, you may lose some addresses because of 
information hiding services that provide contact information proxying 
for domains but I would bet that almost every address that checks out 
would be valid.

HTH.

-K

Mister Dookie wrote:
> Hello list,
>
> Is there a way to verify that an e-mail address
> (e.g."johnsmith () company com") is valid and exists or does not exist
> (is a fake e-mail address) without actually sending a message to that
> address and awaiting the response?
>
> Here's why this is a security issue. Our company administers a small
> "municipal-type" 802.11 network where for limited open-access the only
> form of ID we require is an e-mail address and a password. We simple
> don't have the resources to send out e-mails and then have
> verification and so forth. We are trying to prevent users from
> entering fake addresses into our system. We want at least a small
> amount of accountability.
>
> We would like to be able to do a quick check, say query an IMAP, POP3,
> or SMTP and check to see if there is actually an account at that
> address without sending a verification e-mail and waiting for users to
> click on a link or get something that bounces back. Does something
> like that exist?
>
> I do recognize that somebody can enter a valid e-mail address that
> does not belong to them, but we are trying to address one issue at a
> time. At this point we are just trying to prevent people who give us
> "dude () dude com" from getting on to our network.
>
> Thanks,
> John
>
> --------------------------------------------------------------------------- 
>
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic 
> Excellence in Information Security. Our program offers unparalleled 
> Infosec management education and the case study affords you unmatched 
> consulting experience. Using interactive e-Learning technology, you 
> can earn this esteemed degree, without disrupting your career or home 
> life.
>
> http://www.msia.norwich.edu/secfocus
> --------------------------------------------------------------------------- 

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------