Security Basics mailing list archives
Re: Verifying E-Mail Addresses
From: Kurtis Miller <kurtis () kurtismiller com>
Date: Tue, 24 Oct 2006 20:21:12 -0500
Mister Dookie,To answer your question, there are a couple different ways you can attempt to verify an email address. If you look at some old vulnerabilities in email systems, when enumerating users and accounts, you will find that the SMTP protocol supports a 'VRFY' command. This command allows you to check the respective mail server (probably indicated by the MX record of the domain) for the queried account. You will receive an 'OK' if the address checks out. Several SMTP implementations now prevent this type of activity and/or limit it to authenticated users.
Another method could be to check the domain portion of the email address to determine whether or not it is valid. You can do this by doing a WHOIS on the domain portion of the email address and checking the contacts listed (technical contact, administrative contact, etc). If the domain portion of the email addresses listed in the contact information for the domain match the domain portion of the address you have, accept it as most likely being valid. This could be scripted simply on any *nix machine and wouldn't be a legal issue concerning the information is public domain. Granted, you may lose some addresses because of information hiding services that provide contact information proxying for domains but I would bet that almost every address that checks out would be valid.
HTH. -K Mister Dookie wrote:
Hello list, Is there a way to verify that an e-mail address (e.g."johnsmith () company com") is valid and exists or does not exist (is a fake e-mail address) without actually sending a message to that address and awaiting the response? Here's why this is a security issue. Our company administers a small "municipal-type" 802.11 network where for limited open-access the only form of ID we require is an e-mail address and a password. We simple don't have the resources to send out e-mails and then have verification and so forth. We are trying to prevent users from entering fake addresses into our system. We want at least a small amount of accountability. We would like to be able to do a quick check, say query an IMAP, POP3, or SMTP and check to see if there is actually an account at that address without sending a verification e-mail and waiting for users to click on a link or get something that bounces back. Does something like that exist? I do recognize that somebody can enter a valid e-mail address that does not belong to them, but we are trying to address one issue at a time. At this point we are just trying to prevent people who give us "dude () dude com" from getting on to our network. Thanks, John---------------------------------------------------------------------------This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.http://www.msia.norwich.edu/secfocus---------------------------------------------------------------------------
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Verifying E-Mail Addresses Mister Dookie (Oct 24)
- Re: Verifying E-Mail Addresses Shane Warner (Oct 25)
- RE: Verifying E-Mail Addresses Oyesanya, Femi (Oct 25)
- Re: Verifying E-Mail Addresses Jon Hart (Oct 25)
- Re: Verifying E-Mail Addresses Martin Knafve (Oct 25)
- Re: Verifying E-Mail Addresses Saqib Ali (Oct 25)
- Re: Verifying E-Mail Addresses MaddHatter (Oct 25)
- RE: Verifying E-Mail Addresses Roger A. Grimes (Oct 25)
- Re: Verifying E-Mail Addresses Kurtis Miller (Oct 25)
- Re: Verifying E-Mail Addresses nick (Oct 25)
- Re: Verifying E-Mail Addresses Ansgar -59cobalt- Wiechers (Oct 25)
- Re: Verifying E-Mail Addresses Dave Ockwell-Jenner (Oct 25)
- Re: Verifying E-Mail Addresses Robert Inder (Oct 27)
- Re: Verifying E-Mail Addresses Roman Shirokov (Oct 27)
- Re: Verifying E-Mail Addresses Matt Lye (Oct 27)
- <Possible follow-ups>
- RE: Verifying E-Mail Addresses Krpata, Tyler (Oct 25)
- RE: Verifying E-Mail Addresses Jimmie Jones (Oct 25)
- RE: Verifying E-Mail Addresses Weir, Jason (Oct 25)
- Re: Verifying E-Mail Addresses kenneth_z (Oct 25)
(Thread continues...)
- Re: Verifying E-Mail Addresses Shane Warner (Oct 25)