RE: Verifying E-Mail Addresses

["Weir, Jason" <jason.weir () nhrs org>]

Couple of things here, at one time I had my mail server configured to
respond with a  "250 OK - Recipient <EMAILADDRESS>" no matter what email
address was entered, this kept the address harvesters at bay.  So make
sure your not doing that or it will act as every email address is
good... 

Second thing ISP's may not like it but it is exactly what Verizon does.
Every time an email leaves our network for a @verizon.net address, a
Verizon server immediately connects to my incoming SMTP server and does
a rcpt to: <EMAILADDRESS> to verify the address is valid...

Not sure what your setup looks like but I do an LDAP lookup on incoming
emails to verify the address is valid otherwise I disconnect the
session...

If you have AD you can easily script (Perl, PHP, etc) something that
will do the LDAP lookup..

Good luck,
Jason Weir
Systems Administrator
New Hampshire Retirement System



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Krpata, Tyler
Sent: Tuesday, October 24, 2006 6:04 PM
To: Mister Dookie; security-basics () securityfocus com
Subject: RE: Verifying E-Mail Addresses


The SMTP VRFY command is supposed to do this, but most mail servers
disable it due to privacy concerns. There's no other reliable way to do
it. In theory you might be able to write something custom that goes to
the mail server and does a "mail from/rcpt to" and checks the response,
but that may be unreliable and could potentially be frowned upon by the
ISP.

-----Original Message-----
From: Mister Dookie [mailto:misterdookie () gmail com] 
Sent: Tuesday, October 24, 2006 5:03 PM
To: security-basics () securityfocus com
Subject: Verifying E-Mail Addresses

Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith () company com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. Our company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.

We would like to be able to do a quick check, say query an IMAP, POP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?

I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude () dude com" from getting on to our network.

Thanks,
John

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------