RE: Verifying E-Mail Addresses

From: "Roger A. Grimes" <roger@xxxxxxxxxxxxxx>
Date: Tue, 24 Oct 2006 19:53:11 -0400

Well, there are a few ways.

If you use Windows Server 2003, you can make the user's Universal
Principal Name (UPN) suffix match the user's email domain name (which is
often the default anyway). If they then log in using their Windows logon
UPN Name (e.g. user@xxxxxxxxxx), Windows will automatically valid the
UPN name for you (and hence, what appears to be the email address to
most people).

Or if you're not using a Windows logon, but you can script or program
behind the scene, you can query the SMTP server using the VRY or EXP
command. You have to send a HELO or EHLO first, but then you can use the
VRY or EXP command to verify that the email name is valid. SMTP will
return a success or failure message, which you can capture with your
script and return into the logon function.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Mister Dookie
Sent: Tuesday, October 24, 2006 5:03 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Verifying E-Mail Addresses

Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith@xxxxxxxxxxx") is valid and exists or does not exist (is
a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. Our company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have verification
and so forth. We are trying to prevent users from entering fake
addresses into our system. We want at least a small amount of
accountability.

We would like to be able to do a quick check, say query an IMAP, POP3,
or SMTP and check to see if there is actually an account at that address
without sending a verification e-mail and waiting for users to click on
a link or get something that bounces back. Does something like that
exist?

I do recognize that somebody can enter a valid e-mail address that does
not belong to them, but we are trying to address one issue at a time. At
this point we are just trying to prevent people who give us
"dude@xxxxxxxx" from getting on to our network.

Thanks,
John

------------------------------------------------------------------------
---
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has
designated Norwich University a center of Academic Excellence in
Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting
experience.
Using interactive e-Learning technology, you can earn this esteemed
degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

References:
- Verifying E-Mail Addresses
  - From: Mister Dookie

Prev by Date: Sandboxie
Next by Date: Risk Assessment Basics
Previous by thread: Re: Verifying E-Mail Addresses
Next by thread: Re: Verifying E-Mail Addresses
Index(es):
- Date
- Thread

Relevant Pages

Thank you
... >we have one AD which has only one DC running windows 2000 Server Domain ... but the AD Domains and trusts object above it. ... You will see the UPN ...
(microsoft.public.exchange.setup)
Re: Please help - Renaming Domain Name.
... >we have one AD which has only one DC running windows 2000 Server Domain Name ... but the AD Domains and trusts object above it. ... You will see the UPN ...
(microsoft.public.exchange.setup)
SecurityFocus Microsoft Newsletter #154
... MICROSOFT VULNERABILITY SUMMARY ... ISS RealSecure Server Sensor SSL Denial Of Service Vulnerabi... ... Roger Wilco Remote Server Side Buffer Overrun Vulnerability ... available for Microsoft Windows operating systems. ...
(Focus-Microsoft)
SecurityFocus Microsoft Newsletter #49
... Subject: SecurityFocus Microsoft Newsletter #49 ... Microsoft Windows NNTP Denial of Service Vulnerability ... Microsoft IIS SSI Buffer Overrun Privelege Elevation Vulnerability ... Microsoft ISA Server H.323 Memory Leak Denial of Service... ...
(Focus-Microsoft)
Questions Relating to Administering Windows 2000 Server
... installed the network client on the target computer. ... Sarah has been attempting to install Windows 2000 ... Server for two days. ... Sarah has checked the cables and hard drives. ...
(microsoft.public.cert.exam.mcse)