Re: Verifying E-Mail Addresses

Mister Dookie wrote:
Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith@xxxxxxxxxxx") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. Our company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.

We would like to be able to do a quick check, say query an IMAP, POP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?

I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude@xxxxxxxx" from getting on to our network.

Thanks,
John

Verifying the @domain.tld part wouldn't be too difficult, you could just do a simple dns lookup and see if there is an MX record for that domain, so no email necessary for that. To see if what comes before the @ exists though, you need to make an smtp connection to the mailserver, and see if it will accept a to: for that particular address (which isn't always a guarantee, if the mail server has a catchall), you could even drop the connection after getting a confermation from the server (though you might annoy a few sysadmins).

The easiest solution would be to send an email though, IMHO.

Nick


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Relevant Pages

  • Re: Verifying E-Mail Addresses
    ... (is a fake e-mail address) ... the mail bounces the address was invalid, else the owner of the ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence ...
    (Security-Basics)
  • Verifying E-Mail Addresses
    ... (is a fake e-mail address) ... amount of accountability. ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence in Information Security. ...
    (Security-Basics)
  • Re: Verifying E-Mail Addresses
    ... (is a fake e-mail address) ... EXPN (i.e. VRFY username) and look for the answer. ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence ...
    (Security-Basics)
  • Re: Verifying E-Mail Addresses
    ... The "best-effort" I can think of is to verify that the domain part is correctly configured for e-mail in DNS. ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence in Information Security. ...
    (Security-Basics)
  • Re: Verifying E-Mail Addresses
    ... The security issue would be if one could verify 3rd party email addresses. ... EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE ... The NSA has designated Norwich University a center of Academic Excellence ...
    (Security-Basics)