Hello list,
Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?
Here's why this is a security issue. company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.
We would like to be able to do a quick check, say query an IMAP, PP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?
I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude (AT) dude (DOT) com" from getting on to our network.
Thanks,
John
This list is sponsored by: Norwich University
EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Tue, 24, 2006 at 05:02:32PM -0400, Mister Dookie wrote:
Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

At least with SMTP, there is the VRFY command. However, this is
oftentimes turned off or configured to always return true. Worth
a shot, however.

For example, with postfix's disable_vrfy_command turned off:

$ telnet spoofed.org 25
Trying a.b.c.d
Connected to spoofed.org.
Escape character is '^]'.
220 mail.spoofed.org ESMTP
vrfy root
252 2.0.0 root
vrfy warchild
252 2.0.0 warchild
vrfy blahblah
550 5.1.1 <blahblah>: Recipient address rejected: User unknown in local
recipient table
-jon

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Mister Dookie wrote:
Hello list,
>
Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Hello,

Short answer:
Both yes and no. Many SMTP servers does this kind of sender address
validation to reduce the amount of spam. You can either write a script
to do it, or you can buy a piece of software to do it (link below). I'm
sure there's free code available to do this as well. There's no way to
do it 100% safely though.

Long answer:
You cannot do it using PP3 or SMTP. There's no functionality in these
protocols which can be used for this purpose. Also, there's no way for
you to know what server to connect to. (You could of course ask the user
to enter the host and valid log on credentials for his PP3 server so
that you can confirm he exists ;)

Using the SMTP protocol, it can partially be done. The idea is that you
should simply connect to the SMTP server which hosts the email for the
user, and then ask this email server whether the address is correct or
not. Most (?) email servers will be able to tell you if an email address
is correct. But there's also many servers which will tell you that an
email address is correct, even though it is not.

For example, Hotmails SMTP servers will tell you that all addresses on
@hotmail.com are valid, even though they aren't. Microsoft.com's SMTP
severs on the other hand will behave the way you want it to, if you ask
whether fdsafdas (AT) microsoft (DOT) com exists, and it does not, Microsoft.com's
SMTP server will tell you the truth

When a SMTP server validate the sender e-mail address, this is normally
what happens:

1) The SMTP server receives an email from another SMTP server.
2) The Receiving-SMTP server checks who the email is from, for example
billg (AT) microsoft (DOT) com.
3) The Receiving-SMTP server does an DNS/MX lookup to determine which
host manages email for the senders domain (microsoft.com)
4) The Receiving-SMTP server connects to microsoft.com's SMTP server
(mailb.microsoft.com).
5) The Receiving-SMTP tells mailb.microsoft.com that it wants to send an
email to billg (AT) microsoft (DOT) com.
6) If Microsofts's SMTP server says K, the Receiving-SMTP may assume
that the address is valid. It then disconnects without sending the
message. If mailb.microsoft.com issues an error when you try to send to
billg (AT) microsoft (DOT) com, you can probably assume that the address is not valid.

A real example. Say you need to confirm that the addresses
billg (AT) microsoft (DOT) com and billgates (AT) microsoft (DOT) com are valid. First, do a
DNS/MX lookup for the domain microsoft.com:

C:\Documents and Settings\Username>nslookup
set type=mx
microsoft.com
Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = mailb.microsoft.com

Then connect to mailb.microsoft.com and ask whether the address exist

C:\Documents and Settings\Username>telnet mailb.microsoft.com 25
RECEIVE: 220 Microsoft ESMTP MAIL Service ready
SEND : helo mail.myhost.com
RECEIVE: 250 mail02.microsoft.com Hello [216.128.26.134]
SEND : MAIL FRM: <>
RECEIVE: 250 2.1.0 Sender K
SEND : RCPT T: <billgates (AT) microsoft (DOT) com>
RECEIVE: 550 5.1.1 User unknown
SEND : RCPT T: <billg (AT) microsoft (DOT) com>
RECEIVE: 250 2.1.5 Recipient K

You may be able to script the above yourself. But to be able to do this,
you need to know pretty good how the SMTP protocol works. (There's a
bunch of things which may go wrong and it's good to know which these
are). A easier way is probably to use a already existing component for it.

Commercial ones:
BSD-licensed PHP script:

(Note that I haven't tried any of these myself)

Regards,

Martin Knafve
http://hMailServer.com/

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Mister Dookie <misterdookie (AT) gmail (DOT) comsaid (on 2006/10/24):
>Is there a way to verify that an e-mail address
>(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
>(is a fake e-mail address) without actually sending a message to that
>address and awaiting the response?

It's a pretty safe bet that any modern email addresses will have an @
sign, and at least a single '.' in the domain part. A valid email domain
must have an MX record or an A record (in DNS).

Very little filtering can be done with the username part of the email. (I
am particularly annoyed by the proliferation of web forms that refuse to
accept +, :, and . as a valid characters in email usernames.) To validate
the username, you have to talk to the destination mail server. If that's
not possible, you'll have to settle for unvalidated emails.

You can get "pretty good" assurance of valid email by just talking to
the destination mail server. Remember SMTP goes something like:
220 mail.example.com Some banner message
HEL myhost.example.com
250 myhost.example.com Nice to meet you
MAIL FRM:<>
250 2.1.0 Proceed
RCPT T:<testuser (AT) example (DOT) com>

If at this point the mail server returns 250 2.1.5 (or anything besides
4xx or 5xx really) you have gotten as much assurance as reasonably
possible that the email address is valid. If you get a 550 5.1.1 message
the email is invalid. you get your answer, you can just QUIT and no
email is ever sent.

This method is imperfect. Some mail servers refuse to accept MAIL
FRM:<(even though it's in the RFC). Some domain's name server may
be nonresponsive (like dude.com appears to be :). The server may have
greylisting in effect -- in which case you'll get a 4xx temporary failure
error code that doesn't say whether the user is valid or not. Some mail
servers return 250 no matter whether the user is valid or not. The only
way to be sure is to send them an email and make them prove they received
it -- which you said, is not possible in this situation.

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Mister Dookie,

To answer your question, there are a couple different ways you can
attempt to verify an email address. If you look at some old
vulnerabilities in email systems, when enumerating users and accounts,
you will find that the SMTP protocol supports a 'VRFY' command. This
command allows you to check the respective mail server (probably
indicated by the MX record of the domain) for the queried account. You
will receive an 'K' if the address checks out. Several SMTP
implementations now prevent this type of activity and/or limit it to
authenticated users.

Another method could be to check the domain portion of the email address
to determine whether or not it is valid. You can do this by doing a
WHIS on the domain portion of the email address and checking the
contacts listed (technical contact, administrative contact, etc). If the
domain portion of the email addresses listed in the contact information
for the domain match the domain portion of the address you have, accept
it as most likely being valid. This could be scripted simply on any *nix
machine and wouldn't be a legal issue concerning the information is
public domain. Granted, you may lose some addresses because of
information hiding services that provide contact information proxying
for domains but I would bet that almost every address that checks out
would be valid.

HTH.
-K

Mister Dookie wrote:
Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.

We would like to be able to do a quick check, say query an IMAP, PP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?

I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude (AT) dude (DOT) com" from getting on to our network.

Thanks,
John

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic
Excellence in Information Security. program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home
life.


>
>
>

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Mister Dookie wrote:
Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.

We would like to be able to do a quick check, say query an IMAP, PP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?

I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude (AT) dude (DOT) com" from getting on to our network.

Thanks,
John

Verifying the @domain.tld part wouldn't be too difficult, you could just
do a simple dns lookup and see if there is an MX record for that domain,
so no email necessary for that. To see if what comes before the @ exists
though, you need to make an smtp connection to the mailserver, and see
if it will accept a to: for that particular address (which isn't always
a guarantee, if the mail server has a catchall), you could even drop the
connection after getting a confermation from the server (though you
might annoy a few sysadmins).

The easiest solution would be to send an email though, IMH

Nick

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Just a thought 'Reilly have a book "Building wireless community
Networks" and in it they discuss a captive portal system.
When someone connects to the wireless system they are directed to a
Log-in page. I would think you could modify the system to show a code in
a graphic image (like you see when applying for a hotmail account) and
require them to send an email with this code to you before allowing
access to the Internet. This could be automated so you would not need to
validate each user individually.
You would need to allow them to send one email before the system blocks
them.

The system in the book is called NoCatAuth and the web address in the
book is http://nocat.net the book is dated Jan 2002 and was written by
Rob Flickenger and the ISBN is 0-596-00204-1.

Andrew

Please note that all emails sent to the prime_dreamer address will NT
be read just deleted, Reply to the list and I will see it.

Tue, 2006-10-24 at 17:02 -0400, Mister Dookie wrote:
Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.

We would like to be able to do a quick check, say query an IMAP, PP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?

I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude (AT) dude (DOT) com" from getting on to our network.

Thanks,
John

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

Mister Dookie wrote:
Hello list,

Is there a way to verify that an e-mail address
(e.g."johnsmith (AT) company (DOT) com") is valid and exists or does not exist
(is a fake e-mail address) without actually sending a message to that
address and awaiting the response?

Here's why this is a security issue. company administers a small
"municipal-type" 802.11 network where for limited open-access the only
form of ID we require is an e-mail address and a password. We simple
don't have the resources to send out e-mails and then have
verification and so forth. We are trying to prevent users from
entering fake addresses into our system. We want at least a small
amount of accountability.

We would like to be able to do a quick check, say query an IMAP, PP3,
or SMTP and check to see if there is actually an account at that
address without sending a verification e-mail and waiting for users to
click on a link or get something that bounces back. Does something
like that exist?

I do recognize that somebody can enter a valid e-mail address that
does not belong to them, but we are trying to address one issue at a
time. At this point we are just trying to prevent people who give us
"dude (AT) dude (DOT) com" from getting on to our network.
Mister Dookie,

For acountability why do you need to confirm their email address? Why do
you care about their email address? What does teir email address provide
you in te form of accountability ie if my email is @hotmail or
bill@microdoft, does that make me accountable and why?

My only solution would be to issue them, for a fee, a 3 alphanumeric
character string and obtain their email address from them.

To use the network a user havs to authenticate within a certain time
using te string you issued to them.

So the user sends an email address on your muni network with the string
in the messge to authenticate themselves. The received email is verified
by email address and verification string against the database record you
have and if K he is granted access for this session. At the same time
the users MAC address is retrieved from the machine and added into the
database against his name. If he needs access again, he will need to
obtain a fresh alphanumeric character string from you.

You are wondering why I got the MAC address :)

Uses use different PC's and this enables me to keep track of/confirm
that the user who is entering my network, even with a different 3
character alphanumeric string, is more than likely te same person who
used the network earlier. If the same user uses a different PC, te MAC
address will be different and the network will not allow him access
until the user telephones and gets the database changed to reflect the
new MAC address, or set of MAC addresses, he uses.

HTH

Hylton

This list is sponsored by: Norwich University

EARN A MASTER F SCIENCE IN INFRMATIN ASSURANCE - NLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.