On 2022-09-05 13:27, Jaroslaw Rafa via mailop wrote:
> What do you (and maybe other people on the list) think about such email
> verification method ("abusing RCPT TO") used as part of:
>
> a) mail receiving process - I'm thinking here for example about the Postfix
> feature "reject_unverified_recipient" that checks sender's email using this
> method before accepting (or rejecting, if sender's email doesn't verify) the
> message (see http://www.postfix.org/ADDRESS_VERIFICATION_README.html ). Some
> other MTAs have similar features too, there are also milters that do this.

No one should do that; it is too easy to allow an attacker to get your email server blacklisted. And it doesn't work in the real world, for many reasons too numerous to mention.

> b) website registration process - some time ago I was maintaining some
> website where people often mistyped their email addresses. Due to the nature
> of the website the typical "click on confirmation link that arrives via
> email" approach could not be used (the form was a part of an official
> procedure, users had to fill in a lot of personal data, with email being
> only one of many fields, also a lot of people filled the form on dedicated
> machines available in the office that was running the website, where they
> didn't have access to their email - actually, they didn't have access to
> anything except the registration form). So I included the code that did the
> email verification ("abusing RCPT TO") upon form submission, and in case of
> a verification failure, asked the user to correct the address.

This is the only argument that holds any kind of merit, but if you want to REALLY see if the person intended to register, send them a real email, as in confirmed double opt-in, that they have to click on. Otherwise, I can use your email in the web form. It will validate as real, but I should not be using it.

Of course, those types of forms (Signup Email Validation) CAN be used for a script kiddy mail bomb attack. But that is a different problem. Better web form security, and human detection on the form can prevent that.

> Do you think using this method of email verification in such cases is OK or
> not?

--
"Catch the Magic of Linux..."
------------------------------------------------------------------------
Michael Peddemors, President/CEO LinuxMagic Inc.
Visit us at http://www.linuxmagic.com @linuxmagic
A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" a Registered TradeMark of Wizard Tower TechnoServices Ltd.
------------------------------------------------------------------------
604-682-0300 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended
solely for the use of the individual or entity to which they are addressed.
Please note that any views or opinions presented in this email are solely
those of the author and are not intended to represent those of the company.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
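The confirmed double opt-in flow recommended above, written out as an added example (this is not code from the thread, from Postfix, or from any project mentioned here). It keeps only a cheap syntax check at form-submission time, so obvious typos are caught without any SMTP callout, and proves ownership of the address solely through a signed, time-limited confirmation link that the recipient must click. The names `Registrations`, `make_token`, `verify_token`, the key and the base URL are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import re
import time
from typing import Optional
from urllib.parse import urlencode

# Hypothetical key for the example only; a deployment loads a random
# 32-byte key from secret storage and never hard-codes it.
SECRET_KEY = b"example-only-do-not-use-in-production"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # confirmation links expire after a day

# Deliberately loose: the goal is to reject obvious typos (missing '@',
# spaces, no dot in the domain), not to decide whether a mailbox exists.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def syntax_ok(address: str) -> bool:
    """Local plausibility check done at form submission, with no network I/O."""
    return bool(ADDR_RE.match(address)) and len(address) <= 254


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(address: str, secret: bytes, now: Optional[float] = None,
               ttl: int = TOKEN_TTL_SECONDS) -> str:
    """Token = base64url(address) '.' expiry '.' base64url(HMAC-SHA256)."""
    now = time.time() if now is None else now
    expires = int(now) + ttl
    body = f"{_b64e(address.encode())}.{expires}"
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(mac)}"


def verify_token(token: str, secret: bytes,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the confirmed address, or None if the token is forged or expired."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    addr_b64, expires_str, mac_b64 = parts
    body = f"{addr_b64}.{expires_str}"
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    try:
        given = _b64d(mac_b64)
        expires = int(expires_str)
        address = _b64d(addr_b64).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(given, expected):
        return None
    if now > expires:
        return None
    return address


class Registrations:
    """Minimal pending/confirmed store; a real site would persist this."""

    def __init__(self, secret: bytes, confirm_url: str):
        self.secret = secret
        self.confirm_url = confirm_url
        self.pending = {}      # address -> submitted form data
        self.confirmed = set()

    def submit(self, address: str, form_data: dict,
               now: Optional[float] = None) -> Optional[str]:
        """Accept the form and return the link to mail; None means 'fix the address'."""
        if not syntax_ok(address):
            return None
        self.pending[address] = form_data
        token = make_token(address, self.secret, now)
        return f"{self.confirm_url}?{urlencode({'t': token})}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Called when the link is clicked; only then is the address trusted."""
        address = verify_token(token, self.secret, now)
        if address is None or address not in self.pending:
            return False
        self.confirmed.add(address)
        del self.pending[address]
        return True


if __name__ == "__main__":
    reg = Registrations(SECRET_KEY, "https://example.invalid/confirm")
    link = reg.submit("alice@example.com", {"name": "Alice"})  # constructed input
    print("mail this link to the user:", link)
    print("confirmed after click:", reg.confirm(link.split("t=")[1]))
```

Until `confirm()` succeeds, the record stays in `pending`, so someone typing another person's address into the form gains nothing: the data is never treated as that person's registration, and a mistyped address simply never gets confirmed.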