On 2022-09-05 at 16:27:13 UTC-0400 (Mon, 5 Sep 2022 22:27:13 +0200)
Jaroslaw Rafa via mailop <r...@rafa.eu.org>
is rumored to have said:
On 5.09.2022 at 22:39:01, Atro Tossavainen via mailop wrote:
So do all the ESPs. But their customers send mail, and the recipients
are able to act upon it, informing the ESP of problem clients and
sometimes even getting traction.
In the case of email verifiers, there is no message, and there is no
email recipient to do the same.
The only people who have any visibility to the efforts of woodpeckers
who abuse SMTP (EXPN and VRFY were disabled and even removed from mail
software for a reason) are grumpy mail server admins who have much less
time than your average spam recipient for this kind of behaviour.
"Email verification" abusing RCPT TO produces zero benefits in exchange
for nonzero resource use for the target system owners.
Regarding the above, I have the following question:
What do you (and maybe other people on the list) think about such an
email verification method ("abusing RCPT TO") used as part of:
a) mail receiving process - I'm thinking here for example about the
Postfix feature "reject_unverified_recipient" that checks sender's email
using this method before accepting (or rejecting, if sender's email
doesn't verify) the message (see
http://www.postfix.org/ADDRESS_VERIFICATION_README.html ). Some other
MTAs have similar features too, there are also milters that do this.
Fine. You're responsible for delivering mail submitted to you, and it is
entirely reasonable to confirm that the entity you are accepting it from
has provided a usable address. What Postfix then does to verify it is
exactly what would be done if a message was simply accepted without
verification.
b) website registration process - some time ago I was maintaining some
website where people often mistyped their email addresses. Due to the
nature of the website the typical "click on confirmation link that
arrives via email" approach could not be used (the form was a part of an
official procedure, users had to fill in a lot of personal data, with
email being only one of many fields, also a lot of people filled the
form on dedicated machines available in the office that was running the
website, where they didn't have access to their email - actually, they
didn't have access to anything except the registration form). So I
included the code that did the email verification ("abusing RCPT TO")
upon form submission, and in case of a verification failure, asked the
user to correct the address.
This is a bit less clear, but I'd say that is fine because you have
every reason to believe that you are acting on behalf of the address
owner, not some 3rd party who may not have acquired the address
legitimately.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
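
Added example, not part of the original message or of anyone's code on this thread: one way a receiving admin could get the "visibility" discussed above, by summarising sessions that issued RCPT TO but never sent a message. It assumes Postfix 3.x smtpd "disconnect" log lines with per-command counts; the sample log lines, the function names and the `min_rcpts` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Postfix 3.x smtpd disconnect logging
# (documentation-range addresses, made-up host names).
SAMPLE_LOG = """\
Sep  5 20:01:02 mx postfix/smtpd[101]: disconnect from mail.example.net[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep  5 20:01:09 mx postfix/smtpd[102]: disconnect from unknown[198.51.100.7] ehlo=1 mail=1 rcpt=1/4 rset=1 quit=1 commands=5/8
Sep  5 20:01:15 mx postfix/smtpd[103]: disconnect from unknown[198.51.100.7] ehlo=1 mail=1 rcpt=0/5 quit=1 commands=3/8
Sep  5 20:02:40 mx postfix/smtpd[104]: disconnect from mx.example.org[203.0.113.25] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
Sep  5 20:03:11 mx postfix/smtpd[105]: disconnect from out.example.com[192.0.2.44] ehlo=2 starttls=1 mail=1 rcpt=2 bdat=1 quit=1 commands=8
"""

# "disconnect from host[addr]" followed by name=accepted or name=accepted/attempted fields
DISCONNECT = re.compile(
    r"disconnect from [^\s\[]+\[([^\]]+)\]((?: \w+=\d+(?:/\d+)?)+)")


def parse_counts(field_text):
    """Return {command: (accepted, attempted)} from text like 'rcpt=1/4 quit=1'."""
    counts = {}
    for name, ok, total in re.findall(r"(\w+)=(\d+)(?:/(\d+))?", field_text):
        counts[name] = (int(ok), int(total or ok))
    return counts


def find_rcpt_probes(log_text, min_rcpts=3):
    """Per client IP, total the sessions that tried RCPT TO but never DATA/BDAT."""
    stats = defaultdict(
        lambda: {"sessions": 0, "rcpt_attempts": 0, "rcpt_rejected": 0})
    for match in DISCONNECT.finditer(log_text):
        client_ip, counts = match.group(1), parse_counts(match.group(2))
        rcpt_ok, rcpt_all = counts.get("rcpt", (0, 0))
        tried_message = "data" in counts or "bdat" in counts
        if rcpt_all == 0 or tried_message:
            continue  # no recipients offered, or a message was actually attempted
        entry = stats[client_ip]
        entry["sessions"] += 1
        entry["rcpt_attempts"] += rcpt_all
        entry["rcpt_rejected"] += rcpt_all - rcpt_ok
    # One rejected recipient followed by QUIT is ordinary; require some volume.
    return {ip: s for ip, s in stats.items() if s["rcpt_attempts"] >= min_rcpts}


if __name__ == "__main__":
    for ip, summary in find_rcpt_probes(SAMPLE_LOG).items():
        print(ip, summary)
```

A sender-address callout from another MTA has the same shape in the log (RCPT TO, then no message), so the output is a list of clients to look at, not a blocklist.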