On 6/27/25 10:57 AM, Support 3Hound via mailop wrote:
> I reply to this message but consider this as an answer to many of the last
> replies.
>
> You are totally off topic; you are so used to dealing with online fraud that
> you are finding it even where there isn't any.
> I'm just searching for improved checks to help correct data entry.

You might be doing it for legitimate reasons, but there are plenty of scenarios
where that can be abused, and for most of us on this list, it's literally our
job to think about those, and make sure they don't happen.


> Anyway, just to be clear:
> 1) the physical address is where the selling agent (employee of our customer)
> goes to get the signed contract, so it is already verified; it also gets verified
> against the national energy hub database during our flow
> 2) the phone number is the number that the end-user left to be contacted for an
> appointment, so it's already verified
> 3) the e-mail address is taken with all the other user data from the paper contract
> (to be specific it's a contract proposal)
> 4) people ask for this service and wait for the agent at their home; they give ID
> document copies and personal data, so they don't insert
> [email protected] or mailinator
> addresses; there is a person there who checks (at his best) that the e-mail address
> is written correctly, that the domain is not @google.com and that the person takes the
> address from a trustable source (e.g. their device login, or the old energy invoice).
> 5) the only very rare cases when the e-mail was wrong were due to a typo by the
> employee

> About the fact that we (actually our customer) should not accept a selling
> agreement... Every energy company that pays money to its dealers in order
> to get new customers asks them not to contact their new customers.
> Commercially that's a way to protect their new customers and their investment,
> but it's also involved with an on-boarding flow that must follow specific
> steps, regulations/laws, an ethics code, avoiding boring the new customer.
> I haven't any knowledge of that flow but I think the digital signing procedure
> link is one of the first steps and needs to be sent by e-mail.
> So if the user is not the correct one or the address is not right it comes to
> their attention very soon.
>
> So, before saying we sign bad agreements, that we need to be blocked, GDPR is not
> working etc.,
> consider that there isn't any abuse and we are just asking in order to make the
> right decision.
> The recipient verification is clearly not an accepted way so we are not going
> to do it.
> In these 2 days we developed a misspelled-domains blocklist, creating a database
> mixing various misspelled lists found on the net.
> Again it doesn't reach 100% but it helps.

> Let me just say that almost all agreed with domain and MX checking because it
> may avoid errors.
> But a typo may also be in the domain, and the wrong domain may exist and may have
> an MX, so
> there's NO difference at all in checking domain, MX or the recipient: none of
> these checks gives a 0% error result but any of them may help to get closer to
> it.
>
> Recipients are not possible to check because other people/companies used it in a
> wrong way and the VRFY command is often disabled.
> RCPT TO is not accepted and blocked by many operators.
> Ok, message received!
> But remember we are not trying to spam, spoof or defraud anyone.

Again, you might be doing it for legitimate reasons, but when all we have is a
HELO (greeting from the sending server), a MAIL FROM address and a RCPT
TO address, how are we supposed to tell the difference between whether it's
someone doing it for a legitimate reason, like you, or PhishingSender#7248
checking which addresses they can send phishing to? Unfortunately, mind-reading
someone's intentions is yet to be implemented in the SMTP flow.
The world is filled with examples where we as the human race can't have nice
things because some bad ones exist. This is unfortunately one of those
scenarios. If bad people didn't exist and wouldn't abuse it, we MIGHT be able
to allow it, but that is unfortunately not the reality we live in, as much as I
wish it was.
Maybe in that reality I'd actually be able to do something productive, instead
of just playing whack-a-mail all the time. One can dream, right? :P


> Thank you all,
> Have a nice weekend ;-)
>
> On 27/06/2025 06:36, Jay Hennigan via mailop wrote:
>> On 6/26/25 10:49, Support 3Hound via mailop wrote:
>>
>>> Our customer is actually testing the captainverify.com service (even if we
>>> suggested not to trust this kind of service).
>>> May it (or something similar) be a right/trustable way?
>>
>> Absolutely not. It might for some degree of accuracy be able to tell if an
>> address exists. It will have zero reliability in determining that said address
>> belongs to the entity providing the address.
>>
>>> Let me quickly reply to the answers I got:
>>> Yes, we are in the EU and yes, I confirm that the "legal" situation is clear; in
>>> detail:
>>> Data owner: Big electrical company (nominates both our customer and us as "External
>>> Data Processor")
>>> We must follow their instructions present in the agreement: verify the
>>> correctness of the data AND NOT contact the end user.
>>
>> This is impossible. Anyone can put "[email protected]"
>> or "<anything>@mailinator.com" on a form. Both of those exist and are deliverable, but neither
>> will verify the correctness of the data or associate the email address to an individual.
>>
>> OK, the first one will, but it's doubtful that the individual will be the one
>> filling out your form.
>>
>>> Contacting a mail provider in order to verify the correctness of the data is
>>> within the purpose of the agreement and of the data treatment, so it's not a violation.
>>
>> Most mail providers won't be interested in assisting you in this. In fact, most
>> will be vehemently against it.
>>
>>> Contacting the end-user is a violation of both the agreement and privacy.
>>
>> Then you need to revise your agreement to allow a single verification email to
>> actually be delivered, because your agreement as written simply can't be done.
>>
>>> I never said we want to check in any "hidden/anonymous" way, I don't know why
>>> someone figured it out
>>
>> Then do it in an open, public way. If you want to confirm their email address,
>> send them an email. That's how it's done.
>>
>>> It should be a manual process: during the day contracts come to the office and
>>> an employee manually inserts data; she should click a specific button in order
>>> to check, no batch process.
>>
>> Even if VRFY or some other method worked, the only thing you've accomplished is
>> to show that the address put on the form exists. You have absolutely zero
>> assurance that the address is in any way related to the person filling out the
>> form.
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop

Kind regards,
Martin Flygenring
Systems Engineer
group.one
Carlsgatan 3 | 211 20 Malmö | Sweden

group.one<https://www.group.one> | 
LinkedIn<https://www.linkedin.com/company/group-dot-one/>
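What the thread converged on, as an added example that is not code from the thread, from 3Hound or from group.one: check the address syntax, catch misspelled domains with a blocklist plus an edit-distance test against well-known providers (so a typo domain that exists and even has an MX is still flagged), check that the domain publishes an MX, and never probe the recipient (no VRFY, no RCPT TO). The known-domain list, the typo blocklist, the sample addresses and the injected `has_mx` resolver are constructed assumptions; in production `has_mx` would wrap a real DNS MX lookup.

```python
import re
from typing import Callable, Optional, Tuple

# Domains most often seen at data entry (constructed, hypothetical list).
KNOWN_DOMAINS = ["gmail.com", "outlook.com", "libero.it", "yahoo.com"]
# Typo-domain blocklist mapping misspelling -> intended domain (constructed).
TYPO_BLOCKLIST = {"gmial.com": "gmail.com", "hotmial.com": "hotmail.com"}

_LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]+$")
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def check_address(addr: str, has_mx: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
    """Classify an address typed from a paper contract; never probes the recipient.
    Returns (verdict, hint): verdict is 'ok', 'syntax', 'typo' or 'nomx';
    hint is the probable intended domain for 'typo'. has_mx(domain) is
    injected so the check runs offline; in production wrap a real MX lookup.
    """
    local, sep, domain = addr.strip().rpartition("@")
    domain = domain.lower()
    if not sep or not _LOCAL_RE.match(local) or not _DOMAIN_RE.match(domain):
        return "syntax", None
    if domain in TYPO_BLOCKLIST:
        return "typo", TYPO_BLOCKLIST[domain]
    if domain not in KNOWN_DOMAINS:
        # One edit away from a well-known provider is almost always a typo,
        # even when the misspelled domain exists and publishes an MX.
        for known in KNOWN_DOMAINS:
            if edit_distance(domain, known) == 1:
                return "typo", known
    if not has_mx(domain):
        return "nomx", None
    return "ok", None
```

A 'typo' verdict is a prompt for the clerk to re-read the paper form, not a rejection; a 'nomx' verdict catches the case the thread describes where the misspelled domain does not exist at all.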