At 8:32 AM +0300 15/8/02, Pekka Savola wrote:
>On Wed, 14 Aug 2002, Keith Moore wrote:
>> > There must be a secure method that would allow a receiver to verify whether
>> > or not the sender actually exists as a user on the mail server for the
>> > domain the e-mail is coming from.
>>
>> this is already possible. it is not sufficient.
>
>It's possible but it's useless as one can't depend on it: too many MTA's
>are configured to refuse EXPN/VRFY requests if they were implemented in
>the first place.

It'd still be next to useless if everyone did implement it and allow its use - it's not sufficient because checking if the email address is correct won't help you if the header is forged. (A quick check on spam I've received today indicates around 70% has a forged envelope address - and of those around 15% have *my* address as the source.)

Also, in many cases there are security issues (real and imagined) with having an external mail relay machine (as part of a firewall system) know what addresses are and are not valid.