> From: Pekka Savola <pekkas@netcore.fi>
> On Wed, 14 Aug 2002, Keith Moore wrote:
>>> There must be a secure method that would allow a receiver to verify whether
>>> or not the sender actually exists as a user on the mail server for the
>>> domain the e-mail is coming from.
>>
>> this is already possible. it is not sufficient.
>
> It's possible but it's useless as one can't depend on it: too many MTA's
> are configured to refuse EXPN/VRFY requests if they were implemented in
> the first place.

That might be why spammers don't use EXPN/VRFY but instead use Rcpt_To to
verify addresses in their lists. If you watch an SMTP server that gets much
spam, you'll see a lot of SMTP transactions aborted after Rcpt_To, even when
the server answered with a 200-series status value.

I don't know which of various other mechanisms Keith Moore meant, but I doubt
he meant EXPN/VRFY requests or Rcpt_to, because all three are wrecked by
common uses of MX secondaries.

Note that "[verifying] whether or not the sender actually exists as a user on
the mail server for the domain the e-mail is coming from" as stated does not
make a lot of sense in the real world. "The mail server" suggests a single
SMTP server per domain, which is often false. "The domain the e-mail is coming
from" suggests that there is something wrong with sending mail from one ISP
with a return address (envelope and header From value) of a mailbox at some
other ISP. "Actually exists as a user" suggests that aliases and forwarding
are not kosher. Then there are the complications of "virtual hosts."

Vernon Schryver vjs@rhyolite.com
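A detector for the pattern described above, sessions whose RCPT TO was answered with a 2xx reply and which were then abandoned without ever sending DATA, run over a constructed server log. This is an added example, not code from the thread; the log line format (session id, client address, direction, text) is an assumption of this example.

```python
import re

# Constructed, simplified SMTP server log (not real traffic): session id,
# client address, direction ('C' = client command, 'S' = server reply), line.
SAMPLE_LOG = """\
s1 198.51.100.7 C MAIL FROM:<bulk@example.net>
s1 198.51.100.7 S 250 OK
s1 198.51.100.7 C RCPT TO:<alice@example.com>
s1 198.51.100.7 S 250 OK
s1 198.51.100.7 C RCPT TO:<bob@example.com>
s1 198.51.100.7 S 550 No such user
s1 198.51.100.7 C QUIT
s2 203.0.113.9 C MAIL FROM:<carol@example.org>
s2 203.0.113.9 S 250 OK
s2 203.0.113.9 C RCPT TO:<alice@example.com>
s2 203.0.113.9 S 250 OK
s2 203.0.113.9 C DATA
s2 203.0.113.9 S 250 Queued
s3 198.51.100.7 C MAIL FROM:<bulk@example.net>
s3 198.51.100.7 S 250 OK
s3 198.51.100.7 C RCPT TO:<dave@example.com>
s3 198.51.100.7 S 250 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([CS]) (.*)$")

def find_rcpt_probes(log_text):
    """Sessions with at least one RCPT TO accepted (2xx) but no DATA: the
    shape of address verification rather than mail delivery."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, client, direction, text = m.groups()
        s = sessions.setdefault(sid, {"client": client, "accepted": 0,
                                      "rejected": 0, "data": False, "last": ""})
        if direction == "C":
            verb = text.split(":", 1)[0].split(" ", 1)[0].upper()
            s["last"] = verb
            s["data"] = s["data"] or verb == "DATA"
        elif s["last"] == "RCPT":
            # First reply line answers RCPT TO; 2xx = server vouched for mailbox.
            s["accepted" if text[:1] == "2" else "rejected"] += 1
            s["last"] = ""
    return {sid: {k: s[k] for k in ("client", "accepted", "rejected")}
            for sid, s in sessions.items()
            if s["accepted"] > 0 and not s["data"]}
```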