> That might be why spammers don't use EXPN/VRFY but instead use Rcpt_To
> to verify addresses in their lists. If you watch an SMTP server that
> gets much spam, you'll see a lot of SMTP transactions aborted after
> Rcpt_To, even when the server answered with a 200-series status value.

there's no way to know whether the verification is being done by a
spammer or for legitimate purposes.

> I don't know which of various other mechanisms Keith Moore meant, but
> I doubt he meant EXPN/VRFY requests or Rcpt_to, because all three
> are wrecked by common uses of MX secondaries.

no I meant RCPT. a 2xx response doesn't guarantee that the address is
valid, but a 5xx response is a reasonable assurance that the address
won't be able to receive mail.

> Note that "[verifying] whether or not the sender actually exists as
> a user on the mail server for the domain the e-mail is coming from"
> as stated does not make a lot of sense in the real world.

in many (not all) cases it's fairly safe to assume that a message from
an unreplyable address is not of interest to a recipient. for instance,
I use this to filter traffic that is sent to a mail robot autoresponder,
because there's no point in having the robot process a message and
generate a response if the reply is going to bounce anyway.

Keith
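Added example, not part of the original message or of any code its author describes: a sketch of how an autoresponder could act on the reply to RCPT TO for the sender's address, using the asymmetry stated above (5xx is a reasonable assurance of non-delivery, 2xx is not a guarantee). The function names, the decision labels and the sample replies are hypothetical and constructed for illustration.

```python
import re

# One SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (final line).
_REPLY_LINE = re.compile(r"^([2-5]\d\d)([ -])(.*)$")

def parse_reply(raw):
    """Return (code, text) for a possibly multi-line SMTP reply; raise ValueError if malformed."""
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    code, parts = None, []
    for i, line in enumerate(lines):
        m = _REPLY_LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        if code is not None and m.group(1) != code:
            raise ValueError("reply code changes between lines")
        # Only the last line may use a space separator; all earlier lines use "-".
        if (m.group(2) == " ") != (i == len(lines) - 1):
            raise ValueError("bad continuation marker")
        code = m.group(1)
        parts.append(m.group(3))
    return int(code), " ".join(parts)

def autoreply_decision(rcpt_reply):
    """Map the RCPT TO reply for the sender's address to 'respond', 'suppress' or 'defer'."""
    try:
        code, _text = parse_reply(rcpt_reply)
    except ValueError:
        return "defer"      # unparseable reply proves nothing either way
    if 500 <= code <= 599:
        return "suppress"   # permanent failure: the generated reply would bounce
    if 400 <= code <= 499:
        return "defer"      # transient failure says nothing about validity
    if 200 <= code <= 299:
        return "respond"    # accepted, but not proof the address exists (e.g. an MX secondary)
    return "defer"          # 3xx is not expected in answer to RCPT TO

# Constructed sample replies (not captured from a real server).
SAMPLES = [
    "250 2.1.5 Ok\r\n",
    "550-5.1.1 The account does not exist\r\n550 5.1.1 User unknown\r\n",
    "451 4.7.1 Try again later\r\n",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(repr(reply), "->", autoreply_decision(reply))
```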