> > > That might be why spammers don't use EXPN/VRFY but instead use Rcpt_To > > > to verify addresses in their lists. If you watch an SMTP server that > > > gets much spam, you'll see a lot of SMTP transactions aborted after > > > Rcpt_To, even when the server answered with a 200-series status value. > > > > there's no way to know whether the verification is being done by a > > spammer or for legitimate purposes. > > That may true in general, if you can figure out a legitimate purpose > for the hack. I can't think of one that is not marginally abusive, > including your autoresponder. It is marginally abusive because it > wastes the resourses of innnocents. It doesn't waste their resources, because it improves the level of service that they see. Giving someone immediate feedback that their address is invalid is far preferable to trying to send them a bounced mail message that will never arrive; and keeping our mail servers from being bogged down with bounces that will never get delivered helps free them up to deliver legitimate traffic. However, just that because I see fit to use SMTP address validation in a few cases doesn't mean I use it everywhere, or that I recommend it as a general-purpose mechanism.... quite the contrary, I haven't made much mention of it until now because it was clear that it had a lot of potential for misuse, and that it was only a matter of time before it would become less effective anyway. For many years this was a nearly perfect filter for blocking spam from mailing lists, not so any longer. > That's distinctly different from the other person's purpose. > Knowing that an address is invalid is distinct from knowing that > it is valid. In other words, how often do you figure you see > a 2xx response to a RCPT command for an invalid address? I haven't tried to measure that. For my purposes it is sufficient if it provides early notification of a significant fraction of bad email addresses, and it certainly does that. Keith