checking if email address is live and real?

*** ne**@celticbear.com wrote/escribió (22 Jun 2005 06:51:59 -0700):

There's all kinds of ways to validate an email address to make sure
it's well formed and whatnot, but what about checking to see if it's a
valid e-mail account?
Like how you can use checkdnsrr() to check to see if a URL is valid.

Generate a random string, send it through email and make user type it back
in the site (for example, making a link). Believe me, there's no other way.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--

On Wed, 22 Jun 2005 16:07:04 +0200, Alvaro G Vicario wrote:

*** ne**@celticbear.com wrote/escribió (22 Jun 2005 06:51:59 -0700):

There's all kinds of ways to validate an email address to make sure it's
well formed and whatnot, but what about checking to see if it's a valid
e-mail account?
Like how you can use checkdnsrr() to check to see if a URL is valid.

Generate a random string, send it through email and make user type it back
in the site (for example, making a link). Believe me, there's no other
way.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group

They must be a way, MSN did it when I mistyped my email address in
the sign up box it told me straight away that it was invalid and it was
only invalid because I typed a 'd' in place of an 's' in the part before
the @ sign.

*** BearItAll wrote/escribió (Wed, 22 Jun 2005 15:56:42 +0100):

They must be a way, MSN did it when I mistyped my email address in
the sign up box it told me straight away that it was invalid and it was
only invalid because I typed a 'd' in place of an 's' in the part before
the @ sign.

Without sending mail, you can check whether the domain has a valid DNS
entry or even it the server is up and running. It's really hard to check
whether the domain is registered and it's impossible to check whether a
mailbox exists: the VRFY SMTP command is disabled for security/privacy
reasons in many mail servers.

So you can work a lot to create a validation system that offers unreliable
results or you can write a very simple random code system that works 99% of
the time*.
(*) Some mail servers lose mail due to incorrectly configured antispam
systems.

--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--

>Without sending mail, you can check whether the domain has a valid DNS

entry or even it the server is up and running. It's really hard to check
whether the domain is registered and it's impossible to check whether a
mailbox exists: the VRFY SMTP command is disabled for security/privacy
reasons in many mail servers.
If the domain isn't registered, it won't have a MX record or an A
record in DNS. This is easy to check, and it's done every time a
mail server tries to send mail to determine WHERE to send it. I
also suggest you reject as invalid a MX or A record that points to
a bogus IP address (e.g. 127.0.0.1, or an IP in private address
space).

Try to send a bounce message to that email address.
Look up MX server.
HELO my.host.name
MAIL FROM:<>
RCPT TO:<em***@Im.testing>
QUIT
Stop short of actually sending a body. This is what Exim callout
verify does. And note that "VRFY" doesn't appear anywhere in
the conversation. This does have some problems:

(1) FALSE POSITIVE: some servers accept anything during the SMTP
conversation and bounce it later. However, at least you checked
that there IS a server in DNS to send it to. And quite a few
servers do check on the spot.

(2) FALSE NEGATIVE: some servers don't accept bounce messages
(MAIL FROM:<>) at all.

(3) If the server (or various DNS servers) is down at the point you
try the test, you get a temporary failure. Handing back a temporary
failure to a mail server trying to send IN the message (which Exim
callout verify does) is generally not a problem: the sender will
retry. Handing back a temporary failure on a web page is more
likely to be seen as a problem.
So you can work a lot to create a validation system that offers unreliable
results or you can write a very simple random code system that works 99% of
the time*.
The random code system defends against bots, not against people
who enter fake email addresses. How important this is depends
on why you want to check for a valid email address. If the problem
is relay-raping, the random code is a good solution. If you want to
verify that the person can actually RECEIVE email at the address
they gave, sending a confirmation email with a link they need to
click on is fairly effective.[1]
(*) Some mail servers lose mail due to incorrectly configured antispam
systems.

And some mail servers lose mail in the spool when the hard disk has
a head crash.

[1] A few anti-spam systems can be configured to effectively click
on every link in every email to filter the web page as though it
were part of the email, looking for, for example, phishing scams.
How many admins actually do this, I don't know. It seems like
a lot of emails with links to unreachable sites would have the effect
of a denial-of-service-attack on the site doing the filtering.

Gordon L. Burditt

BearItAll wrote:

They must be a way, MSN did it when I mistyped my email address in
the sign up box it told me straight away that it was invalid and it was
only invalid because I typed a 'd' in place of an 's' in the part before
the @ sign.

Was the email address an MSN one? Then they just checked their database.

Cheers,
Nicholas Sherlock

On Wed, 22 Jun 2005 16:13:36 -0000, go***********@burditt.org (Gordon
Burditt) wrote:

(2) FALSE NEGATIVE: some servers don't accept bounce messages
(MAIL FROM:<>) at all.

That's not a false negative. If they deliberately break their config
and ignore RFC requirements, then they should not be allowed to
send/receive e-mail. Their problem ;-)

--
------------------------------------------------------------------
- Stuart Millington ALL HTML e-mail rejected -
- mailto:ph***@dsv1.co.uk http://w3.z-add.co.uk/ -

*** Gordon Burditt wrote/escribió (Wed, 22 Jun 2005 16:13:36 -0000):

The random code system defends against bots, not against people
who enter fake email addresses.

I someone manages to get a random code sent to a fake e-mail address, I
guess it wouldn't be a problem to use the address for further contact :)

What I said was:

"Generate a random string, send it through email and make user type it back
in the site (for example, making a link)."

You missed my original message and you're thinking about a bot prevention
system, something the original poster never mentioned he needed.
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--

"Alvaro G Vicario" <al******************@telecomputeronline.com> wrote in
message news:14*****************************@40tude.net...

*** Gordon Burditt wrote/escribió (Wed, 22 Jun 2005 16:13:36 -0000):

The random code system defends against bots, not against people
who enter fake email addresses.
I someone manages to get a random code sent to a fake e-mail address, I
guess it wouldn't be a problem to use the address for further contact :)

What I said was:

"Generate a random string, send it through email and make user type it

back in the site (for example, making a link)."

You missed my original message and you're thinking about a bot prevention
system, something the original poster never mentioned he needed.
--
-- Álvaro G. Vicario - Burgos, Spain
-- http://bits.demogracia.com - Mi sitio sobre programación web
-- Don't e-mail me your questions, post them to the group
--

....and don't forget that now alot of people are using those 'temporary'
email addresses to avoid spam themselves. But the problem is that you as a
host/webmaster don't want those addresses. I use an email address as a
username for my business (as they are all unique to each person). I want to
know I can reach that person if needed.

Norm
--
FREE Avatar hosting at www.easyavatar.com

Hello,

on 06/22/2005 10:51 AM ne**@celticbear.com said the following:

There's all kinds of ways to validate an email address to make sure
it's well formed and whatnot, but what about checking to see if it's a
valid e-mail account?
Like how you can use checkdnsrr() to check to see if a URL is valid.

I know finger used to be used at one time, no? But server block finger
requests, and I'm not sure many e-mail accounts out there are even
fingerable type accounts anyway.

This e-mail validation class does exactly what you ask:

http://www.phpclasses.org/emailvalidation
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html