W3C home > Mailing lists > Public > www-validator@w3.org > July 2009

Re: checklink: Is it Possible to Enable mailto link validation?

From: Dag-Erling Smørgrav <des@des.no>
Date: Wed, 01 Jul 2009 16:55:17 +0200
To: Etienne Miret <elimerl@gmail.com>
Cc: W3C Validator Community <www-validator@w3.org>
Message-ID: <86r5x0a1wq.fsf@ds4.des.no>
Etienne Miret <elimerl@gmail.com> writes:
> You misunderstood me. "This" refered to the action of opening a
> connection to an MTA and using RCPT TO commands whithout sending any
> mail in order to test wether some email adresses exists.
> "This" is defintely a Postfix feature, called "Address verification",
> and documented at:
> <http://www.postfix.org/ADDRESS_VERIFICATION_README.html>
> As I stated in my previous mail, I was aware that some MTAs wouldn't
> allow this technique to work, but since Postfix developpers spent time
> coding and documenting it, I guessed that there weren't so many domains
> doing so. That's only a guess though.

You got it all mixed up.

SMTP has a VRFY command which is used to verify that an address is
valid.  It is usually disabled by default.

RFC 821 also requires the receiving MTA to return an error immediately
upon receipt of an RCPT command that references a nonexistent user.
Many (if not most) MTAs don't return an error until after they've
received the entire message.

In both cases, the purpose is to make it harder for spammers to vet
their lists.

As a consequence, many spam bots will bypass the primary MX and go
directly to the secondary MX.  Assuming the secondary MX doesn't know
which addresses are valid and which aren't (as is usually the case),
they can spam dozens of addresses in a single SMTP transaction, instead
of one at a time.  The seconday MX will then try to forward the message
to each recipient, and generate a non-delivery notification for each
invalid address.  The sender address is either forged or non-existent,
so the NDNs will either end up in some unsuspecting user's inbox, or
bounce and end up in the postmaster's inbox.

The purpose of Postfix's address verification feature is to allow
secondary MXes reject email addressed to nonexistent users just like the
primary MX would, without actually contacting the primary MX.  Postfix
does this by keeping track of past delivery successes and failures.  It
does not control how the secondary MX reacts when it receives an RCPT
command that references a nonexistent user; that's controlled by the
smtpd_delay_reject configuration parameter, which is on by default.

Dag-Erling Smørgrav - des@des.no
Received on Wednesday, 1 July 2009 14:55:53 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 1 March 2016 14:17:59 UTC