At 8:32 AM +0300 15/8/02, Pekka Savola wrote:
On Wed, 14 Aug 2002, Keith Moore wrote:
> There must be a secure method that would allow a receiver to verify
> whether or not the sender actually exists as a user on the mail server
> for the domain the e-mail is coming from.
this is already possible. it is not sufficient.
It's possible but it's useless as one can't depend on it: too many MTAs
are configured to refuse EXPN/VRFY requests if they were implemented in
the first place.
It'd still be next to useless if everyone did implement it and allow
its use - it's not sufficient because checking if the email address
is correct won't help you if the header is forged.
(A quick check on spam I've received today indicates around 70% has a
forged envelope address - and of those around 15% have *my* address
as the source.)
Also, in many cases there are security issues (real and imagined)
with having an external mail relay machine (as part of a firewall
system) know what addresses are and are not valid.