From: Pekka Savola <pekkas(_at_)netcore(_dot_)fi>
On Wed, 14 Aug 2002, Keith Moore wrote:
There must be a secure method that would allow a receiver to verify whether
or not the sender actually exists as a user on the mail server for the
domain the e-mail is coming from.

this is already possible. it is not sufficient.

It's possible but it's useless as one can't depend on it: too many MTAs
are configured to refuse EXPN/VRFY requests if they were implemented in
the first place.

That might be why spammers don't use EXPN/VRFY but instead use Rcpt_To
to verify addresses in their lists. If you watch an SMTP server that
gets much spam, you'll see a lot of SMTP transactions aborted after
Rcpt_To, even when the server answered with a 200-series status value.

I don't know which of various other mechanisms Keith Moore meant, but
I doubt he meant EXPN/VRFY requests or Rcpt_to, because all three
are wrecked by common uses of MX secondaries.

Note that "[verifying] whether or not the sender actually exists as
a user on the mail server for the domain the e-mail is coming from"
as stated does not make a lot of sense in the real world. "The mail
server" suggests a single SMTP server per domain, which is often false.
"The domain the e-mail is coming from" suggests that there is something
wrong with sending mail from one ISP with a return address (envelope
and header From value) of a mailbox at some other ISP. "Actually
exists as a user" suggests that aliases and forwarding are not kosher.
Then there are the complications of "virtual hosts."

Vernon Schryver vjs(_at_)rhyolite(_dot_)com
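
An added example, not part of the original message: one way a server operator could spot the pattern described above, sessions that receive a 2xx reply to RCPT TO and then end without ever sending DATA. The log format, the sample lines and the function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample log (format is an assumption): session id, client IP,
# direction (C = client command, S = server reply), then the SMTP text.
# Excerpt only: the MAIL FROM exchanges are omitted.
SAMPLE_LOG = """\
s1 192.0.2.10 C RCPT TO:<alice@example.org>
s1 192.0.2.10 S 250 OK
s1 192.0.2.10 C DATA
s1 192.0.2.10 S 354 Go ahead
s2 198.51.100.7 C RCPT TO:<bob@example.org>
s2 198.51.100.7 S 250 OK
s2 198.51.100.7 C RCPT TO:<nosuch@example.org>
s2 198.51.100.7 S 550 No such user
s2 198.51.100.7 C QUIT
s3 198.51.100.7 C RCPT TO:<carol@example.org>
s3 198.51.100.7 S 250 OK
s3 198.51.100.7 C RSET
"""

def summarize_sessions(log_text):
    """Return {session_id: {"ip", "accepted", "rejected", "data"}}."""
    sessions = {}
    pending_rcpt = set()  # sessions whose last client command was RCPT TO
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        sid, ip, direction, text = parts
        s = sessions.setdefault(sid, {"ip": ip, "accepted": 0, "rejected": 0, "data": False})
        verb = text.upper()
        if direction == "C":
            pending_rcpt.discard(sid)
            if verb.startswith("RCPT TO:"):
                pending_rcpt.add(sid)
            elif verb.startswith(("DATA", "BDAT")):
                s["data"] = True
        elif direction == "S" and sid in pending_rcpt:
            # Count only the first reply line to each RCPT TO.
            s["accepted" if text.startswith("2") else "rejected"] += 1
            pending_rcpt.discard(sid)
    return sessions

def probing_clients(log_text, min_sessions=2):
    """Clients with >= min_sessions sessions that got a 2xx RCPT reply but never sent DATA."""
    hits = Counter(s["ip"] for s in summarize_sessions(log_text).values()
                   if s["accepted"] and not s["data"])
    return {ip: n for ip, n in hits.items() if n >= min_sessions}
```

A single session of this shape also occurs with legitimate clients (timeouts, sender callouts), so the per-client threshold is what separates list-washing from noise.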