That might be why spammers don't use EXPN/VRFY but instead use Rcpt_To
to verify addresses in their lists. If you watch an SMTP server that
gets much spam, you'll see a lot of SMTP transactions aborted after
Rcpt_To, even when the server answered with a 200-series status value.
there's no way to know whether the verification is being done by a
spammer or for legitimate purposes.
That may true in general, if you can figure out a legitimate purpose
for the hack. I can't think of one that is not marginally abusive,
including your autoresponder. It is marginally abusive because it
wastes the resourses of innnocents.
It doesn't waste their resources, because it improves the level of
service that they see. Giving someone immediate feedback that their
address is invalid is far preferable to trying to send them a bounced
mail message that will never arrive; and keeping our mail servers
from being bogged down with bounces that will never get delivered
helps free them up to deliver legitimate traffic.
However, just that because I see fit to use SMTP address validation
in a few cases doesn't mean I use it everywhere, or that I recommend it
as a general-purpose mechanism.... quite the contrary, I haven't made
much mention of it until now because it was clear that it had a lot of
potential for misuse, and that it was only a matter of time before it
would become less effective anyway. For many years this was a nearly
perfect filter for blocking spam from mailing lists, not so any longer.
That's distinctly different from the other person's purpose.
Knowing that an address is invalid is distinct from knowing that
it is valid. In other words, how often do you figure you see
a 2xx response to a RCPT command for an invalid address?
I haven't tried to measure that. For my purposes it is sufficient if
it provides early notification of a significant fraction of bad
email addresses, and it certainly does that.
Keith