Whatever happened to VRFY?

SMTP used to have a command called VRFY which allowed you to verify whether or not an address was valid.

RFC 2505 talks about how spammer abuse makes both VRFY and the EXPN command pretty much worthless nowadays:

2.11. SMTP VRFY and EXPN

Both SMTP VRFY and EXPN provide means for a potential spammer to test whether the addresses on his list are valid (VRFY) and even get more addresses (EXPN). Therefore, the MTA SHOULD control who is is allowed to issue these commands. This may be "on/off" or it may use access lists similar to those mentioned previously.

Note that the "VRFY" command is required according to RFC821, [1]. The response can, though, be "252 Argument not checked" to represent "off" or blocked via an access list. This should be the default.

Default for the "EXPN" command should be "off".

If you're going to do email address validation, consider that VRFY and EXPN are blocked by most ISPs nowadays. Also, simulating VRFY by stacking RCPT TO: commands is something that spammers do. ISPs know this, and the smarter ones track how often you do this. You'll get blocked after some number of attempts. I wouldn't go looking for a lot of sympathy from ISPs when trying to get unblocked afterwards, as the ISPs consider this a very bad practice that good guys don't engage in.

No comments:

Post a Comment

Comments policy: Al is always right. Kidding, mostly. Be polite, and you're welcome to join in, even if it's a differing viewpoint.