Whatever happened to VRFY?


SMTP used to have a command called VRFY which allowed you to verify whether or not an address was valid.

RFC 2505 talks about how spammer abuse makes both VRFY and the EXPN command pretty much worthless nowadays:

2.11. SMTP VRFY and EXPN

Both SMTP VRFY and EXPN provide means for a potential spammer to test whether the addresses on his list are valid (VRFY) and even get more addresses (EXPN). Therefore, the MTA SHOULD control who is is allowed to issue these commands. This may be "on/off" or it may use access lists similar to those mentioned previously.

Note that the "VRFY" command is required according to RFC821, [1]. The response can, though, be "252 Argument not checked" to represent "off" or blocked via an access list. This should be the default.

Default for the "EXPN" command should be "off".

If you're going to do email address validation, consider that VRFY and EXPN are blocked by most ISPs nowadays. Also, simulating VRFY by stacking RCPT TO: commands is something that spammers do. ISPs know this, and the smarter ones track how often you do this. You'll get blocked after some number of attempts. I wouldn't go looking for a lot of sympathy from ISPs when trying to get unblocked afterwards, as the ISPs consider this to be a bad practice that good guys don't engage in.
2 Comments

Comments

  1. Not only spammers need to verify address in their list.

    ReplyDelete
  2. Non-spammers have other options. Like sending a welcome message. Like using COI/DOI. Like just doing your normal mailings over time and properly pruning bounces.

    If your acquisition method isn't busted, your bounce rates aren't going to be such a problem that you need to pre-validate with VRFY.

    ReplyDelete

Comments policy: Al is always right. Kidding, mostly. Be polite, please and thank you.