Do You Permit SMTP Verify?
"[With the] SMTP VRFY command--you can verify the address of a user on your mail server. For example, if you sent 'VRFY CmdrTaco' to the SMTP server at SlashDot.org you'd get back "250 OK"; if you sent "VRFY CmdrChalupa" you'd probably get back "550 User is a little dog in a fast food commercial for somebody else" or something similar.
Or you would--IF your mail server will respond to VRFY messages.
Why do I want to know? I'm developing an e-commerce registration application for a major vendor to the semiconductor industry. The client produces some extremely dangerous materials, and wants to establish a rigorous authentication process for some systems. (You'd be surprised at how deadly some of the materials your chips are made of really are....) One small part of this is ensuring that the potential customer has a valid e-mail address.
If practically everybody permits (and supports) SMTP VRFY then we'll quietly check the user's address during registration. If a number of servers don't, then we'll resort to other, clunkier methods. (If you're wondering--there is a lot more authentication going on before we let you get anywhere near ordering nasty stuff. This is for a preliminary step in the process)."
On most of my servers, I've disabled VRFY and EXPN with:
define(`confPRIVACY_FLAGS',`novrfy,noexpn')dnl
(Sendmail, of course.)
It's just weird to permit that. It seems like a potential source of spam -- you know, they could VRFY a few hundred names and build a database.
On the flipside, I've used VRFY to confirm e-mail addresses in forms. If VRFY works, then I flag the address as definitely being legit. I really wish that we had the sort of Internet where we could go on permitting VRFY and EXPN. In fact, if it weren't for spammers, I guess we could.
Oh, well.
-Waldo
I like qmail's handling of VRFY:
VRFY user@hostname.com
252 send some mail, i'll try my best
I've been using qmail for quite a while with no problem. I wouldn't worry about disabling VRFY.
Dave
RCPT TO: is the most reliable way to verify the existence of an account. It doesn't always work, but there is a method to verify if it does.
(connect to port 25)
220 mail.example.com ready.
HELO mydomain.com
250 pleased to meet you
MAIL FROM: me@mydomain.com
250 me@mydomain.com... Sender ok
RCPT TO: user@example.com
250 user@example.com... Recipient ok
RCPT TO: PddVQ9XB87bq8VH6YfFQ@example.com
550 PddVQ9XB87bq8VH6YfFQ@example.com... User unknown
QUIT
221 mail.example.com closing connection
Notes:
1. Always be polite and say HELO. Some servers are rude if you don't.
2. Use a valid domain for the MAIL FROM: line - some servers will look it up.
3. The second RCPT TO: is very important - it lets you find out whether the server blindly accepts all mail to its domain or actually verifies the user.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
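A worked version of the exchange above, added here as an example and not code from the original poster: a Python probe that runs the HELO / MAIL FROM / RCPT TO / random RCPT TO / QUIT sequence and classifies the reply, including the catch-all test from note 3. The server side is a constructed in-process stand-in for mail.example.com so the whole thing runs offline; mydomain.com and me@mydomain.com are the placeholder names from the transcript.

```python
import secrets, socket, threading

def read_code(rfile):
    line = rfile.readline()
    while line[3:4] == "-":  # skip continuation lines of a multi-line reply
        line = rfile.readline()
    return int(line[:3])  # an empty line (connection closed) raises ValueError

def probe_address(sock, address, helo="mydomain.com", sender="me@mydomain.com"):
    """Classify `address` via RCPT TO; the random second RCPT TO is the catch-all test (note 3)."""
    rfile = sock.makefile("r", encoding="ascii")
    def transact(cmd):  # send one command line, return its reply code
        sock.sendall((cmd + "\r\n").encode("ascii"))
        return read_code(rfile)
    try:
        for cmd in (None, f"HELO {helo}", f"MAIL FROM:<{sender}>"):  # banner, HELO, MAIL
            if (read_code(rfile) if cmd is None else transact(cmd)) // 100 != 2:
                return "unknown"
        real = transact(f"RCPT TO:<{address}>")
        bogus = transact(f"RCPT TO:<{secrets.token_hex(10)}@{address.rsplit('@', 1)[-1]}>")
        transact("QUIT")
    except (OSError, ValueError):
        return "unknown"
    if real // 100 == 5:
        return "invalid"
    if real // 100 != 2:
        return "unknown"  # 4xx greylisting, 252 "I'll try my best", ...: server won't say
    return "catch-all" if bogus // 100 == 2 else "valid"

def scripted_server(sock, known, catch_all=False):
    # Constructed stand-in for mail.example.com; answers like the transcript above.
    reply = lambda text: sock.sendall((text + "\r\n").encode("ascii"))
    reply("220 mail.example.com ready.")
    with sock, sock.makefile("r", encoding="ascii") as rfile:
        for line in rfile:
            verb, _, arg = line.strip().partition(" ")
            if verb == "RCPT":
                addr = arg.split(":", 1)[-1].strip("<> ")
                ok = catch_all or addr.lower() in known
                reply(f"250 {addr}... Recipient ok" if ok else f"550 {addr}... User unknown")
            elif verb == "QUIT":
                reply("221 mail.example.com closing connection")
                break
            else:
                reply("250 pleased to meet you")  # HELO / MAIL FROM

def check(address, known, catch_all=False):
    # Probe `address` against the scripted server over an in-process socket pair.
    client, server = socket.socketpair()
    threading.Thread(target=scripted_server, args=(server, known, catch_all), daemon=True).start()
    with client:
        return probe_address(client, address)
```

For a real server, replace the socket pair in `check` with a connection to port 25 and pass that socket to `probe_address`; `check("user@example.com", {"user@example.com"})` returns "valid" against the stand-in, and "catch-all" once the stand-in accepts everything.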
Put me in category 2 for all mail servers I influence
2) use mail servers that support VRFY, but have disabled it.
It's a good security policy, and many sites don't do VRFY or EXPN.
You even have a good reason to not DoS your potential customers who are clueless enough to be using a non-compliant MTA:
(Microsoft Exchange 5.0, for example, hangs the Internet Mail Service if you send a VRFY for a valid address).
That should stop you right there.
But the scary part of your question is
The client produces some extremely dangerous materials, (You'd be surprised at how deadly some of the materials your chips are made of really are....)
You mean like silane, arsine and other dopants for silicon? Hydrazine for etching? Hydrofluoric acid for surface cleaning?
I've worked in silicon foundries before, and it was damn difficult to order, transport, store and use those chemicals. There were a ton of laws controlling every part of their existence (of course, there were a lot more patri^H^H^H^H^Hterrorists around where I was). Are you implying your client is now going to ignore the laws requiring them to establish a solid business relationship before ever transporting the chemicals off site? Sounds like a very irresponsible thing to do, probably illegal.
One small part of this is ensuring that the potential customer has a valid e-mail address.
I should hope you are establishing a solid business relationship with any potential customer before allowing them any access to the ordering process. This means face to face meetings, and an inspection of their facilities to meet federal hazmat guidelines. A check for a valid email address is pretty laughable, except for the fact that you might serve some prison time if anything bad ever happens because you shipped a tank of arsine to ima.badguy@terrorist.org and it was opened in the air conditioning of the MPAA offices. Hey, do you smell garlic?
If you have to establish a real B2B electronic relationship with your customers, then get some kind of token generators at a minimum. Cryptocards could help to verify a customer trusted enough to fill in an order form. Or a PGP/RSA style signature to ensure the customer is who they say they are. Search the web, there are hacked versions of sendmail which will tack on a PGP signature to any email matching certain criteria.
Your answer lies elsewhere for e-commerce security, young grasshopper. Seek out the knowledgeable old farts who have done this before.
the AC
Hemos is like... sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Actually, some senders are using a sneakier way of telling. They send HTML e-mail, and embed a reference to (say) a 1x1 invisible GIF, but serve it up through a URL that includes a unique identifier. That way (if your e-mail client renders HTML messages automatically, and you're connected at the time) they know you opened the message even if you then just delete it, without either a reply or even a receipt being explicitly sent by you.