Security Basics mailing list archives

Re: Verifying E-Mail Addresses


From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Wed, 25 Oct 2006 23:53:01 +0200

On 2006-10-25 bucklerk () dsa com wrote:
> You can with SMTP's VRFY command I believe.
> HOWEVER, I highly recommend administrators do NOT enable VRFY due to its
> possibility of abuse.
> What sounds like a quick means of checking for valid recipients can also
> be used by hackers and spammers to probe a system for valid accounts.

I disagree. An e-mail address is just an e-mail address. Its localpart
may or may not correspond to an actual login name. Besides, I would
never consider a login name to be a secret anyway as they tend to be
predictable. And spammers will most likely send their crap to anything
that even remotely looks like an e-mail address, so that too isn't
really an issue (or at least no issue that couldn't be handled by a
decent spam filter). IMHO. YMMV.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq
