EndPointCorp / end-point-blog

End Point Dev blog
https://www.endpointdev.com/blog/

Comments for Announcing Ruby gem: email_verifier #740

Open phinjensen opened 6 years ago

phinjensen commented 6 years ago

Comments for https://www.endpointdev.com/blog/2012/12/announcing-ruby-gem-emailverifier/ By Kamil Ciemniewski

To enter a comment:

  1. Log in to GitHub
  2. Leave a comment on this issue.
phinjensen commented 6 years ago
original author: Anonymous
date: 2012-12-21T09:45:32-05:00

We can call it 'asking mail server if recipient exists'.

This is correctly called "completely broken"

The only way to correctly verify emails is to actually send an email with a link of the email address+HMAC.
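What the signed click-through link looks like in practice, as an added Ruby example that is not part of the gem or of this thread: the link carries the address, an expiry and an HMAC over both, and the click handler marks the address verified only if the signature checks out (compared in constant time) and the link has not expired. `VERIFY_SECRET`, the example.test URL and the query parameter names are assumptions made for this example.

```ruby
require 'openssl'
require 'uri'

# Application-wide signing key. Hypothetical value for this example; a real
# deployment loads it from the environment or a secrets store and never commits it.
VERIFY_SECRET = 'replace-with-32-plus-random-bytes'.freeze
TOKEN_TTL     = 24 * 60 * 60 # how long a link stays valid, in seconds

# HMAC over the address *and* its expiry, so neither can be altered without the key.
def verification_mac(email, expires, secret)
  OpenSSL::HMAC.hexdigest('SHA256', secret, "#{email}\n#{expires}")
end

# Constant-time equality, so a forged signature cannot be guessed byte by byte
# from response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build the link that is e-mailed to the user. The address is normalised before
# signing so the later comparison is not fooled by case or stray whitespace.
def verification_link(email, base_url: 'https://example.test/verify',
                      secret: VERIFY_SECRET, now: Time.now.to_i, ttl: TOKEN_TTL)
  addr    = email.strip.downcase
  expires = now + ttl
  query   = URI.encode_www_form({ 'email' => addr, 'expires' => expires,
                                  'sig' => verification_mac(addr, expires, secret) })
  "#{base_url}?#{query}"
end

# Handle the click. Returns the confirmed address, or nil when a parameter is
# missing, the signature is wrong, or the link has expired. Only an address
# returned from here should be flagged as verified in the database.
def verify_click(url, secret: VERIFY_SECRET, now: Time.now.to_i)
  params = URI.decode_www_form(URI(url).query.to_s).to_h
  email, expires, sig = params.values_at('email', 'expires', 'sig')
  return nil if email.nil? || expires.nil? || sig.nil?
  return nil unless expires =~ /\A\d+\z/
  # Check the MAC before the expiry so an attacker learns nothing from which
  # branch rejected a forged link.
  return nil unless secure_equal?(sig, verification_mac(email, expires, secret))
  return nil if expires.to_i <= now
  email
end
```

Because the expiry is covered by the MAC, an old link cannot be revived by editing the `expires` parameter, and because the key never leaves the server, possession of a valid link proves the click came from someone who received the e-mail, which is the property the SMTP callout cannot give.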

phinjensen commented 6 years ago
original author: Kamil Ciemniewski
date: 2012-12-21T10:26:18-05:00

Anonymous - thanks for feedback.

I'd like to discuss the issues you brought up:

"The mailbox may exist and accept mail but no human being may read it"

True, but we can't defend ourselves against all the failed use cases; we can still minimize some of the dangers.

"The tool to actually do this is called "VRFY" in SMTP land but this is disabled for security and spam reasons most often"

And that's exactly the reason why we're not using it.

"The mailbox may exist but belong to the wrong person." "The mailbox may not exist, but the SMTP server may accept mail unconditionally and later send a bounce"

True and true again, but it's still better to accept some percentage of useless addresses than to collect all of them.

Kamil

phinjensen commented 6 years ago
original author: Jon Jensen
date: 2012-12-21T16:09:05-05:00

This conversation would actually be good to edit and put in the documentation for the gem. There's format validation (which Kamil described in the article), then this attempt to start sending mail, then full click-through verification with a token as anonymous describes. All useful in their place, and probably should explain exactly how this gem works among the various options out there.

Thanks for releasing this gem to the public, Kamil!

phinjensen commented 6 years ago
original author: Eitan Adler
date: 2012-12-21T17:25:51-05:00

Another concern: if the system administrator disabled VRFY wouldn't it be a safe assumption that she doesn't want you enumerating or verifying email addresses in this manner?

How do you deal with temporary failures? Do you resend the callout again in the future?

What is the purpose of this module? To confirm an email belongs to the user as she typed it? It doesn't help?

To report in real time about potentially wrong email addresses on form submission? Wouldn't the latency be absurd?

I could only see this being useful to clean a dirty email list before sending out confirmed-opt-in letters. In this case though the volume of probes may very well be considered abusive.

This post inspired me to write a little rant about how to verify email addresses: http://blog.eitanadler.com/2012/12/correctly-verifying-email-address.html

phinjensen commented 6 years ago
original author: Steph Skardal
date: 2012-12-23T11:25:05-05:00

A couple of answers:

How do you deal with temporary failures? Do you resend the callout again in the future?

Temporary failures are ignored, i.e. in the case of an exception for any reason, the email validation is skipped and users have a frictionless way of continuing the sign-up process. Obviously, this allows a few bad emails through the system.

What is the purpose of this module? To confirm an email belongs to the user as she typed it? It doesn't help?

Immediately after an email is entered (JS onchange event), this module validates the realness of it. In case the email is invalid, the user cannot proceed to the next sign-up step.

To report in real time about potentially wrong email addresses on form submission? Wouldn't the latency be absurd?

Latency is less of an issue than any email validation services that were investigated for this business need, which claim to have 4-7 seconds of latency. So at this point, no, latency is not an issue and has served the business need well.

So far, the known pros / cons of this approach have served the business need for validation emails well.
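The callout the gem's approach rests on (EHLO, MAIL FROM, then RCPT TO against the domain's mail exchanger, never DATA), together with the temporary-failure handling Steph describes, as an added Ruby example that is not the gem's code. It talks to a constructed in-process stand-in for an MX so it runs offline; the MX lookup (for example with Resolv::DNS), the example.test hostnames, the sender address and the mailbox table are assumptions made for this example.

```ruby
require 'socket'
require 'timeout'

# Outcome of one callout. :unknown covers 4xx replies, timeouts and refused
# connections; as in the thread, the caller decides whether to let those through.
CalloutResult = Struct.new(:status, :code, :reply)

# Read one SMTP reply, following "250-..." continuation lines to the final one.
def read_reply(sock)
  lines = []
  loop do
    line = sock.gets or raise IOError, 'connection closed'
    lines << line.chomp
    break unless line[3] == '-'
  end
  [lines.last[0, 3].to_i, lines.join("\n")]
end

def command(sock, text)
  sock.write("#{text}\r\n")
  read_reply(sock)
end

# Ask the MX at host:port whether it would accept mail for +email+, then RSET and
# QUIT. Resolving the domain's MX records is left to the caller (assumption).
def smtp_callout(email, host:, port: 25, helo: 'verifier.example.test',
                 sender: 'postmaster@verifier.example.test', timeout: 5)
  Timeout.timeout(timeout) do
    sock = Socket.tcp(host, port, connect_timeout: timeout)
    begin
      code, reply = read_reply(sock) # 220 banner
      return CalloutResult.new(:unknown, code, reply) unless code == 220
      code, reply = command(sock, "EHLO #{helo}")
      code, reply = command(sock, "HELO #{helo}") unless code == 250
      return CalloutResult.new(:unknown, code, reply) unless code == 250
      code, reply = command(sock, "MAIL FROM:<#{sender}>")
      return CalloutResult.new(:unknown, code, reply) unless code == 250
      code, reply = command(sock, "RCPT TO:<#{email}>")
      status = case code
               when 250..259 then :accepted # mailbox exists, or the server is a catch-all
               when 500..599 then :rejected # permanent: no such user
               else :unknown                # 4xx: greylisting or rate limiting, retry later
               end
      command(sock, 'RSET')
      command(sock, 'QUIT') rescue nil
      CalloutResult.new(status, code, reply)
    ensure
      sock.close
    end
  end
rescue Timeout::Error, SystemCallError, IOError => e
  CalloutResult.new(:unknown, nil, e.message)
end

# Constructed stand-in for a real MX, answering RCPT TO from a fixed table.
# Unknown addresses get 550; the table can also return 451 to simulate greylisting.
def start_fake_mx(mailboxes)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    loop do
      Thread.new(server.accept) do |c|
        c.write("220 mx.example.test ESMTP\r\n")
        while (line = c.gets)
          verb, arg = line.chomp.split(' ', 2)
          case verb.to_s.upcase
          when 'EHLO' then c.write("250-mx.example.test\r\n250 PIPELINING\r\n")
          when 'HELO', 'MAIL', 'RSET' then c.write("250 OK\r\n")
          when 'RCPT'
            addr = arg.to_s[/<([^>]*)>/, 1].to_s.downcase
            c.write("#{mailboxes.fetch(addr, '550 5.1.1 No such user')}\r\n")
          when 'QUIT' then c.write("221 Bye\r\n"); break
          else c.write("500 5.5.1 Command unrecognized\r\n")
          end
        end
        c.close
      end
    end
  end
  server.local_address.ip_port
end

# Probe three constructed addresses: one that exists, one that does not, and one
# whose server answers with a temporary failure.
def demo
  port = start_fake_mx('bob@example.test'      => '250 2.1.5 OK',
                       'greylist@example.test' => '451 4.7.1 Please try again later')
  %w[bob@example.test nobody@example.test greylist@example.test].map do |addr|
    [addr, smtp_callout(addr, host: '127.0.0.1', port: port).status]
  end.to_h
end
```

Against a real MX the same three outcomes occur, plus the ones the thread warns about: a catch-all domain answers 250 for every address, a greylisting server answers 4xx on the first attempt, and a server that dislikes repeated probes from one source may start answering 4xx or 5xx to everything, which is why the example treats anything other than a clear 250 or 5xx as "unknown" rather than "bad".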

phinjensen commented 6 years ago
original author: Anonymous
date: 2013-05-31T04:37:10-04:00

Is it possible that their server starts blocking your email in the future? (this is mentioned in a similar gem: https://github.com/pash/email_veracity_checker)

phinjensen commented 6 years ago
original author: Kamil Ciemniewski
date: 2013-05-31T05:17:40-04:00

Anonymous:

While it's true that it's possible, you have to ask yourself a question: will my app use it hundreds of thousands of times per day? Will you have millions of users which will have to be checked every day? If you'll e.g. only check a handful of users/emails every day, then it's very unlikely that you'll get blacklisted by any SMTP server.

While I agree with what experts are theoretically saying about this method, I reckon that the reality check is worth much more than the most elaborate theory.

On the other hand, theories don't come from nowhere. You just have to gauge your situation properly.