reacherhq / check-if-email-exists

Check if an email address exists without sending any email, written in Rust. Comes with a ⚙️ HTTP backend.
https://reacher.email

Consider using VRFY SMTP command #823

Open tyranron opened 3 years ago

tyranron commented 3 years ago

Checking RFC 5321 while implementing #822, I've noticed that there is a special debug VRFY SMTP command for checking whether a mailbox is valid.

It seems reasonable to use VRFY for checking mailbox existence, and fall back to RCPT TO only when the former is unimplemented or we are unsure how to make a decision out of its result.

Such a check, in theory, should not be considered a delivery attempt by SMTP servers, so we will cause fewer unnecessary rate-limit and mailtrap hits.

amaury1093 commented 3 years ago

This is a great idea! I read somewhere that most servers don't respond to VRFY, so didn't bother to implement it.

But you're 100% right, we should do VRFY first, then fall back to RCPT TO.

Would you like to create a PR?

tyranron commented 3 years ago

@amaurymartiny I'll try to find some time for it after investigating/fixing more important issues.

vsviridov commented 3 years ago

I think most server configurations suggest disabling VRFY to not make life easy for spammers, who could abuse this to enumerate valid email addresses.

masroore commented 2 years ago

Thanks to spammers, SMTP commands like VRFY and EXPN are disabled by default by most sysadmins. Or these commands do not give out any definitive result ("cannot vrfy user, but will take message for xyz").
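
The fallback decision discussed in this thread, as an added example that is not part of the issue or of the project's code: it classifies a VRFY reply using the RFC 5321 reply codes and treats 252, disabled-command and policy replies as "no information, fall back to RCPT TO". The names `VrfyOutcome`, `final_line` and `classify_vrfy` are hypothetical, and the mapping of codes to outcomes is this example's conservative assumption.

```rust
// Added example, not check-if-email-exists code. All names are hypothetical.
#[derive(Debug, PartialEq)]
enum VrfyOutcome {
    Exists,         // 250 / 251: the server vouches for the mailbox
    DoesNotExist,   // 550 that is not marked as a policy refusal
    FallBackToRcpt, // 252, disabled command, policy refusal, or unparseable
}

/// Return the code and text of the final line of an SMTP reply.
/// Continuation lines look like "250-text"; the final line is "250 text".
fn final_line(reply: &str) -> Option<(u16, &str)> {
    let last = reply.lines().filter(|l| !l.trim().is_empty()).last()?;
    let code: u16 = last.get(..3)?.parse().ok()?;
    match last.as_bytes().get(3) {
        None => Some((code, "")),
        Some(b' ') => Some((code, last[4..].trim())),
        _ => None, // "250-..." as the last line means the reply was cut off
    }
}

fn classify_vrfy(reply: &str) -> VrfyOutcome {
    match final_line(reply) {
        Some((250, _)) | Some((251, _)) => VrfyOutcome::Exists,
        // 550 also covers policy refusals; an RFC 3463 "5.7.x" enhanced
        // code marks those, so only other 550s count as "no such mailbox".
        Some((550, text)) if !text.starts_with("5.7.") => VrfyOutcome::DoesNotExist,
        // 252 ("cannot VRFY user, but will accept message"), 500/502/504,
        // 4xx transient errors and anything else carry no usable answer.
        _ => VrfyOutcome::FallBackToRcpt,
    }
}

fn main() {
    // Constructed sample replies, not captured from any real server.
    let samples = [
        "250 Jane Doe <jane@example.org>",
        "252 2.0.0 Cannot VRFY user, but will accept message",
        "502 5.5.1 VRFY command is disabled",
        "550 5.7.1 VRFY not permitted",
        "550 5.1.1 <nobody@example.org>: user unknown",
    ];
    for s in samples.iter() {
        println!("{:?} <- {}", classify_vrfy(s), s);
    }
}
```
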