Email verification with SMTP fails on local machine for certain domains

Question

I want to verify whether mail box exists for a email with SMTP. I am able to do following things :

Get MX records from domain
Connect to host via SMTP

Then I execute following commands :

  HELO somedomain.com
  MAIL FROM:<verify@somedomain.com>
  RCPT TO:<someone@yahoo.com>

Above commands give me 250 response for invalid emails on my local machine. But when I verify the email on some online service I get 554 response (which is correct). What is the reason behind this weird behavior (invalid results on local machine) ?

What happens when you use `VRFY` instead of `RCPT TO:`? – TheCleaner Oct 17 '13 at 14:02 — TheCleaner, Oct 17 '13 at 14:02
@TheCleaner It gives `502 Command Unimplemented` – vedarthk Oct 17 '13 at 14:08 — vedarthk, Oct 17 '13 at 14:08

score 1 · Answer 1 · answered Oct 17 '13 at 14:27

Your RCPT TO: should get a 550 not a 554 technically if the mailbox doesn't exist. A 554 is used if the command fails (such as an invalid command syntax) However, like Gryphius said a lot of mail servers will respond with a 250 if the syntax used is valid. It isn't checking yet to see if the actual mailbox exists OR it simply doesn't want to tell you if the address exists or not.

The VRFY command is technically what the SMTP protocol "should" be using for verifying if an email address exists or not. But quite a few prominent mail services don't really allow for VRFY or again, simply say "Not sure, but I'll try to deliver it".

The reason that a lot of SMTP "servers" respond with 250 OK is because often they are just front end gateways for other mail servers or a "hop" in the sequence. So they will let another server down the chain handle whether the address is valid or not. Other times mail servers don't want someone to iterate through various email addresses hoping to get a list of invalid vs. valid.

I get what are you saying but how come I get different result for the same email on my local machine than that on a service like http://verify-email.org ? — vedarthk, Oct 18 '13 at 10:27
@vedarthk - are the commands identical between what you are sending and what verify-email.org is sending? — TheCleaner, Oct 21 '13 at 12:55

score 0 · Answer 2 · answered Oct 17 '13 at 13:48

0

you can't rely on SMTP to do recipient verification. many mailservers only check recipient adresses after the mail has been accepted into the local queue. if the recipient account does not exist, they send back a bounce. ("accept-and-bounce" behaviour).

answered Oct 17 '13 at 13:48

Gryphius

2,720
1
19
19

I am curious how http://verify-email.org give me correct results for the same procedure which gives me incorrect results on my local machine. – vedarthk Oct 17 '13 at 13:51
Accepting and then bouncing is also called "backscattering" and is considered as a very bad configuration, as this allows to send out bounce spam via a faked sender address. This can also put your mailserver on a lot of blacklists. A correctly configured mailserver should always verify first before accepting the mail. – etagenklo Oct 17 '13 at 13:57

Email verification with SMTP fails on local machine for certain domains

2 Answers2