Email Address Validation and Verification

Apr 10th, 2018

Identifing domain is catch-all

Create invalid email address against that domain.

e.g.
domain : example.com
Email Adddress : dummyemail@example.com, invalid.email@example.com

Step 1 - Find mail exchanger or mail server of example.com

Commmand : 
nslookup -q=mx example.com

Response:
Non-authoritative answer:
example.com mail exchanger = 10 aspmx.l.google.com.
example.com mail exchanger = 20 alt1.aspmx.l.google.com.
example.com mail exchanger = 30 alt2.aspmx.l.google.com.
example.com mail exchanger = 40 aspmx2.googlemail.com.
example.com mail exchanger = 50 aspmx3.googlemail.com.

Step 2 - Now we know mail server so let connect to it.

Command:
telnet aspmx.l.google.com 25

Response:
Trying 74.125.24.27...
Connected to aspmx.l.google.com.
Escape character is '^]'.
220 mx.google.com ESMTP z79si2772641pfi.381 - gsmtp

Step 3 - Enter helo hi

Command:
helo hi

Response:
250 mx.google.com at your service

Step 4 - Email address from which you telnet to targeted email address

Command:
mail from: <emailaddress@gmail.com>

Response:
250 2.1.0 OK z79si2772641pfi.381 - gsmtp

Step 5 - Target email address which you want to validate

Command:
rcpt to: <targetemailid@example.com>

Response:
250 2.1.5 OK z79si2772641pfi.381 - gsmtp

If you got ok for invalid email address then that domain is catchall domain.

Methods to check email address validity

Double opt-in method

When a user registers with their email account, a unique link is sent to said account and the user is asked to click on it to confirm the registration process.

This double level process allows you not only to eliminate invalid email addresses but it also helps to prevent situations where a user can register with an email address that does exist, but does not belong to the given user.

The double opt-in technique also prevents spam users from registering with fake accounts.

Double typing/re-typo method

It is a very effective way to ensure they type their email correctly. Double typing allows users to avoid typos or syntax mistakes.

Using just this solution itself is that spam users can still provide you with an email that they don’t own.

Email address verification

  • cleansed email address list - remove fake or outdated emails, disposable email addresses, or emails whose owners have blocked and blacklisted,
  • syntax verification - verify if the email address adheres to the IETF/RFC standards,
  • domain name validation (DNS) - check the DNS and perform a MX lookup,
  • mail exchanger records (MX records) check - connect to the mail server and engage in a ‘chat’ with the server in order to validate the existence of the mailbox),
  • disposable email address detection (such disposable email accounts are created by spammers,
  • misspelled domain detection, which prevents typosquatting, or URL hijacking (when a user accidentally misspells a website address and is directed to a domain owned by hackers who might be involved in phishing schemes, or to a domain which can install malware on the user’s computer),
  • greylisting detection (greylisting is an anti-spam activity: the MTA – mail transfer agent- temporarily rejects messages from unrecognized senders),
  • checking if a given mailbox exists,
  • SMTP connection and availability checking,
  • catch-all testing (a catch-all email account will receive all messages that are addressed to an incorrect email address for a domain)
  • spam trap (email addresses used only to collect spam) detection