Can you verify email addresses in real time?

In a recent discussion about spamtraps and address lists and data collection a participant commented, “[E]very site should be utilizing a real-time email address hygiene and correction service on the front end.” He went on to explain that real time hygiene prevents undeliverable addresses and spamtraps and all sorts of list problems. I was skeptical to say the least.
Yes, there are APIs that can be queried at some of the larger ISPs to identify if an account name is taken, but this doesn’t mean that there is an associated email address. Yes, senders can do a real time SMTP transaction, but ISPs are quick to block SMTP transactions that quit before DATA.
I decided to check out one service to see how accurate it was. I’m somewhat lucky in that I created a username at Yahoo Groups over a dozen years ago but never activated the associated email address. This means that the account is shown as taken and no one else can register that address at Yahoo. But the address doesn’t accept any mail.

Sceenshot of verification
The address verification for Yahoo addresses
There is a service that offers real time verification and allows potential customers to check an address on their website. I plugged my Yahoo address into their text box. They verified it as active and connected to all networks. Just to make sure I checked my existing Yahoo address as well, and that shows the same: connected to active online networks.
I next sent an email to both Yahoo accounts. Yahoo accepted mail to my working account but bounced mail to the Yahoo Groups only account.

Final-Recipient: rfc822; biskybabe@yahoo.com
Original-Recipient: rfc822;biskybabe@yahoo.com
Action: failed
Status: 5.0.0
Remote-MTA: dns; mta5.am0.yahoodns.net
Diagnostic-Code: smtp; 554 delivery error: dd This user doesn't
   have a yahoo.com account (biskybabe@yahoo.com) [-5] -
   mta1289.mail.ac4.yahoo.com

This tells me that for Yahoo addresses, Briteverify is using some sort of API call to identify whether or not an account name is taken. But just because an account name is taken doesn’t specifically mean that an account is a valid email address. It’s probably better than no verification, but usage of all real time verification isn’t going to help in all cases.
What about email accounts that don’t provide an API or a way to check the validity of an account? In that case it appears that they are using an aborted SMTP transaction. we tested

Jan 24 15:20:00 misc postfix/smtpd[28917]: connect from
   smtpout9.briteverify.com[107.20.232.98]
Jan 24 15:20:01 misc postfix/smtpd[28917]: NOQUEUE: reject:
   RCPT from smtpout9.briteverify.com[107.20.232.98]: 550 5.1.1
   <mu/er9w9kmbyg+s5uehqdxqe@blighty.com>: Recipient
   address rejected: User unknown in virtual alias table;
   from=<admin@origindata.com>
   to=<mu/er9w9kmbyg+s5uehqdxqe@blighty.com>
   proto=SMTP helo=<emailver.briteleads.com>
Jan 24 15:20:01 misc postfix/smtpd[28917]: lost connection after
   RCPT from smtpout9.briteverify.com[107.20.232.98]
Jan 24 15:20:01 misc postfix/smtpd[28917]: disconnect from
   smtpout9.briteverify.com[107.20.232.98]
Jan 24 15:20:01 misc postfix/smtpd[28915]: connect from
   smtpout7.briteverify.com[184.73.155.120]
Jan 24 15:20:01 misc postfix/smtpd[28915]: NOQUEUE: reject:
   RCPT from smtpout7.briteverify.com[184.73.155.120]: 550 5.1.1
   <aardvark@blighty.com>: Recipient address rejected: User
   unknown in virtual alias table; from=<admin@origindata.com>
   to=<aardvark@blighty.com> proto=SMTP
   helo=<emailver.briteleads.com>
Jan 24 15:20:01 misc postfix/smtpd[28915]: lost connection after
   RCPT from smtpout7.briteverify.com[184.73.155.120]
Jan 24 15:20:01 misc postfix/smtpd[28915]: disconnect from
   smtpout7.briteverify.com[184.73.155.120]

The verification service did correctly identify both addresses as invalid. However, this is exactly the kind of SMTP behaviour that is blocked by many places.
Real time address verification for 100% of addresses is incredibly difficult. As I demonstrated above, their use of testing APIs makes the assumption that everyone with a login at Yahoo (or google or other places) has an email address, but this isn’t necessarily true.
There are other assumptions that realtime address verification makes.

  1. No one ever typos the left hand side of their email address into an address of another user at the site. This isn’t true, for instance, I entered a common typo of my email address into the form and the service verified it as accurate. It probably is a valid, deliverable account but that doesn’t mean that it’s a good address.
  2. Spamtraps are always undeliverable addresses. This is not true and the above form did verify a spamtrap address that a friendly blocklist admin checked for me.
  3. No one typos the right hand side of an address to a valid domain. This is not true. For instance, I know a number of spamtrap domains used by Trend Micro. The form validates addresses there and tells me I’m good to send.

I’m not trying to knock the real time address verification services, I think what they’re attempting to do is good. I think the glossy marketing, though, will lead senders into a false sense of security. Just because a 3rd party service tells you an address is deliverable, doesn’t mean that the address is deliverable or that the address is safe to mail.
I do think potential verification customers deserve to understand how the services work so that they can make good decisions about purchasing those services.
 
 

Related Posts

Protecting customer data

There have been a number of reports recently about customer lists leaking out through ESPs. In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and not told anyone that data was leaked. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.

Read More

What is an email address? (part three)

As promised last week, here are some actual recommendations for handling email addresses.
First some things to check when capturing an email address from a user, or when importing a list. These will exclude some legitimate email addresses, but not any that anyone is likely to actually be using. And they’ll allow in some email addresses that are technically not legal, by erring on the side of simple checks. But they’re an awful lot better than many of the existing email address filters.

Read More

Three ways spammers get your address

Paul explains 3 ways spammers get your email address.

Read More