Importance of rejecting invalid email addresses
There are two schools of thought when it comes to accepting emails sent to invalid addresses in an SMTP server:
This difference is subtle but very important.
- Reject the message without accepting it
- Accept an incoming message and then generate an NDR (non-delivery report)
Before delving into details, it is important to understand how emails go from one server to another. By design emails hop from one SMTP server to another before reaching its final destination. Additionally, the current email system is designed to mimic our regular snail mail system. Note the following features that are common in both snail mail and email delivery systems:
- Actual letters are enclosed inside an envelope that contains the sender's and recipient's address.
- If the recipients address is invalid, the package is sent back to the sender's address
- When talking about snail mail, you have two options if you get a package for a person who does not live in your household:
Same concept applies for email:
- Give a list of people who live in your house and tell the mailman to return the package if the package does not belong to anyone who lives there.
- Let the mailman deliver the package and at a later time you go back to the post office and ask them to send it back
Now let's talk a bit more about emails. The following lines display an example communication between the sender's and recipient's SMTP server. This communication is called the
SMTP Envelope. Requests sent by the sender are denoted by an
- First option is to reject any incoming email sent to invalid user before accepting the actual email
- Or, accept the message and then generate an NDR because user does not exist.
S --> and response sent by the recipient is denoted by
R <-- to indicate direction.
1 - S --> HELO mail.senderdomain.com
2 - R <-- 250-127.0.0.1. Please to meet you
3 - S --> MAIL FROM: <email@example.com>
4 - R <-- 250 OK
5 - S --> RCPT TO:<firstname.lastname@example.org>
6 - R <-- 250 OK
7 - S --> DATA
8 - R <-- 354 Start mail input;
9 - R <-- 250 2.6.0 Queued mail for delivery
10 - S --> QUIT
10 - R <-- 221 Good bye.
Line number 5 is the most important line, where the sender asks to send an email to
email@example.com. The actual email body is sent between line number 8 and 9.
Two options In detail
Considering the example above and assuming
firstname.lastname@example.org is not a valid user, your SMTP server has two options:
The first option is to send an error code at line number 6, which is a response to the |
RCPT TO line. In this case, communication will abort and the
will never be sent.
||Second option is to accept the message all the way and then generate an NDR if the recipient is not found.|
Why is Option 1 better
Option 1 is better for several reasons:
- Less traffic. You could potentially reduce up to 60% traffic to your email server by simply rejecting emails destined for invalid users.
- Responsibility of generating an NDR now lies on the sender's SMTP server. NDRs are generated by the SMTP server that accepts an email. Since your server never accepted
the message, it is not your responsibility to generate an NDR.
- You will not become a victim of Reverse NDR attack.
||1/5/17 1:22 PM
|Last updated on:
||1/5/17 2:34 PM