Information Security Stack Exchange is a question and answer site for information security professionals. It only takes a minute to sign up.
Sign up to join this community
Anybody can ask a question
Anybody can answer
The best answers are voted up and rise to the top
- Case 1: When user creates an account, a confirmation email is sent.
- Case 2: When user invites a coworker to his/her account, an invitation email is sent.
Problem: If a user makes a typo in the email, it cannot be delivered.
It might be more user-friendly to immediately show an error message to a user if this email cannot be delivered. So this user won’t waste time waiting for this email and could fix the typo. The potential risk is that someone can use it to check for someone’s else mailbox existence. But there are easier ways to check for email address existence, and with throttling, the risk can probably be mitigated.
I wonder if I missed something from the security point of view.
If the receiving mail server uses ‘greylisting’ to block spam, even valid email addresses are rejected at first (the sending mail server has to retry). So, it may take several retries and some time until you know that the email address is valid or not.
In general, it is a bad idea to try to use in a synchronous way (the user sits and waits for a reply live) a system that was designed to be asynchronous (email system).
Generally, when an attacker tries user-enumeration or other directory harvest attack (DHA), it requires using an asset they control to make the probe. Defensive systems like anti-spam gateways take note of this sort of attack and have protections against it.
An attacker could launch such an attack using this service, gaining insight into which emails on a list accept mail while externalizing the consequences (IP reputation, etc) to this service.