Importance of rejecting invalid email addresses

There are two schools of thought when it comes to accepting emails sent to invalid addresses in an SMTP server:
  • Reject the message without accepting it
  • Accept an incoming message and then generate an NDR (non-delivery report)
This difference is subtle but very important.

Before delving into details, it is important to understand how emails go from one server to another. By design emails hop from one SMTP server to another before reaching its final destination. Additionally, the current email system is designed to mimic our regular snail mail system. Note the following features that are common in both snail mail and email delivery systems:
  • Actual letters are enclosed inside an envelope that contains the sender's and recipient's address. 
  • If the recipients address is invalid, the package is sent back to the sender's address
  • When talking about snail mail, you have two options if you get a package for a person who does not live in your household: 
    1. Give a list of people who live in your house and tell the mailman to return the package if the package does not belong to anyone who lives there.
    2. Let the mailman deliver the package and at a later time you go back to the post office and ask them to send it back
    Same concept applies for email:
    1. First option is to reject any incoming email sent to invalid user before accepting the actual email
    2. Or, accept the message and then generate an NDR because user does not exist.
Now let's talk a bit more about emails. The following lines display an example communication between the sender's and recipient's SMTP server. This communication is called the SMTP Envelope. Requests sent by the sender are denoted by an S --> and response sent by the recipient is denoted by R <-- to indicate direction.

1  - S --> HELO mail.senderdomain.com
2  - R <-- 250-127.0.0.1. Please to meet you
3  - S --> MAIL FROM: <jack@xyz.com>
4  - R <-- 250 OK
5  - S --> RCPT TO:<adam@yourcompany.com>
6  - R <-- 250 OK
7  - S --> DATA
8  - R <-- 354 Start mail input;
9  - R <-- 250 2.6.0 Queued mail for delivery
10 - S --> QUIT
10 - R <-- 221 Good bye.
Line number 5 is the most important line, where the sender asks to send an email to adam@yourcompany.com. The actual email body is sent between line number 8 and 9.

Two options In detail

Considering the example above and assuming adam@yourcompany.com is not a valid user, your SMTP server has two options:

Option 1 The first option is to send an error code at line number 6, which is a response to the RCPT TO line. In this case, communication will abort and the DATA will never be sent.
Option 2 Second option is to accept the message all the way and then generate an NDR if the recipient is not found.

Why is Option 1 better

Option 1 is better for several reasons:

  • Less traffic. You could potentially reduce up to 60% traffic to your email server by simply rejecting emails destined for invalid users.
  • Responsibility of generating an NDR now lies on the sender's SMTP server. NDRs are generated by the SMTP server that accepts an email. Since your server never accepted the message, it is not your responsibility to generate an NDR.
  • You will not become a victim of Reverse NDR attack.





Created on: 1/5/17 1:22 PM
Last updated on: 1/5/17 2:34 PM