Websites don’t have an actual check for a legit email… That’s why they send confirmation links to click. Forms check that it ends with @something.something, sometimes they can add filters to not allow anything other than the 20 most popular domains. Or they can block addresses with less than 3 characters, because nobody real has those. But most forms you can keyboard smash anything@anything.anything. They just might make a temp account until it’s confirmed or something.
But joeblow@aol.com almost certainly was/is real.
Edit: looks like I was also incorrect!
You’re partially right, I’d like to add some details: websites can also check if a domain (e.g. example.com) actually exists. So if you smash random letters on your keyboard and you end up with a non-existing domain, a website will be able to stop you from using that address.
More advanced websites also check for an MX record on the domain DNS. If a domain exists but it doesn’t have an MX record, then it’s not going to be able to receive emails and may be blocked in sign up forms.
Edit: not only an MX record, but also an A record, because if no MX record is present, then the mail is sent to the A record as a fallback (even though, in all honesty, I think this is a very uncommon configuration on the modern internet).
Wow thank you for the info, I didn’t know they had such advanced lookups.
Some do. You can connect to an SMTP server and pretend to send an email (send the EHLO, MAIL FROM, and RCPT TO commands, but don’t actually send any content). A lot of servers will immediately reject as soon as you provide an invalid recipient email address.
Of course, that doesn’t work for any domains with a catchall address (where every address at a domain goes to one mailbox), and some SMTP servers don’t reject the email until later (or even just silently ignore emails to invalid addresses) in order to avoid enumeration attacks.
Huh thank you for the more correct information, I didn’t know about those options.
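The domain-level check described in the thread (MX lookup, then the A-record fallback), as an added example that is not code from any of the posters. The `lookup` resolver hook and the zone data are hypothetical and constructed so the block runs offline; it also handles the RFC 7505 "null MX" case, which the thread does not mention.

```python
import re

# Loose syntax gate only: one "@", non-empty local part, dotted domain.
_ADDR = re.compile(r"^[^@\s]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")

def mail_hosts(domain, lookup):
    """Return the hosts mail for `domain` would be delivered to, best first.

    `lookup(name, rtype)` is a hypothetical resolver hook: it returns
    (preference, host) tuples for "MX" and address strings for "A"/"AAAA".
    """
    mx = sorted(lookup(domain, "MX"))
    if mx:
        # RFC 7505 null MX: a single record pointing at "." means "no mail here".
        if len(mx) == 1 and mx[0][1].rstrip(".") == "":
            return []
        return [host.rstrip(".") for _, host in mx]
    # No MX at all: delivery falls back to the domain's own address records.
    if lookup(domain, "A") or lookup(domain, "AAAA"):
        return [domain]
    return []

def check_signup_address(address, lookup):
    """Classify a signup address; passing only means mail *might* be deliverable."""
    m = _ADDR.match(address)
    if not m:
        return "reject: syntax"
    if not mail_hosts(m.group(1).lower(), lookup):
        return "reject: domain cannot receive mail"
    # DNS says nothing about the mailbox itself, so confirmation is still needed.
    return "send confirmation link"

# Constructed zone data (reserved example names and documentation addresses).
ZONE = {
    ("example.com", "MX"): [(20, "mx2.example.com."), (10, "mx1.example.com.")],
    ("a-only.example", "A"): ["192.0.2.10"],
    ("nomail.example", "MX"): [(0, ".")],
    ("nomail.example", "A"): ["192.0.2.20"],
}

def fake_lookup(name, rtype):
    return ZONE.get((name, rtype), [])

if __name__ == "__main__":
    for addr in ("joe@example.com", "joe@a-only.example",
                 "joe@nomail.example", "asdf@qwerzxcv.example", "asdf"):
        print(addr, "->", check_signup_address(addr, fake_lookup))
```

In a real form, `lookup` would wrap an actual DNS resolver, and lookup failures (timeouts, SERVFAIL) should be treated as "unknown" rather than as a rejection.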