Recipient verification as a spam filter
Idea shared by Douglas Foster - Today at 9:58 AM
Proposed
I have not been using Recipient Verification because I did not want to permit directory harvesting by spammers, although I did not have the tools to quantify the problem.  I suspected that recipient verification failure data might be a useful tool for identifying spam sources, but had not tried to do so.

Recently, I completed work on an API script (in Python) to perform recipient verification checks from my inbound gateway (SmarterMail + Declude) to my SmarterMail mail server. Since this check is performed by Declude, after the SMTP session is closed, messages with at least one deliverable recipient will proceed normally, while messages with no deliverable recipients are blocked. The results surprised me:

57% of all incoming messages are for undeliverable accounts, and this includes:
  • 83% of messages that were blocked on other criteria, 
  • 66% of messages that were quarantined on other criteria, and 
  • 40% of messages that were otherwise allowed.  
These numbers include some messages from legitimate correspondents to terminated employees, but the vast majority is just spam.

This data confirmed my suspicion that directory harvesting is a serious threat, and that the SMTP session is not the time to be notifying senders about recipient verification failures.  Only some senders are sufficiently trusted to be eligible for recipient verification failure notices, and these will have to be sent as non-delivery notices.   Until I have a way to implement that conditional logic, nobody gets any recipient verification failure notices from me.

My API script is available on request via private message.


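The post-session check described in the post above, sketched as an added example; this is not the poster's script and it calls no SmarterMail or Declude API. The `VALID_MAILBOXES` set stands in for the mail server's directory lookup, and the message records, addresses and the `min_failures` threshold are constructed assumptions.

```python
from collections import Counter

# Hypothetical stand-in for the mail server's directory lookup (assumption).
VALID_MAILBOXES = {"alice@example.com", "bob@example.com"}

# Constructed sample: (source IP, verdict from other filters, recipients).
MESSAGES = [
    ("203.0.113.5", "blocked", ["sales@example.com", "info@example.com"]),
    ("203.0.113.5", "blocked", ["admin@example.com"]),
    ("203.0.113.5", "allowed", ["webmaster@example.com"]),
    ("198.51.100.7", "quarantined", ["alice@example.com", "jim@example.com"]),
    ("198.51.100.7", "allowed", ["bob@example.com"]),
    ("192.0.2.44", "quarantined", ["test@example.com"]),
    ("192.0.2.44", "allowed", ["alice@example.com"]),
]


def is_deliverable(address):
    """Case-insensitive lookup against the directory stand-in."""
    return address.lower() in VALID_MAILBOXES


def disposition(recipients):
    """Proceed if at least one recipient is deliverable, otherwise block.

    Runs after the SMTP session has closed, so the sender never learns
    which addresses exist (no directory-harvesting signal).
    """
    return "proceed" if any(is_deliverable(r) for r in recipients) else "block"


def undeliverable_share(messages):
    """Percent of messages with no deliverable recipient, per prior verdict."""
    total, dead = Counter(), Counter()
    for _src, verdict, rcpts in messages:
        for key in (verdict, "all"):
            total[key] += 1
            if disposition(rcpts) == "block":
                dead[key] += 1
    return {k: round(100 * dead[k] / total[k]) for k in total}


def suspect_sources(messages, min_failures=2):
    """Sources that repeatedly send mail addressed only to unknown mailboxes."""
    fails = Counter(s for s, _v, r in messages if disposition(r) == "block")
    return sorted(s for s, n in fails.items() if n >= min_failures)
```
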