
The 100% correct way to validate email addresses - beefhash
https://medium.com/hackernoon/the-100-correct-way-to-validate-email-addresses-7c4818f24643
======
elmerfud
I apparently have an email address that people either mistype often or put in
thinking it is funny/bogus. I'm for this idea of sending an activation email
to verify it, but not just a simple activation email; it needs to have a few
features in it.

First, it needs to not contain any personal information, because why would you
send personal info to an address that's not verified. Next, verification should
be more than clicking the link or typing a code. I should have to click the
link or enter the code in the browser that I've already logged in with.
There are major sites that don't do this, and I've been able to verify, then
reset the password to someone's account. Basic security thought process needs
to go into this chain of events to verify an email that can reset passwords.
Finally, there needs to be a link to indicate that it's a wrong email. There
are spam places that use this to capture emails, but when big names don't offer
this feature it boggles the mind.

------
ordu
As I understand it, the goal of validating e-mail syntactically is a defense
against various attacks based on injection of malicious data/code. One wants
to restrict what might be entered by a user, to forbid something like
"hello@example.com; sh -c sudo rm -rf /* &;", or maybe strings which interfere
with SMTP to send spam mail from the site's address.

Such validation has to occur at some point before SMTP commands have been
written into the SMTP socket. If the underlying code that sends an email is safe
against invalid email addresses, then there is not much reason to validate the
address before passing it to the underlying code, but this safety can only be
reached by having the underlying code validate the address.
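The point above, that the sending code itself must refuse an address before it reaches the socket, as an added example (not from the thread or any library discussed): a Python envelope-address check that rejects control characters, whitespace, shell metacharacters and anything that is not a single `local@domain` addr-spec, placed inside the function that builds the `RCPT TO` line so callers cannot bypass it. The regex is deliberately stricter than RFC 5321 (no quoted local parts, no single-label domains); that is an assumption of this example.

```python
import re

# Conservative addr-spec: one unquoted local part, one dotted domain, printable
# ASCII only. Stricter than RFC 5321 on purpose; "john doe"@example.com and
# user@localhost are refused (assumption of this example).
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]{1,64}"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_ADDR_SPEC = re.compile(rf"^{_LOCAL}@{_LABEL}(?:\.{_LABEL})+$")


def validate_envelope_address(addr: str) -> str:
    """Return addr unchanged if it is safe to place in MAIL FROM / RCPT TO.

    Raises ValueError otherwise. Done here, in the sending code, so that a
    missing check in a web form cannot let an injected string reach SMTP.
    """
    if not isinstance(addr, str):
        raise ValueError("address must be a str")
    if len(addr) > 254:
        raise ValueError("address too long")
    # Anything outside 0x21-0x7E could end or extend an SMTP command line
    # (CR, LF), split a command (space), or be meaningful to a shell if the
    # address is ever handed to a sendmail(1)-style subprocess.
    if any(ord(c) < 0x21 or ord(c) > 0x7E for c in addr):
        raise ValueError("control, whitespace or non-ASCII character in address")
    # ';', '<', '>', '(', ')', '"', ',' and ':' are not in the allowed set either.
    if not _ADDR_SPEC.fullmatch(addr):
        raise ValueError("not a single addr-spec")
    return addr


def is_safe_envelope_address(addr: str) -> bool:
    """Boolean form of the check, for callers that only need accept/reject."""
    try:
        validate_envelope_address(addr)
        return True
    except ValueError:
        return False


def rcpt_to_line(addr: str) -> bytes:
    """Build the RCPT TO command; validation is unconditional on this path."""
    return b"RCPT TO:<" + validate_envelope_address(addr).encode("ascii") + b">\r\n"
```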

