Hacker News new | ask | show | jobs
by jsjohnst 3331 days ago
Wouldn't a similarly effective method be to script SMTP and see which ones get rejected as envelope to addresses?
2 comments
smnscu 3331 days ago
Sure, but I imagine there is some form of rate limiting on that, whereas the point of the article is that they found an endpoint without rate limits.
link
jsjohnst 3329 days ago
There might be a rate limit, but it's definitely possible to use this method and get higher than the ~40k a day that the author attained.
link
arpa 3331 days ago
No, google SMTP accepts the RCPT TO with 250 "I'll try my best" regardless of the existence of the email.
link
tyingq 3331 days ago
Nope, it doesn't do that.

  >RCPT TO: <someaccountthatdoesnotexist@gmail.com>
  550-5.1.1 The email account that you tried to reach does not exist. Please try
  550-5.1.1 double-checking the recipient's email address for typos or
  550-5.1.1 unnecessary spaces. Learn more at
  550 5.1.1  https://support.google.com/mail/?p=NoSuchUser j63si2824869ybj.160 - gsmtp
  >RCPT TO: RCPT TO: <john.baker@gmail.com>
  250 2.1.5 OK j63si2824869ybj.160 - gsmtp
link
arpa 3331 days ago
Ah! You're right, my bad, I was thinking about VRFY command!
link