I reply to this message but consider this as an answer to many of the last replies.

You are totally off topic; you are so used to dealing with online fraud that you are finding it even where there isn't any.
I'm just searching for improved checks to help with correct data entry.

Anyway, just to be completely clear:
1) the physical address is where the selling agent (an employee of our customer) goes to get the signed contract, so it is already verified; it also gets verified with the national energy hub database during our flow
2) the phone number is the number that the end user left to be contacted for an appointment, so it's already verified
3) the e-mail address is taken with all other user data from the paper contract (to be specific, it's a contract proposal)
4) people ask for this service and wait for the agent at their home; they give copies of ID documents and personal data, so they don't insert presid...@whitehouse.gov or mailinator addresses; there is a person there who checks (as best he can) that the e-mail address is written correctly, that the domain is not @google.com and that the person takes the address from a trustworthy source (e.g. their device login, or the old energy invoice).
5) the only very rare cases when the e-mail was wrong were due to a typo by the employee

About the fact that we (actually our customer) should not accept a selling agreement... Every energy company that pays money to its dealers in order to get new customers asks them not to contact its new customers. Commercially that's a way to protect their new customers and their investment, but it is also tied to an onboarding flow that must follow specific steps, regulations/laws and an ethics code, and avoid bothering the new customer. I don't have any knowledge of that flow, but I think the digital signing procedure link is one of the first steps and needs to be sent by e-mail. So if the user is not the correct one or the address is not right, it comes to their attention very soon.

So, before saying that we sign bad agreements, that we need to be blocked, that GDPR is not working, etc., consider that there isn't any abuse and we are just asking in order to make the right decision. The recipient verification is clearly not an accepted way so we are not going to do it. In these 2 days we developed a misspelled-domains blocklist, creating a database by mixing various misspelled-domain lists found on the net.
Again it doesn't reach 100% but it helps.

Let me just say that almost everyone agreed with domain and MX checking because it may avoid errors. But a typo may also be in the domain, and the wrong domain may exist and may have an MX too. There is NO difference at all between checking the domain, the MX _or the recipient_; none of these checks gives a 0% error result, but any of them may help to get closer to it.

Recipients cannot be checked because other people/companies used it in the wrong way, and the VRFY command is often disabled.
RCPT TO is not accepted and is blocked by many operators.
Ok, message received!
But remember we are not trying to spam, spoof or defraud anyone.

Thank you all,
Have a nice weekend ;-)





On 27/06/2025 06:36, Jay Hennigan via mailop wrote:
On 6/26/25 10:49, Support 3Hound via mailop wrote:

Our customer is actually testing captainverify.com service (even if we suggested not to trust these kinds of services).
May it (or something similar) be a right/trustable way?

Absolutely not. It might for some degree of accuracy be able to tell if an address exists. It will have zero reliability in determining that said address belongs to the entity providing the address.

Let me quickly reply to the answers I got:
Yes, we are in the EU and yes, I confirm that the "legal" situation is clear; in detail:
Data owner: Big electrical company (nominates both our customer and us as "External Data Processor")
We must follow their instructions present in the agreement: verify the correctness of the data AND NOT contact the end user.

This is impossible. Anyone can put "presid...@whitehouse.gov" or "<anything>@mailinator.com" on a form. Both of those exist and are deliverable, but neither will verify the correctness of the data or associate the email address to an individual.

OK, the first one will, but it's doubtful that the individual will be the one filling out your form.

Contacting a mail provider in order to verify the correctness of the data is in the purpose of the agreement and of the data treatment so it's not a violation.

Most mail providers won't be interested in assisting you in this. In fact, most will be vehemently against it.

Contacting the end-user is a violation of both the agreement and privacy.

Then you need to revise your agreement to allow a single verification email to actually be delivered, because your agreement as written simply can't be done.

I never said we want to check in any "hidden/anonymous" way, I don't know why someone figured it out

Then do it in an open, public way. If you want to confirm their email address, send them an email. That's how it's done.

It should be a manual process: during the day contracts come to the office and an employee manually inserts data; she should click a specific button in order to check, no batch process.

Even if VRFY or some other method worked, the only thing you've accomplished is to show that the address put on the form exists. You have absolutely zero assurance that the address is in any way related to the person filling out the form.

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
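
Added example, not part of the original messages: a sketch of the data-entry check discussed in the reply above, combining a misspelled-domain blocklist lookup with a one-edit near-miss test against well-known provider domains (the near-miss test goes beyond the blocklist the post describes). The domain lists, verdict strings and function names are constructed for illustration; the check runs offline and contacts no mail server.

```python
# Added illustration: lists and names below are constructed, not from the thread.
from __future__ import annotations

KNOWN_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "libero.it"}
# Constructed sample of a misspelled-domain blocklist (typo -> intended domain).
TYPO_BLOCKLIST = {"gmial.com": "gmail.com", "hotmial.com": "hotmail.com"}


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    rows, cols = len(a) + 1, len(b) + 1
    d = [[0] * cols for _ in range(rows)]
    for i in range(rows):
        d[i][0] = i
    for j in range(cols):
        d[0][j] = j
    for i in range(1, rows):
        for j in range(1, cols):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]


def check_domain(address: str) -> tuple[str, str | None]:
    """Return (verdict, suggested domain) for the operator entering the data."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    if not sep or not local or "." not in domain:
        return ("invalid", None)
    if domain in KNOWN_DOMAINS:
        return ("ok", None)
    if domain in TYPO_BLOCKLIST:
        return ("blocked-typo", TYPO_BLOCKLIST[domain])
    # Not on the blocklist: flag domains one edit away from a known provider.
    near = sorted(k for k in KNOWN_DOMAINS if osa_distance(domain, k) == 1)
    if near:
        return ("suspect-typo", near[0])
    # Unlisted domain: may be fine or may be a typo that happens to exist.
    return ("unknown", None)
```

A "suspect-typo" verdict is a prompt for the operator to re-read the paper form, not proof of an error; an "ok" or "unknown" verdict says nothing about whether the mailbox exists or belongs to the customer.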
