7

Is it possible to determine the creation date of the mail account for the address supplied within the authentication process flow; Or at least determine that the mail account was/was not created the same day as signup (or specifically after confirmation)?

A use case is to flag such accounts for closer scrutiny as part of a risk management system.

What general considerations do you think come into play in approaching this problem?

I imagine that solutions might be specific to different email providers but if I could determine this information for the major ones it's a good place to be.

Would love specific answers in any language or pseudocode assuming this is solvable within ethical principles.

Disclaimer: I have asked this question on Stack Overflow. Some nice person said that email providers would not allow it for privacy reasons. Completely acceptable, but IMHO I think that the age of an email account has little to do with personal privacy. Also there are too many smart people using the stack* forums for me to just lie down and die.

5gon12eder
  • 6,956
  • 2
  • 23
  • 29
Nonso
  • 109
  • 1
  • 1
  • 3
  • 3
    some domains don't have a concept of accounts, mailinator.com has boxes where you can dump email, there just aren't any accounts per se – ratchet freak Mar 21 '14 at 09:31
  • 2
    I'm rather suprised this gets so many downvotes. While the question does show some lack of basic knowledge, it is a valid question IMHO. – sleske Oct 13 '14 at 08:04
  • I think it is a *perfectly* valid question. SMTP does not offer a solution for this problem. This is the most simple valid answer to the question. But apart from that, it would be totally reasonable that a commercial provider of e-mail accounts would offer a web service to query whether an address was registered “today” and it would be equally reasonable to use such per-provider services in an application. Out of privacy concerns, I'm very happy that this does not happen, though. – 5gon12eder Sep 30 '15 at 23:51
  • @5gon12eder such a service would almost certainly be a violation of data protection laws in all EU countries, therefore it is highly unlikely any major player would ever consider implementing such an API. – Jules May 06 '16 at 14:07
  • 2
    @Jules This might be true, at least, I'd wish it would be. But the main point of my comment was that the question is sensible and on-topic. If the answer is “No, it cannot be done because SMTP does not provide a mechanism for it and information privacy legislation in most western countries prohibits offering such a service anyway.”, then that makes a perfectly valid answer for a perfectly valid question. Questions are not bad because the answer is “It cannot / must not be done”. – 5gon12eder May 06 '16 at 14:20

4 Answers4

10

In general, no. SMTP is a protocol with a fixed set of information that can be exchanged, and "How long has this address been active?" is not among that information. (In fact, due to the continuing battle between mail infrastructure providers and spammers, it is getting progressively harder to get reliable answers to the much simpler question "Is this address deliverable?", even though this one is supposed to be answerable.)

That doesn't mean you couldn't find the answer in many cases depending on the details of the entity who is actually providing the ail service. Obviously, if you have control over it yourself, you can query the creation date easily. For public providers, there may be traces of the time when the domain an email uses was registered; many common internet stacks incidentally disclose more information than they are supposed to, and it may be possible to deduce something from that. What probably doesn't exist is a general way that works for all email addresses.

Kilian Foth
  • 107,706
  • 45
  • 295
  • 310
6

There is NO reliable way at all to do what you want.

Why not? Because ultimately you would be relying on information provided to you by 3rd parties. So if a user provides an email adress, you are going to contact the mailhost of said email adress. How can you know that the user is not the server admin of the email server and provides you false information?

You can't.

Pieter B
  • 12,867
  • 1
  • 40
  • 65
  • +1 Such a system would be totally unworkable and unreliable. Note that even if it did work for some service provides, users who wanted to provide a new account to you would simply migrate to the providers that didn't offer a working service. Your "risk management" strategy would therefore only catch people who weren't actively trying to subvert your process. Like DRM, it would be a pain for people with legitimate non-mainstream uses but be no barrier at all for anyone actively interested in avoiding your restrictions. – Jules May 06 '16 at 14:15
1

To 100% be sure when an account was created? No, it can't reliably be done. However, I do use a verification service for ecommerce that incorporates this. They use Rapleaf as the provided, who seem to have the largest network for this type of data. They can only tell you when a user in their network first queried that email, but I'd say they're able to find results about 70% of the time. Combined with other factors about the transaction we find that it makes for an excellent anti-fraud measure. Payment is per query, not subscription based.

SagaciousCetacean
  • 19
  • 1
  • 1
    Presumably this means you would deny service to me because I use a system to generate a new address for each new company I give my details to, so that I can track which ones cause spam messages / have data leaks and cease dealing with them in future? – Jules May 06 '16 at 14:19
  • 1
    We use multiple variables to create an overall risk profile, not just one datapoint. That's very simplistic. If you have a new email in combination with many other risk factors, we might deny you or ask for verification. We also have transaction insurance from our information service, so we generally run that for approval before taking adverse action. – SagaciousCetacean Nov 08 '16 at 05:35
1

You could query WHOIS for the creation date of the domain name. If it was registered today, then the e-mail address must also have been created today.

snips-n-snails
  • 151
  • 5