Yahoo! Announces Help For Senders During Account Transition

Recognizing that their plan to reclaim unused usernames and make them available to new users has caused concern about personally identifiable information (PII) leaks among some senders, Yahoo! on July 15 announced in a blog post on their developer website support for a mechanism that will allow senders to take steps to guard against such leaks. With the simple addition of a header to each message, a sender can "ask" Yahoo! to validate whether or not the account to which the message is sent has a new owner. Yahoo! is encouraging "anyone using email to communicate with their users, especially for ecommerce and recovering their accounts, to adopt this measure to ensure the security of their users."

How Does It Work?

The referenced Yahoo! blog post links to an early draft of an RFC that explains all the details, but it's a fairly simple matter for senders. All they need do is insert a precisely formatted header in their mailings, and they can be as confident as possible that their mail is going to the person for whom it's intended at Yahoo!. The header should be on its own line, and the format looks like this:

Require-Recipient-Valid-Since: emailAddress; full timestamp with timezone

For example, if a sender has been mailing to the address [email protected] since 7AM US/EST on February 1, 2012, the header would look like this:

Require-Recipient-Valid-Since: [email protected]; Wed, 1 Feb 2012 07:00 -05:00

If the message arrives at Yahoo! and the account [email protected] has not been reassigned since the date specified, Yahoo! will apply their normal delivery rules to the message; however, if the account has been reassigned, Yahoo! will reject the message.

Handling Rejected Messages

It's not entirely clear at this time what error code Yahoo! will return for messages which contain this header. The draft RFC indicates that the expected return code will be this:

550 5.1.6 followed by some text

which is the correct return code for this situation, as per RFC 3463. At the time of this writing, it's possible that Yahoo! may stick with their normal bounce code for inactive or unknown accounts:

554 5.0.0 followed by some text

as we discussed in this blog post. We believe senders should be prepared for both bounce codes, but will update this as we get more information.

Bottom Line For Senders

While it's still the responsibility of and the best practice for senders to remove bouncing addresses from their lists and to take further steps to ensure that they're only sending mail to engaged users, we applaud Yahoo! for taking this additional step to help senders clean up their mailing lists. We will petition other mailbox providers to consider supporting this new header (although widespread adoption may take some time, given the differences in system architecture that are out there), but at the same time we encourage senders to take seriously bounce codes that indicate that an address is not valid, and to remove it from their lists so as to avoid any potential problems that may occur from sending mail to accounts that don't belong to the right person.

Source: http://blog.returnpath.com/blog/todd-herr/yahoo-announces-help-for-senders-during-account-transition
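
Sender-side handling of the header and of both bounce codes named in the article, added here as an example and not taken from Yahoo! or the draft RFC. The address `user@example.com`, the function names, the decision labels and the sample reply text are assumptions, and the date is written in the RFC 5322 form that Python's `email.utils.format_datetime` produces (offset as `-0500`).

```python
import re
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage
from email.utils import format_datetime

RRVS = "Require-Recipient-Valid-Since"
# Reply code, then an optional enhanced status code (RFC 3463 class.subject.detail).
_REPLY = re.compile(r"^(\d{3})[ -](\d\.\d{1,3}\.\d{1,3})?")


def add_rrvs(msg, recipient, confirmed_at):
    """Set the header to the time the sender last confirmed who owns `recipient`."""
    if confirmed_at.tzinfo is None:
        raise ValueError("confirmed_at needs a timezone; the header carries an offset")
    if any(c in recipient for c in "\r\n;"):
        raise ValueError("recipient contains a header-breaking character")
    del msg[RRVS]  # keep exactly one copy per message; no error if absent
    msg[RRVS] = f"{recipient}; {format_datetime(confirmed_at)}"
    return msg


def classify_rejection(reply):
    """Map the first line of an SMTP reply to a list-hygiene decision."""
    m = _REPLY.match(reply.strip())
    if not m:
        return "unparsed"
    code, enhanced = m.groups()
    if code == "550" and enhanced == "5.1.6":
        return "ownership-changed"      # code named in the draft RFC
    if code == "554" and enhanced == "5.0.0":
        return "invalid-or-reassigned"  # Yahoo!'s usual inactive/unknown bounce
    if code.startswith("4"):
        return "temporary"
    return "other-permanent" if code.startswith("5") else "not-a-rejection"


def must_suppress(decision):
    """Either code means: stop mailing and stop trusting the address for recovery."""
    return decision in {"ownership-changed", "invalid-or-reassigned"}


if __name__ == "__main__":
    est = timezone(timedelta(hours=-5))
    m = add_rrvs(EmailMessage(), "user@example.com", datetime(2012, 2, 1, 7, 0, tzinfo=est))
    print(m[RRVS])
    for line in ("550 5.1.6 constructed sample text", "554 5.0.0 constructed sample text"):
        print(line, "->", classify_rejection(line), must_suppress(classify_rejection(line)))
```
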
Such functionality has been part of the SMTP protocol for a long time already (minus the date stamp) by using the VRFY command. Unfortunately, that command made it really easy to scan for valid usernames on a particular system, so most mail servers don't accept it. This proposed idea could be used the same way, by generating a list of usernames and then attempting to send them to Yahoo including this header. Any of the generated usernames that are valid would then be identified, allowing spammers to "create" their own lists using a simple word generator type of script. Instead of using this roundabout method of "validation", Yahoo should just make a downloadable list available to senders so they can scrub their lists before sending.