Last year we covered about Yahoo releasing inactive Yahoo IDs and making them available for new users. Microsoft, too, has been recycling inactive Outlook.com email accounts. However the act of releasing inactive IDs has raised concerns of intruders using deleted accounts as an easy corridor to enter third party accounts like Facebook that are connected to various email services.
Often email accounts are used for confirming user name or password change requests and hence could lead to a compromise in personal information and loss of data. Also with the same email address being now allotted to the same user, information intended for its previous owner may still continue to be received at the same address.
In a welcomed move, teams from Facebook and Yahoo have developed a new method to handle recycled email addresses securely. This new method called as RRVS (Require-Recipient-Valid-Since), inserts a header within an email message that include the date since the sender has known the recipient’s address. Thus an email service provider like Yahoo can then investigate if the receiving account has changed owners since the date specified in the header, and in case there is a change in the ownership, Yahoo can just drop the message, preventing delivery of sensitive messages to the wrong hands.
RRVS (Require-Recipient-Valid-Since) is defined as a part of an extension to the Simple Mail Transfer Protocol (SMTP) to provide a method for senders to indicate to receivers a point in time when the ownership of the target mailbox was known to the sender. This can be used to detect changes of mailbox ownership and thus prevent mail from being delivered to the wrong party, says Facebook.
The defined header here is called as “Require-Recipient-Valid-Since” that can be used to tunnel the request through servers that do not support the extension.
