Security Basics mailing list archives
Re: ESMTP service
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 27 Dec 2007 12:55:01 +0100
On 2007-12-25 Sun Z wrote:
One security issue would be that the SMTP service has commands to ennumerate users of the machine
Wrong. SMTP provides commands to verify (not enumerate) a given address, or to expand a given mailing list address to its members. In any case you are dealing with mailboxes, not users. Mailboxes don't necessarily represent user accounts on that machine. The VRFY command can be turned off on most SMTP servers, too.
which can be used in brute force attempts, FTP and SSH for example.
FTP should've died a long time ago, and there are better ways to secure SSH from brute force attacks than hiding login names. Public key authentication comes to mind. Besides, users' login names can usually be guessed most easily anyway, so they shouldn't be considered a secret in the first place. Regards Ansgar Wiechers -- "All vulnerabilities deserve a public fear period prior to patches becoming available." --Jason Coombs on Bugtraq
Current thread:
- ESMTP service sisram2 (Dec 24)
- Re: ESMTP service Ansgar -59cobalt- Wiechers (Dec 26)
- Re: ESMTP service Sun Z (Dec 26)
- Re: ESMTP service Ansgar -59cobalt- Wiechers (Dec 27)