Bugtraq mailing list archives

Re: SMTP server account probing


From: frankm () BEND OR US (Frank Miller)
Date: Tue, 9 Mar 1999 08:57:32 -0800


The following is from the company (earthonline.com) that wrote the
commercial software that performed the dictionary attack against MTAs.
I do have copies of the software and can generate a list of 'hard
coded' ISPs that were probed, if desired.

Dear ISP and Fellow Internet User,

      GeoList Professional has been removed from the
      Earthonline Product Line.

      If used as it was intended, this product would
      have created email address lists that would
      have proven highly targeted to a specific state
      or region.

      Although GeoList is only one of many different
      programs that verify state related email
      addresses on the market, we find it appropriate
      for the good of the Internet Community, that we
      pull this product from our shelves.

      GeoList was designed for the individual or
      business looking for a target market in
      specific states or regions. Initially this
      program was developed for an online political
      campaign. The candidate's campaign staff
      requested the ability to target their specific
      region. GeoList, utilized in this market,
      proved effective; for this reason Earthonline
      released it as a targeted lead generation
      product.

      The subsequent misuse of GeoList Professional
      by certain companies and individuals has
      reportedly made it difficult on the ISPs. As
      GeoList validates a list of user names and
      matches them with email addresses in the given
      state, it was our intent to target email
      addresses for any given "region specific"
      campaign.

      It is undetermined how end-users were using
      this product. However, we have had reports of
      customers using this product as a non-targeted
      spam list collection tool. Earthonline stands
      behind targeted email notification and
      solicitation of targeted lead lists. However,
      we do not condone or promote spam as a way to
      market products or services. Our products are
      intended as a cost effective way for companies
      and organizations to email their customers, and
      clients, with new product offerings, updates,
      and/or informative news.

      GeoList Professional has reportedly been used
      "not as intended" - and although we could limit
      the sales of the product to certain individuals
      and companies, we choose not to censor those
      customers of our products. However, with
      reports of how the GeoList product is being
      used, it is our decision to make GeoList a
      discontinued product as of March 08, 1999.

      As the technology within GeoList is not
      proprietary to Earthonline, the discontinuation
      of this product will not be the discontinuation
      of other products in the marketplace that
      promote similar functionality.

      If you should have direct questions, or
      comments regarding this notice, email to:


      info () earthonline com


      - Earthonline Administration

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () netspace org]On Behalf Of Brett Glass
Sent: Monday, March 08, 1999 11:13 AM
To: BUGTRAQ () netspace org
Subject: SMTP server account probing


Several ISPs throughout the Net are reporting an attack described at

http://www.l8r.com/nwa/nwa1.htm

In this attack, an SMTP server is probed for common names, presumably
so that spam can then be targeted at them. The attacking machine
connects and issues hundreds of RCPT TO: commands, searching a long
list of common user names (e.g. susan) for ones that don't cause
errors. It then compiles a list of target addresses to spam.

Unfortunately, the attack -- besides allowing the perpetrator to spam
users -- also brings SMTP servers to their knees. This happens most
often if the server maintains lists of user names in a database where
looking up a name requires substantial disk activity or computational
overhead.

Some people whose domain names have been hard-coded into a commercial
program designed to implement this attack have responded with outrage,
e.g.

http://www.junk.org/earthonline/

I'm surprised that I haven't seen this one on the Bugtraq list yet.

--Brett Glass
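As an added example (not code from the original post or from any product mentioned in the thread), the following detector reads the kind of rejection record an MTA writes when a probe like the one Brett describes hits it, and flags clients that try many distinct non-existent recipients in a short window. The Postfix-style log layout, the hostnames, the addresses and the thresholds are all assumptions made for this example; the sample log lines are constructed.

```python
"""Flag SMTP clients that probe RCPT TO for valid mailboxes.

Added example, not from the original post. Works on constructed,
Postfix-style "User unknown" rejection lines; the layout, hosts,
addresses and thresholds are assumptions made for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: syslog-style line with a Postfix smtpd rejection. Only the
# 550 "User unknown" rejections matter; accepted RCPTs produce no such line.
REJECT_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: "
    r"550 \S+ <(?P<rcpt>[^>]*)>: Recipient address rejected: User unknown"
)
LOG_YEAR = 1999  # syslog timestamps carry no year; the example pins one


def parse_rejections(log_text):
    """Return {client_ip: [(timestamp, recipient), ...]} for User-unknown rejects."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue  # connects, deliveries and other lines are ignored
        ts = datetime.strptime(
            f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        by_ip[m["ip"]].append((ts, m["rcpt"].lower()))
    return by_ip


def max_burst(timestamps, window):
    """Largest number of events inside any interval of length `window`."""
    times = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_probers(log_text, threshold=5, window_seconds=60):
    """Clients that hit `threshold` distinct unknown recipients within one window.

    Each recipient counts once (first time seen), so a legitimate sender
    retrying one mistyped address never reaches the threshold. Returns a
    sorted list of (ip, rejections, distinct_recipients, largest_burst).
    """
    window = timedelta(seconds=window_seconds)
    flagged = []
    for ip, events in parse_rejections(log_text).items():
        first_seen = {}
        for ts, rcpt in sorted(events):
            first_seen.setdefault(rcpt, ts)
        burst = max_burst(first_seen.values(), window)
        if burst >= threshold:
            flagged.append((ip, len(events), len(first_seen), burst))
    return sorted(flagged)


def _reject_line(ts, ip, rcpt):
    """Build one constructed rejection line in the layout REJECT_RE expects."""
    return (f"{ts:%b} {ts.day:>2} {ts:%H:%M:%S} mx1 postfix/smtpd[4242]: NOQUEUE: "
            f"reject: RCPT from unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address "
            f"rejected: User unknown; from=<list@example.net> to=<{rcpt}> "
            f"proto=ESMTP helo=<client>")


# Constructed sample log: one fast prober, one legitimate typo, one slow prober.
_T0 = datetime(LOG_YEAR, 3, 8, 11, 13, 0)
_NAMES = ["susan", "john", "mary", "bob", "dave", "linda", "mike", "karen"]
SAMPLE_LOG = "\n".join(
    # 192.0.2.10 tries eight different names inside thirty seconds
    [_reject_line(_T0 + timedelta(seconds=4 * i), "192.0.2.10", f"{n}@example.org")
     for i, n in enumerate(_NAMES)]
    # 198.51.100.7 retries a single mistyped address twice
    + [_reject_line(_T0 + timedelta(minutes=m), "198.51.100.7", "jonh@example.org")
       for m in (2, 3)]
    # 203.0.113.5 spreads six names over two and a half hours
    + [_reject_line(_T0 + timedelta(minutes=30 * i), "203.0.113.5", f"{n}@example.org")
       for i, n in enumerate(_NAMES[:6])]
    # an unrelated line the parser must skip
    + [f"{_T0:%b} {_T0.day:>2} {_T0:%H:%M:%S} mx1 postfix/smtpd[4242]: "
       f"connect from unknown[192.0.2.10]"]
)

if __name__ == "__main__":
    for ip, rejects, distinct, burst in find_probers(SAMPLE_LOG):
        print(f"{ip}: {rejects} rejects, {distinct} names, {burst} within 60s")
    # A wider window also catches the slow prober, at the cost of more review.
    print(find_probers(SAMPLE_LOG, window_seconds=3 * 3600))
```

With the default one-minute window only the fast client is reported; widening the window to three hours also surfaces the client that spaces its guesses thirty minutes apart, which is the usual trade-off between catching slow probes and reviewing more alerts. Because the load problem Brett mentions comes from the per-recipient lookup, the same per-client count is also the natural trigger for refusing further RCPT TO commands in that session rather than only logging them.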
