Bugtraq mailing list archives

Re: SMTP server account probing


From: jem () LAINET COM (John E. Martin)
Date: Tue, 9 Mar 1999 09:36:04 -0800


In this attack, an SMTP server is probed for common names, presumably
so that spam can then be targeted at them. The attacking machine
connects and issues hundreds of RCPT TO: commands, searching a long
list of common user names (e.g. susan) for ones that don't cause
errors. It then compiles a list of target addresses to spam.

This is a good reason for sendmail users to add the following to their .cf
files:


O PrivacyOptions=goaway


This will prevent VRFY and EXPN commands from functioning at all and
releasing correct addresses.

Unfortunately, the attack -- besides allowing the perpetrator to spam
users -- also brings SMTP servers to their knees. This happens most
often if the server maintains lists of user names in a database where
looking up a name requires substantial disk activity or computational
overhead.

While the 'goaway' option may not prevent the program from continuing to
verify addresses, it will keep your users' addresses from being picked up by
the program.

Perhaps someone with better sendmail experience could come up with an idea
to automatically disconnect connections that are issuing more than 25 VRFY
statements at a time?

Cheers,
John E. Martin
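
One way to approach the per-connection limit asked about in the message above, as an added example that is not part of the original post or of sendmail: a log scan that counts VRFY/EXPN commands and rejected RCPT TO recipients per connection and flags connections that exceed 25. The log format, function names and sample lines are constructed for illustration and are assumptions, not sendmail's own output.

```python
import re
from collections import defaultdict

THRESHOLD = 25  # per-connection limit suggested in the message above
# Constructed log format (an assumption, not sendmail's own):
#   "<conn-id> <client-ip> <SMTP command line> => <reply code>"
LINE_RE = re.compile(r"^(\S+) (\S+) (.*) => (\d{3})$")

def is_probe(command, code):
    """True if this command/reply pair looks like an address-existence check."""
    verb = command.split(None, 1)[0].upper() if command.strip() else ""
    if verb in ("VRFY", "EXPN"):
        return True  # any VRFY/EXPN counts, whatever the reply
    # RCPT TO only counts when the server rejected the recipient (5xx)
    return command.upper().startswith("RCPT TO:") and code.startswith("5")

def find_probing_connections(lines, threshold=THRESHOLD):
    """Return {conn_id: (client_ip, probe_count)} for connections over threshold."""
    counts = defaultdict(int)
    clients = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the constructed format
        conn, ip, command, code = m.groups()
        clients[conn] = ip
        if is_probe(command, code):
            counts[conn] += 1
    return {c: (clients[c], n) for c, n in counts.items() if n > threshold}

def build_sample_log():
    """Constructed sample: one name-guessing connection and one normal sender."""
    log = ["c1 192.0.2.10 MAIL FROM:<a@example.org> => 250"]
    for i in range(40):
        # only one of the guessed placeholder names exists in this sample
        code = "250" if i == 7 else "550"
        log.append("c1 192.0.2.10 RCPT TO:<user%02d@example.com> => %s" % (i, code))
    log += [
        "c2 198.51.100.7 MAIL FROM:<b@example.net> => 250",
        "c2 198.51.100.7 RCPT TO:<typo@example.com> => 550",
        "c2 198.51.100.7 RCPT TO:<user07@example.com> => 250",
        "c2 198.51.100.7 VRFY user07 => 252",
    ]
    return log

if __name__ == "__main__":
    for conn, (ip, n) in find_probing_connections(build_sample_log()).items():
        print("%s from %s: %d address probes, candidate for disconnect" % (conn, ip, n))
```

Counting rejected RCPT TO replies alongside VRFY and EXPN matters here because the probing described in the quoted text uses RCPT TO, which a VRFY-only counter would not see.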


