Bugtraq mailing list archives

Re: SMTP server account probing


From: nick () ZETA ORG AU (Nick Andrew)
Date: Wed, 10 Mar 1999 10:08:06 +1100


Forwarding a message from Brett Glass:
> Unfortunately, the program was designed to defeat the "goaway" option by
> using RCPT TO: commands instead of VRFY commands. What's needed is
> the ability to kill the connection after more than two or three recipient
> names have generated errors.

Just modify your SMTP daemon to return the appropriate error code for
all RCPT TO requests after #25. They can continue to probe forever but all
probes will return false. It might be a good idea to also put a short
delay into the responses to probes (like 1 second).

If the other end actually tries to send a message after doing all this
probing, route the message to /dev/null (or drop it in a directory for
later examination).

Larger sites may wish to alter the threshold at which defence actions are
initiated.

Nick.
--
Zeta Internet                     SP4   Fax: +61-2-9233-6545 Voice: 9231-9400
G.P.O. Box 3400, Sydney NSW 1043        http://www.zeta.org.au/
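
The per-connection policy suggested in the message above, sketched as an added example (not part of the original post and not code from any SMTP daemon). The class and method names are hypothetical; using reply code 550, applying the delay only once the threshold is passed, and the "quarantine" label for the /dev/null-or-directory option are assumptions.

```python
import time


class RcptProbeGuard:
    """Per-connection state for the RCPT TO probing defence (hypothetical names)."""

    def __init__(self, valid_users, threshold=25, delay=1.0, sleep=time.sleep):
        self.valid_users = {u.lower() for u in valid_users}
        self.threshold = threshold  # RCPT TO commands answered honestly
        self.delay = delay          # seconds added to each reply once tripped
        self.sleep = sleep          # injectable so tests do not really wait
        self.rcpt_count = 0
        self.accepted = []          # recipients accepted before the threshold

    @property
    def tripped(self):
        # True once the client has sent more RCPT TO commands than allowed.
        return self.rcpt_count > self.threshold

    def rcpt_to(self, address):
        """Return the (code, text) reply for one RCPT TO command."""
        self.rcpt_count += 1
        local = address.strip("<>").split("@", 1)[0].lower()
        if self.tripped:
            # Same reply as a genuine miss, so valid and invalid names
            # become indistinguishable to the prober; slow it down too.
            self.sleep(self.delay)
            return 550, "No such user"
        if local in self.valid_users:
            self.accepted.append(address)
            return 250, "OK"
        return 550, "No such user"

    def data_disposition(self):
        """Decide where a message sent on this connection should go."""
        if self.tripped:
            return "quarantine"  # /dev/null or a directory for later review
        return "deliver" if self.accepted else "reject"


if __name__ == "__main__":
    # Constructed session: one real user, then a run of guessed names.
    guard = RcptProbeGuard({"alice", "bob"}, sleep=lambda s: None)
    replies = [guard.rcpt_to("<alice@example.com>")]
    replies += [guard.rcpt_to(f"<guess{i}@example.com>") for i in range(24)]
    replies.append(guard.rcpt_to("<bob@example.com>"))  # 26th: real user, denied
    print(replies[0], replies[-1], guard.data_disposition())
```

The `threshold` argument is the value larger sites would raise.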


