Bugtraq mailing list archives
Re: SMTP server account probing
From: rrpermeh () RCONNECT COM (Ryan Permeh)
Date: Tue, 9 Mar 1999 15:20:44 -0600
This is a good idea, but the problem with this program is that it acts as if it were sending mail to a user, not using the VRFY command, but the RCPT to: command, as any normal mail user agent would.

I have been playing around with an idea that would send false rcpt to errors after a certain number of failures. This would, at the very least, not give the program any more information than the first couple rcpt to:, until a certain number of bad rcpt to:'s happen.

There are other ways of doing this, that are not appropriate for this use, that limit the total number of RCPT to:'s accepted. This can be done (at least in 8.9.3) using the O MaxRecipientsPerMessage directive in the sendmail.cf file.

Ryan Permeh

At 09:36 AM 3/9/99 -0800, you wrote:
In this attack, an SMTP server is probed for common names, presumably so that spam can then be targeted at them. The attacking machine connects and issues hundreds of RCPT TO: commands, searching a long list of common user names (e.g. susan) for ones that don't cause errors. It then compiles a list of target addresses to spam.

This is a good reason for sendmail users to add the following to their .cf files:

O PrivacyOptions=goaway

This will prevent VRFY and EXPN commands from functioning at all and releasing correct addresses.

Unfortunately, the attack -- besides allowing the perpetrator to spam users -- also brings SMTP servers to their knees. This happens most often if the server maintains lists of user names in a database where looking up a name requires substantial disk activity or computational overhead.

While the 'goaway' option may not prevent the program from continuing to verify addresses, it will keep your users' addresses from being picked up by the program. Perhaps someone with better sendmail experience could come up with an idea to automatically disconnect connections that are issuing more than 25 VRFY statements at a time?

Cheers,
John E. Martin
Ryan R Permeh
IS Engineer
Rural Connections / Response Inc.
E-MAIL: rrpermeh () rconnect com, rrpermeh () resinc net
WEB: http://www.rconnect.com http://www.response.net
HELP: help () rconnect com
FAQ: http://www.rconnect.com/help
SALES: sales () rconnect com, sales () resinc net
120 First Street NE, Rochester, MN 55906
PHONE: (507) 281-5005
FAX: (507) 281-9272
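The per-connection idea in the reply above (answer every RCPT TO with the same error once a number of bad recipients has been seen), as an added example that is not part of the original post and is not sendmail code. RcptGate, MAX_BAD_RCPT, the mailbox list and the sample session are hypothetical names and constructed data.

```python
# Added example: per-connection RCPT TO policy sketched in the reply above.
# All names and sample data here are hypothetical / constructed.

VALID_USERS = {"susan", "john", "postmaster"}   # constructed mailbox list
MAX_BAD_RCPT = 3                                # assumed failure threshold

# Constructed session: RCPT TO arguments from one connection, in order.
PROBE = ["<aaron@example.com>", "<susan@example.com>", "<bob@example.com>",
         "<carol@example.com>", "<john@example.com>", "<postmaster@example.com>"]


class RcptGate:
    """Tracks one SMTP connection and decides the reply to each RCPT TO."""

    def __init__(self, valid_users, max_bad=MAX_BAD_RCPT):
        self.valid_users = valid_users
        self.max_bad = max_bad
        self.bad = 0                 # unknown recipients seen on this connection

    def tripped(self):
        return self.bad >= self.max_bad

    def reply(self, address):
        local = address.strip("<>").split("@", 1)[0].lower()
        if self.tripped():
            # Threshold reached: same error for every name, valid or not,
            # so later replies say nothing about which accounts exist.
            return 550, "User unknown"
        if local in self.valid_users:
            return 250, "Recipient ok"
        self.bad += 1
        return 550, "User unknown"


def confirmed_addresses(gate, attempts):
    """Addresses the client saw accepted, i.e. all a prober could learn."""
    return [a for a in attempts if gate.reply(a)[0] == 250]


if __name__ == "__main__":
    gate = RcptGate(VALID_USERS)
    print("accepted during probe:", confirmed_addresses(gate, PROBE))
    print("gate tripped:", gate.tripped())
```

Replying 550 after the threshold also rejects real recipients named later on the same connection, so the threshold has to sit above what a normal sender with a few stale addresses would hit.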