Re: Discovering users by RCPT TO

[GuidoZ <uberguidoz () gmail com>]

[snip]
> Testing for Open Relay, I realized that the server answers different to
> existing users and non-existing users, when trying to deliver mails using
> RCPT TO:

Interesting. It wouldn't be hard to make a Perl script (or other) that
logs into the SMTP server, then runs through a list of predefined
users to test and see if they have an account. I would call it
information disclosure for sure.

As for how to fix it, I don't know that you can. It's part of the
protocol to answer to RCPT TO. What version of Sendmail? In the more
recent versions, you can alter the text that is displayed there...
maybe change it all to something like "I'll try that address" for
both.

--
Peace. ~G


On Wed, 12 Jan 2005 20:42:04 +0000, Andres Molinetti
<andymolinetti () hotmail com> wrote:
> I'm currently over a pen-test and I have found that their SMTP Server
> (SendMail) does not have VRFY or EXPN methods available, which was the most
> probably thing to happen taking into account the server has been through
> some hardening before.
>
> Testing for Open Relay, I realized that the server answers different to
> existing users and non-existing users, when trying to deliver mails using
> RCPT TO:
>
> E.g:
>
> rcpt to: asdfasdf@domain
> 550 5.1.1 asdfasdf@domain... User unknown
> rcpt to: bin@domain
> 250 2.1.5 bin@domain... Recipient ok
> rcpt to: nobody@domain
> 250 2.1.5 nobody@domain... Recipient ok
> rcpt to: oper@domain
> 550 5.1.1 oper@domain... User unknown
> rcpt to: root@domain
> 250 2.1.5 root@domain... Recipient ok
>
> Is this ok or is it information disclousure? Is there any way to fix it? It
> is Sendmail...
>
> Thanks in advance,
>
> Andres Molinetti
> CISSP
>
> _________________________________________________________________
> Acepta el reto MSN Premium: Protección para tus hijos en internet.
> Descárgalo y pruébalo 2 meses gratis.
> http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil