Penetration Testing mailing list archives
Re: Discovering users by RCPT TO
From: "Jay D. Dyson" <jdyson () treachery net>
Date: Thu, 13 Jan 2005 15:31:57 -0800 (PST)
On Thu, 13 Jan 2005, Chris Buechler wrote:
> > Is this ok or is it information disclosure? Is there any way to fix
> > it? It is Sendmail...
>
> That's a common practice. Though not necessarily a good idea.
All very true. And it should be noted that some MTAs (such as Qmail) give no indication on whether a RCPT TO is valid at all. This is considered preferable by most folks, since it doesn't give away any information on existing users, though some of the older anti-relay scripts will erroneously interpret such MTA behavior as being indicative of an open relay.
But to the point, there are ways of mitigating such harvesting of information. You may find the following article on RCPT TO throttling with Berkeley Sendmail of particular interest.
http://www.samag.com/documents/s=8920/sam0311k/0311k.htm
> Yes, it solves that problem, but also allows spammers to brute force a list of valid email addresses.
>
> <snip>
>
> I'd recommend disabling it unless you get flooded by such spam attacks.
In my experience, spammers have ceased even operating under the pretense that they care if a message will bounce. In the past six months alone, I've seen over 15,000 internal bounces due to spammers engaged in address carpet-bombing. I've seen everything from "aaaaaaaa@domain" to "zxzxzxzxzx@domain". Not one canonical stone left unturned.
Anyway, check out the RCPT TO throttling as that may be of some use. But don't sweat the information disclosure too much if there's nothing seriously sensitive on the system. These days, it's easy enough generating a list of e-mail addresses just by surveying personal web pages and converting domain.tld/~user to user () domain tld.
-Jay

"There's always time for a good cup of coffee"
Jay D. Dyson -- jdyson () treachery net
I am NOT lost! I'm...exploring.
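Added example, not part of the original message or of any Sendmail code: a Python check that does the counting an RCPT TO throttle relies on, run over constructed log lines that only approximate Sendmail's check_rcpt rejection format (the client addresses, queue ids and recipients are invented). It flags any client that collects more than a handful of "User unknown" rejections inside a short window, which is the signature of the address carpet-bombing described above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines approximating Sendmail's check_rcpt rejection
# entries (not taken from the thread). 192.0.2.10 walks alphabetically
# generated addresses; 198.51.100.7 gets one ordinary typo rejection.
SAMPLE_LOG = """\
Jan 13 15:31:01 mx sendmail[4101]: j0DNV1a04101: ruleset=check_rcpt, arg1=<aaaaaaaa@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaaa@example.com>... User unknown
Jan 13 15:31:02 mx sendmail[4101]: j0DNV2b04101: ruleset=check_rcpt, arg1=<aaaaaaab@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaab@example.com>... User unknown
Jan 13 15:31:03 mx sendmail[4102]: j0DNV3c04102: to=<ops@example.com>, delay=00:00:01, relay=local, stat=Sent
Jan 13 15:31:04 mx sendmail[4101]: j0DNV4d04101: ruleset=check_rcpt, arg1=<aaaaaaac@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaac@example.com>... User unknown
Jan 13 15:31:05 mx sendmail[4103]: j0DNV5e04103: ruleset=check_rcpt, arg1=<jon.smth@example.com>, relay=mail.partner.example [198.51.100.7], reject=550 5.1.1 <jon.smth@example.com>... User unknown
Jan 13 15:31:06 mx sendmail[4101]: j0DNV6f04101: ruleset=check_rcpt, arg1=<aaaaaaad@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaad@example.com>... User unknown
Jan 13 15:31:07 mx sendmail[4101]: j0DNV7g04101: ruleset=check_rcpt, arg1=<aaaaaaae@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaae@example.com>... User unknown
Jan 13 15:31:09 mx sendmail[4101]: j0DNV8h04101: ruleset=check_rcpt, arg1=<aaaaaaaf@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaaf@example.com>... User unknown
"""

# Pull timestamp, rejected recipient and client address out of a
# "User unknown" rejection; any other line (deliveries etc.) is ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]*)>, "
    r"relay=(?:[^\[,]*\[)?(?P<relay>[^\],]+)\]?, reject=550 .*User unknown$"
)

def find_rcpt_harvesters(log_text, max_rejects=5, window_secs=60):
    """Return {client: total_rejections} for each client that collects more
    than max_rejects unknown-user rejections within any window_secs span,
    i.e. the condition under which a RCPT TO throttle would start slowing
    or refusing that client."""
    rejects = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            rejects[m.group("relay")].append(ts)
    flagged = {}
    for client, stamps in rejects.items():
        stamps.sort()
        start = 0  # left edge of a sliding window over sorted timestamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 > max_rejects:
                flagged[client] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for client, n in find_rcpt_harvesters(SAMPLE_LOG).items():
        print(f"{client}: {n} unknown-user rejections, throttle candidate")
```

The thresholds are deliberately conservative: a single mistyped address from a legitimate relay never trips the check, while a client walking the namespace does within seconds.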
Current thread:
- Discovering users by RCPT TO Andres Molinetti (Jan 12)
- Re: Discovering users by RCPT TO GuidoZ (Jan 13)
- Re: Discovering users by RCPT TO Martin Fallon (Jan 13)
- Re: Discovering users by RCPT TO Kiril Todorov (Jan 13)
- Re: Discovering users by RCPT TO Chris Buechler (Jan 13)
- Re: Discovering users by RCPT TO Jay D. Dyson (Jan 14)
- Re: Discovering users by RCPT TO Vince Hoang (Jan 14)
- Re: Discovering users by RCPT TO dmz (Jan 14)
- Re: Discovering users by RCPT TO Matan Peled (Jan 15)
- Re: Discovering users by RCPT TO Faisal Khan (Jan 15)
- Re: Discovering users by RCPT TO Chris Buechler (Jan 13)
- Re: Discovering users by RCPT TO GuidoZ (Jan 13)
- <Possible follow-ups>
- RE: Discovering users by RCPT TO Bassett, Mark (Jan 15)
- Re: Discovering users by RCPT TO Baltasar Cevc (Jan 17)
- Re: Discovering users by RCPT TO Tobias Glemser (Jan 20)
- Re: Discovering users by RCPT TO Baltasar Cevc (Jan 17)
- Re: Discovering users by RCPT TO Marco Ivaldi (Jan 22)