[snip]
Testing for Open Relay, I realized that the server answers different to
existing users and non-existing users, when trying to deliver mails using
RCPT TO:
Interesting. It wouldn't be hard to make a Perl script (or other) that
logs into the SMTP server, then runs through a list of predefined
users to test and see if they have an account. I would call it
information disclosure for sure.
As for how to fix it, I don't know that you can. It's part of the
protocol to answer to RCPT TO. What version of Sendmail? In the more
recent versions, you can alter the text that is displayed there...
maybe change it all to something like "I'll try that address" for
both.
--
Peace. ~G
On Wed, 12 Jan 2005 20:42:04 +0000, Andres Molinetti
<andymolinetti@hotmail.com> wrote:
I'm currently over a pen-test and I have found that their SMTP Server
(SendMail) does not have VRFY or EXPN methods available, which was the most
probably thing to happen taking into account the server has been through
some hardening before.
Testing for Open Relay, I realized that the server answers different to
existing users and non-existing users, when trying to deliver mails using
RCPT TO:
E.g:
rcpt to: asdfasdf@domain
550 5.1.1 asdfasdf@domain... User unknown
rcpt to: bin@domain
250 2.1.5 bin@domain... Recipient ok
rcpt to: nobody@domain
250 2.1.5 nobody@domain... Recipient ok
rcpt to: oper@domain
550 5.1.1 oper@domain... User unknown
rcpt to: root@domain
250 2.1.5 root@domain... Recipient ok
Is this ok or is it information disclousure? Is there any way to fix it? It
is Sendmail...
Thanks in advance,
Andres Molinetti
CISSP
_________________________________________________________________
Acepta el reto MSN Premium: Protección para tus hijos en internet.
Descárgalo y pruébalo 2 meses gratis.
http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil
