Network Security Pen-Test

Re: Discovering users by RCPT TO

Subject: Re: Discovering users by RCPT TO
Date: Thu, 13 Jan 2005 15:31:57 -0800 (PST)

On Thu, 13 Jan 2005, Chris Buechler wrote:

> > Is this ok or is it information disclosure? Is there any way to fix
> > it? It is Sendmail...
>
> That's a common practice.


Though not necessarily a good idea.

All very true. And it should be noted that some MTAs (such as Qmail) give no indication on whether an RCPT TO is valid at all. This is considered preferable by most folks, since it doesn't give away any information on existing users, though some of the older anti-relay scripts will erroneously interpret such MTA behavior as being indicative of an open relay.


But to the point, there are ways of mitigating such harvesting of information. You may find the following article on RCPT TO throttling with Berkeley Sendmail of particular interest.

        http://www.samag.com/documents/s=8920/sam0311k/0311k.htm

Yes, it solves that problem, but also allows spammers to brute force a list of valid email addresses.
<snip>
I'd recommend disabling it unless you get flooded by such spam attacks.

In my experience, spammers have ceased even operating under the pretense that they care if a message will bounce. In the past six months alone, I've seen over 15,000 internal bounces due to spammers engaged in address carpet-bombing. I've seen everything from "aaaaaaaa@domain" to "zxzxzxzxzx@domain". Not one canonical stone left unturned.


Anyway, check out the RCPT TO throttling as that may be of some use. But don't sweat the information disclosure too much if there's nothing seriously sensitive on the system. These days, it's easy enough generating a list of e-mail addresses just by surveying personal web pages and converting domain.tld/~user to user@domain.tld.

- -Jay

   (    (                                                        _______
   ))   ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) |    = |-'
  `--' `--'  `------- I am NOT lost!  I'm...exploring. -------'  `------'


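The three RCPT TO behaviours discussed in the thread (a 550 that reveals which users exist, a Qmail-style uniform answer, and per-session throttling) as an added Python example, written for this page and not taken from the thread, Sendmail or the linked article. The user directory, the session limits and the log format are constructed assumptions, not any MTA's defaults.

```python
# Added illustration: SMTP RCPT TO policy for one session, plus a log-based
# detector for address harvesting. All values below are constructed examples.
from collections import defaultdict

VALID_USERS = {"alice", "bob", "postmaster"}  # constructed sample directory
BAD_RCPT_LIMIT = 5   # assumed: unknown recipients tolerated per session
MAX_RCPTS = 20       # assumed: hard cap on RCPT TO commands per session


class RcptPolicy:
    """Decide the reply to each RCPT TO within a single SMTP session.

    disclose=True  -> classic behaviour: 550 for unknown users, so the reply
                      itself tells a client which local parts exist.
    disclose=False -> Qmail-style: every recipient gets 250, so the reply
                      carries no information about the directory.
    Both modes throttle the session once it looks like harvesting.
    """

    def __init__(self, disclose: bool):
        self.disclose = disclose
        self.rcpts = 0   # RCPT TO commands seen in this session
        self.bad = 0     # of those, how many named an unknown user

    def rcpt_to(self, local_part: str) -> str:
        self.rcpts += 1
        known = local_part in VALID_USERS
        if not known:
            self.bad += 1
        # Throttle on volume or on a run of unknown recipients; the 421 is
        # the same in both modes, so it reveals nothing about a single address.
        if self.rcpts > MAX_RCPTS or self.bad > BAD_RCPT_LIMIT:
            return "421 4.7.0 Too many recipients, closing connection"
        if self.disclose and not known:
            return "550 5.1.1 User unknown"
        return "250 2.1.5 Recipient ok"


def detect_harvest(log_lines, threshold=10):
    """Return source IPs with more than `threshold` distinct rejected recipients.

    Expects constructed log lines of the form
    'relay=<ip> rcpt=<localpart> status=<smtp code>', one per RCPT TO.
    """
    rejected = defaultdict(set)
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        if fields.get("status") == "550":
            rejected[fields["relay"]].add(fields["rcpt"])
    return sorted(ip for ip, users in rejected.items() if len(users) > threshold)
```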