Re: [Full-disclosure] Re: User Enumeration Flaw

From: Michael Holstein <michael.holstein@xxxxxxxxxxx>
Date: Tue, 21 Feb 2006 08:26:47 -0500

That's called directory harvesting and it's hardly new. Most MTAs implement tarpitting of some sort, to limit VRFY or RCPT commands from a perticular IP to a certian threshold, before they start slowing them down.

There are also ways to silently drop (or accept with routing to /dev/null) a session for a recipient that isn't in an external database (eg: LDAP) -- and while this breaks the RFC, people do it anyway.

Ever looked at a Hotmail spam message? There will be 50 recipients ..

gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real and get rejected. Those that don't come back get added as "valid" for the second round.

~Mike.

Dave Korn wrote:

Mar.Shatz@xxxxxxxxxxxxxxxx wrote:

whitehouse.gov MX 100 mailhub-wh2.whitehouse.gov
noone@box:~$
noone@box:~$ telnet mailhub-wh2.whitehouse.gov 25
Trying 63.161.169.140...
Connected to mailhub-wh2.whitehouse.gov.
Escape character is '^]'.
220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500
(EST) helo jojo
250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet
you mail from:bob@xxxxxxx
250 2.1.0 bob@xxxxxxxxxx Sender ok
rcpt to:gbush@xxxxxxxxxxxxxx
550 5.1.1 gbush@xxxxxxxxxxxxxxxxx User unknown
rcpt to:president@xxxxxxxxxxxxxx
250 2.1.5 president@xxxxxxxxxxxxxxxxx Recipient ok
quit
221 2.0.0 esgeop03.whitehouse.gov closing connection
Connection closed by foreign host.

User enumeration at the whitehouse

Tell DHS at once! What would happen if Al-Qaeda could figure out that there was a president in the whitehouse?

cheers,
DaveK

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] User Enumeration Flaw
  - From: Mar . Shatz
- [Full-disclosure] Re: User Enumeration Flaw
  - From: Dave Korn

Prev by Date: Re: [Full-disclosure] Quarantine your infected users spreading malware
Next by Date: Re: [Full-disclosure] Compromised hosts lists
Previous by thread: Re: [Full-disclosure] Re: User Enumeration Flaw
Next by thread: [Full-disclosure] new linux malware
Index(es):
- Date
- Thread

Relevant Pages

Re: using telnet to send emails
... rcpt to: smoot@xxxxxxx ... 250 2.1.5 smoot@xxxxxxxxxx Recipient ok ... Connection closed by foreign host. ...
(Ubuntu)
[Full-disclosure] Re: User Enumeration Flaw
... 550 5.1.1 gbush@xxxxxxxxxxxxxxxxx User unknown ... rcpt to:president@xxxxxxxxxxxxxx ... Connection closed by foreign host. ... User enumeration at the whitehouse ...
(Full-Disclosure)
Re: TCPIP V5.4, SMTP & non-existant users
... > clean out the mail files every day or two (and I had to write a ... RCPT TO: antinode.orgsms@antinode.org ... Recipient OK ... Invalid names longer than 12 characters are OK. ...
(comp.os.vms)
Re: Invalid RCPT TO: list
... formatted recipient list, so I think you are confusing two logs. ... You said you saw outbound logs with correct RCPT TO commands; ... I am saying that an MTA may indeed "massage" misformatted inbound ...
(microsoft.public.inetserver.iis.smtp_nntp)
Re: way to check an email without sending it??
... Telnet to the service and start a SMTP transaction, ... Connection closed by foreign host. ... If you don't get a rejection after the "rcpt to:" line, ... Gary Kline kline@xxxxxxxxxxx http://www.thought.org Public Service Unix ...
(freebsd-questions)