Discovering users by RCPT TO
From: Andres Molinetti (andymolinetti_at_hotmail.com)
To: firstname.lastname@example.org Date: Wed, 12 Jan 2005 20:42:04 +0000
I'm currently over a pen-test and I have found that their SMTP Server
(SendMail) does not have VRFY or EXPN methods available, which was the most
probably thing to happen taking into account the server has been through
some hardening before.
Testing for Open Relay, I realized that the server answers different to
existing users and non-existing users, when trying to deliver mails using
rcpt to: asdfasdf@domain
550 5.1.1 asdfasdf@domain... User unknown
rcpt to: bin@domain
250 2.1.5 bin@domain... Recipient ok
rcpt to: nobody@domain
250 2.1.5 nobody@domain... Recipient ok
rcpt to: oper@domain
550 5.1.1 oper@domain... User unknown
rcpt to: root@domain
250 2.1.5 root@domain... Recipient ok
Is this ok or is it information disclousure? Is there any way to fix it? It
Thanks in advance,
Acepta el reto MSN Premium: Protección para tus hijos en internet.
Descárgalo y pruébalo 2 meses gratis.