Discovering users by RCPT TO

From: Andres Molinetti (andymolinetti_at_hotmail.com)
Date: 01/12/05

  • Next message: Slider Slider: "Creating a Custom Trojan after Social Engineering"
    To: pen-test@securityfocus.com
    Date: Wed, 12 Jan 2005 20:42:04 +0000
    
    

    I'm currently over a pen-test and I have found that their SMTP Server
    (SendMail) does not have VRFY or EXPN methods available, which was the most
    probably thing to happen taking into account the server has been through
    some hardening before.

    Testing for Open Relay, I realized that the server answers different to
    existing users and non-existing users, when trying to deliver mails using
    RCPT TO:

    E.g:

    rcpt to: asdfasdf@domain
    550 5.1.1 asdfasdf@domain... User unknown
    rcpt to: bin@domain
    250 2.1.5 bin@domain... Recipient ok
    rcpt to: nobody@domain
    250 2.1.5 nobody@domain... Recipient ok
    rcpt to: oper@domain
    550 5.1.1 oper@domain... User unknown
    rcpt to: root@domain
    250 2.1.5 root@domain... Recipient ok

    Is this ok or is it information disclousure? Is there any way to fix it? It
    is Sendmail...

    Thanks in advance,

    Andres Molinetti
    CISSP

    _________________________________________________________________
    Acepta el reto MSN Premium: Protección para tus hijos en internet.
    Descárgalo y pruébalo 2 meses gratis.
    http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil


  • Next message: Slider Slider: "Creating a Custom Trojan after Social Engineering"