Re: Discovering users by RCPT TO
From: GuidoZ (uberguidoz_at_gmail.com)
Date: 01/13/05
- Previous message: Don Bailey: "Re: Windows based DoS Tools?"
- In reply to: Andres Molinetti: "Discovering users by RCPT TO"
- Next in thread: Martin Fallon: "Re: Discovering users by RCPT TO"
- Reply: Martin Fallon: "Re: Discovering users by RCPT TO"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 12 Jan 2005 18:50:03 -0800 To: Andres Molinetti <andymolinetti@hotmail.com>
[snip]
> Testing for Open Relay, I realized that the server answers different to
> existing users and non-existing users, when trying to deliver mails using
> RCPT TO:
Interesting. It wouldn't be hard to make a Perl script (or other) that
logs into the SMTP server, then runs through a list of predefined
users to test and see if they have an account. I would call it
information disclosure for sure.
As for how to fix it, I don't know that you can. It's part of the
protocol to answer to RCPT TO. What version of Sendmail? In the more
recent versions, you can alter the text that is displayed there...
maybe change it all to something like "I'll try that address" for
both.
-- Peace. ~G On Wed, 12 Jan 2005 20:42:04 +0000, Andres Molinetti <andymolinetti@hotmail.com> wrote: > I'm currently over a pen-test and I have found that their SMTP Server > (SendMail) does not have VRFY or EXPN methods available, which was the most > probably thing to happen taking into account the server has been through > some hardening before. > > Testing for Open Relay, I realized that the server answers different to > existing users and non-existing users, when trying to deliver mails using > RCPT TO: > > E.g: > > rcpt to: asdfasdf@domain > 550 5.1.1 asdfasdf@domain... User unknown > rcpt to: bin@domain > 250 2.1.5 bin@domain... Recipient ok > rcpt to: nobody@domain > 250 2.1.5 nobody@domain... Recipient ok > rcpt to: oper@domain > 550 5.1.1 oper@domain... User unknown > rcpt to: root@domain > 250 2.1.5 root@domain... Recipient ok > > Is this ok or is it information disclousure? Is there any way to fix it? It > is Sendmail... > > Thanks in advance, > > Andres Molinetti > CISSP > > _________________________________________________________________ > Acepta el reto MSN Premium: Protección para tus hijos en internet. > Descárgalo y pruébalo 2 meses gratis. > http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_proteccioninfantil > >
- Previous message: Don Bailey: "Re: Windows based DoS Tools?"
- In reply to: Andres Molinetti: "Discovering users by RCPT TO"
- Next in thread: Martin Fallon: "Re: Discovering users by RCPT TO"
- Reply: Martin Fallon: "Re: Discovering users by RCPT TO"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
