Re: Discovering users by RCPT TO

From: Chris Buechler (cbuechler_at_gmail.com)
Date: 01/13/05

    Date: Thu, 13 Jan 2005 14:20:12 -0500
    To: pen-test@securityfocus.com
    
    

    On Thu, 13 Jan 2005 14:04:57 +0200, Kiril Todorov
    <voland@shadowblade.net> wrote:
    <snip>
    > >
    > > rcpt to: asdfasdf@domain
    > > 550 5.1.1 asdfasdf@domain... User unknown
    > > rcpt to: bin@domain
    > > 250 2.1.5 bin@domain... Recipient ok
    > > rcpt to: nobody@domain
    > > 250 2.1.5 nobody@domain... Recipient ok
    > > rcpt to: oper@domain
    > > 550 5.1.1 oper@domain... User unknown
    > > rcpt to: root@domain
    > > 250 2.1.5 root@domain... Recipient ok
    > >
    > > Is this ok or is it information disclosure? Is there any way to fix it?
    > > It is Sendmail...
    > >
    >
    > That's a common practice.

    Though not necessarily a good idea.

    > The main reason is the tons of Windows zombie machines, used for
    > spamming at random names @ domain name.
    > All mails are sent from fake addresses, so after 2-3 waves of such
    > spamming the mail server's queue gets approximately 30-40K mails.
    > The server is busy sending out bounces to nonexistent addresses.. well
    > you get the picture.
    >

    Yes, it solves that problem, but also allows spammers to brute force a
    list of valid email addresses. I've seen that attempted far more
    times than I've seen machines hammered to death by spam bounces
    filling the queue.

    I'd recommend disabling it unless you get flooded by such spam
    attacks. I would probably consider it unnecessary information
    disclosure, depending on the environment and reason (if any) for doing
    it that way.

    30-40K mails in the queue really shouldn't overwhelm your mail server,
    though I don't use sendmail on any of mine. I've seen 50K+ mails in
    the queue on some of my Qmail and Postfix mail servers for the same or
    similar reasons and they kept chugging along. Not huge boxes either,
    P3's with 512 MB - 1 GB RAM. I guess if you're running a 486 mail
    server with 16 MB RAM that might be a problem though. :)

    -Chris
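
Added example, not part of the original message: one way to spot the RCPT TO address harvesting discussed above is to count distinct "User unknown" rejections per connecting relay in the mail log. The log lines are constructed and modelled on sendmail's syslog format (an assumption); `harvest_suspects` and its threshold are hypothetical names and values.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on sendmail's syslog output (format assumed).
SAMPLE_LOG = """\
Jan 13 14:04:50 mx sendmail[2101]: j0DC4oAA002101: <asdfasdf@domain>... User unknown
Jan 13 14:04:51 mx sendmail[2101]: j0DC4oAA002101: <oper@domain>... User unknown
Jan 13 14:04:52 mx sendmail[2101]: j0DC4oAA002101: from=<x@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=[192.0.2.10]
Jan 13 14:05:10 mx sendmail[2107]: j0DC5AAB002107: <admin1@domain>... User unknown
Jan 13 14:05:11 mx sendmail[2107]: j0DC5AAB002107: from=<y@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jan 13 14:06:00 mx sendmail[2110]: j0DC60AC002110: <jsmtih@domain>... User unknown
Jan 13 14:06:01 mx sendmail[2110]: j0DC60AC002110: from=<z@example.org>, size=1204, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.org [198.51.100.7]
"""

# "<addr>... User unknown" rejection, keyed by queue id.
REJECT = re.compile(r"sendmail\[\d+\]: (\w+): <([^>]+)>\.\.\. User unknown")
# "from=" summary line for the same queue id; the relay IP is in brackets.
RELAY = re.compile(r"sendmail\[\d+\]: (\w+): from=.*\brelay=(?:\S+ )?\[([^\]]+)\]")


def harvest_suspects(log_text, min_unknown=3):
    """Return {relay_ip: sorted rejected recipients} for relays that were
    refused at least min_unknown distinct unknown recipients."""
    rejected = defaultdict(set)  # queue id -> rejected recipients
    relay_of = {}                # queue id -> relay IP
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            rejected[m.group(1)].add(m.group(2).lower())
            continue
        m = RELAY.search(line)
        if m:
            relay_of[m.group(1)] = m.group(2)

    # Merge sessions by relay so probes spread over many connections still add up.
    per_relay = defaultdict(set)
    for qid, rcpts in rejected.items():
        per_relay[relay_of.get(qid, "unknown-relay")] |= rcpts
    return {ip: sorted(r) for ip, r in per_relay.items() if len(r) >= min_unknown}


if __name__ == "__main__":
    for ip, rcpts in harvest_suspects(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} unknown recipients probed: {', '.join(rcpts)}")
```

A single mistyped address from a legitimate relay stays under the threshold, while a relay walking a name list is reported even when it splits the probes across sessions.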

