Re: Discovering users by RCPT TO

From: Jay D. Dyson (jdyson_at_treachery.net)
Date: 01/14/05

    Date: Thu, 13 Jan 2005 15:31:57 -0800 (PST)
    To: Penetration Testers <pen-test@securityfocus.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    On Thu, 13 Jan 2005, Chris Buechler wrote:

    > > > Is this ok or is it information disclosure? Is there any way to fix
    > > > it? It is Sendmail...
    > >
    > > That's a common practice.
    >
    > Though not necessarily a good idea.

             All very true. And it should be noted that some MTAs (such as
    Qmail) give no indication on whether a RCPT TO is valid at all. This is
    considered preferable by most folks, since it doesn't give away any
    information on existing users, though some of the older anti-relay scripts
    will erroneously interpret such MTA behavior as being indicative of an
    open relay.

             But to the point, there are ways of mitigating such harvesting of
    information. You may find the following article on RCPT TO throttling
    with Berkeley Sendmail of particular interest.

             http://www.samag.com/documents/s=8920/sam0311k/0311k.htm

    > Yes, it solves that problem, but also allows spammers to brute force a
    > list of valid email addresses.
    <snip>
    > I'd recommend disabling it unless you get flooded by such spam attacks.

             In my experience, spammers have ceased even operating under the
    pretense that they care if a message will bounce. In the past six months
    alone, I've seen over 15,000 internal bounces due to spammers engaged in
    address carpet-bombing. I've seen everything from "aaaaaaaa@domain" to
    "zxzxzxzxzx@domain". Not one canonical stone left unturned.

             Anyway, check out the RCPT TO throttling as that may be of some
    use. But don't sweat the information disclosure too much if there's
    nothing seriously sensitive on the system. These days, it's easy enough
    generating a list of e-mail addresses just by surveying personal web pages
    and converting domain.tld/~user to user@domain.tld.

    - -Jay

        ( ( _______
        )) )) .-"There's always time for a good cup of coffee"-. >====<--.
      C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | = |-'
       `--' `--' `------- I am NOT lost! I'm...exploring. -------' `------'

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.6 (TreacherOS)
    Comment: See http://www.treachery.net/~jdyson/ for current keys.

    iD8DBQFB5wUFBYoRACwSF0cRAhApAJ47OF9nF9WoEu7eYQF1e9aUwtjl6ACfZLum
    5N+0J9qgFfycsThjecDyJgQ=
    =zFlH
    -----END PGP SIGNATURE-----
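The three behaviours discussed in the thread (a verbose MTA that answers 250/550 per recipient, a qmail-style MTA that accepts any local part at RCPT time, and a server that throttles bad recipients) can be put side by side in a small model. The following is an added example, not code from the post, from sendmail or from qmail: it simulates the server side of the RCPT TO exchange under each policy and runs two client probes against it, a harvester brute-forcing local parts and an old-style relay test. The domain, user list, the threshold of three bad recipients, and the reply texts are all constructed for illustration; the model also simplifies by having all three policies refuse foreign domains at RCPT time and by dropping a throttled session with a 421 rather than slowing it down.

```python
"""Toy SMTP RCPT TO model: three server policies and two client probes.

Added example, not code from the original post or from sendmail/qmail.
Everything here (domain, user list, the threshold of three bad recipients,
the exact reply texts) is constructed for illustration.
"""
from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"                   # constructed
VALID_USERS = {"alice", "bob", "postmaster"}   # constructed


@dataclass
class Session:
    # "verbose":    250/550 per recipient, so every RCPT TO leaks one bit
    # "accept_all": 250 for any local part; unknown users bounce after DATA
    # "throttled":  verbose, but closes the session after too many bad RCPTs
    policy: str
    bad_rcpts: int = 0
    bad_rcpt_threshold: int = 3                # constructed throttle setting
    accepted: list = field(default_factory=list)


def rcpt_to(session: Session, address: str) -> str:
    """Reply the modelled server gives to RCPT TO:<address>."""
    local, _, domain = address.rpartition("@")
    if domain.lower() != LOCAL_DOMAIN:
        # Simplification: all three policies refuse foreign domains up front.
        return "553 5.7.1 Relaying denied"
    if session.policy == "accept_all":
        # No lookup at all: '%'-hacked or nonexistent local parts get 250 too.
        session.accepted.append(address)
        return "250 ok"
    if local in VALID_USERS:
        session.accepted.append(address)
        return f"250 2.1.5 <{address}>... Recipient ok"
    session.bad_rcpts += 1
    if session.policy == "throttled" and session.bad_rcpts > session.bad_rcpt_threshold:
        # Simplified stand-in for bad-recipient throttling: a real MTA may slow
        # the session down instead of closing it; either way the harvester
        # stops getting one clean answer per guess.
        return "421 4.7.0 Too many bad recipients, closing connection"
    return f"550 5.1.1 <{address}>... User unknown"


def harvest(session: Session, candidates):
    """What a harvester does: one RCPT TO per guess, any 2xx means 'exists'.

    Returns (names_judged_valid, connection_dropped)."""
    found = []
    for name in candidates:
        reply = rcpt_to(session, f"{name}@{LOCAL_DOMAIN}")
        if reply.startswith("421"):
            return found, True
        if reply.startswith("2"):
            found.append(name)
    return found, False


def naive_relay_test(session: Session) -> bool:
    """Old-style relay probe: RCPT TO a '%'-hacked local address and call the
    server an open relay on any 2xx. Against an accept-everything MTA that 250
    is not a promise to relay, so the probe reports a false positive."""
    reply = rcpt_to(session, f"victim%otherdomain.example@{LOCAL_DOMAIN}")
    return reply.startswith("2")


if __name__ == "__main__":
    guesses = ["aaaaaaaa", "alice", "bbbb", "cccc", "dddd", "bob", "zxzxzxzxzx"]
    for policy in ("verbose", "accept_all", "throttled"):
        found, dropped = harvest(Session(policy), guesses)
        print(f"{policy:10s} found={found} dropped={dropped} "
              f"naive relay test says open={naive_relay_test(Session(policy))}")
```

Running it shows the trade-off the thread describes: the verbose server hands the harvester exactly the valid names, the accept-everything server tells it nothing (every guess "exists") but trips the naive relay test, and the throttled server cuts the brute force off after the threshold of unknown recipients so later valid names in the list are never confirmed.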
