RE: Discovering users by RCPT TO

From: Bassett, Mark (Mark.Bassett_at_owh.com)
Date: 01/14/05

Date: Fri, 14 Jan 2005 13:17:07 -0600
To: "Vince Hoang" <vince@litrium.com>, <pen-test@securityfocus.com>

A better way of doing an "authorized user list" is to accept mail for
every address at your domain, but toss it into the bit bucket if it's
not a valid recipient. The major difference is that you accept the
message regardless; it just never gets delivered. Lots of anti-spam
products provide this ability. Offhand, Ciphertrust Ironmail and Clearswift
MimeSweeper are two anti-spam vendors that do this.

Mark Bassett
Firewall Administrator
Omaha World Herald

-----Original Message-----
From: Vince Hoang [mailto:vince@litrium.com]
Sent: Thursday, January 13, 2005 5:20 PM
To: pen-test@securityfocus.com
Subject: Re: Discovering users by RCPT TO

On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
> I'd recommend disabling it unless you get flooded by such spam
> attacks. I would probably consider it unnecessary information
> disclosure, depending on the environment and reason (if any)
> for doing it that way.

Some MTAs permit you to drop the session after a certain
number of failures, but that only slows down the dictionary
attacks.

You cannot disable RCPT TO because that is how the SMTP protocol
designates the recipients.

-Vince
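A defender-side counterpart to the thread above, added here as an example and not code from the original posts: it parses constructed Postfix-style "NOQUEUE: reject" lines and flags a client that probes many distinct unknown recipients in a short window, which is the footprint of the RCPT TO dictionary attack Vince describes. The log format, hostnames, addresses, window and threshold are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed Postfix-style maillog excerpt (synthetic hosts, addresses and times; not from the thread).
# 192.0.2.10 probes five names within seconds; 198.51.100.7 retries one mistyped address (benign control).
SAMPLE_LOG = """\
Jan 14 13:05:10 mx postfix/smtpd[2201]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <jsmtih@example.com>: Recipient address rejected: User unknown in local recipient table; from=<jane@example.org> to=<jsmtih@example.com> proto=ESMTP helo=<mail.example.org>
Jan 14 13:17:01 mx postfix/smtpd[2310]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<aaron@example.com> proto=ESMTP helo=<x>
Jan 14 13:17:02 mx postfix/smtpd[2310]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<abby@example.com> proto=ESMTP helo=<x>
Jan 14 13:17:03 mx postfix/smtpd[2310]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<adam@example.com> proto=ESMTP helo=<x>
Jan 14 13:17:04 mx postfix/smtpd[2310]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<alan@example.com> proto=ESMTP helo=<x>
Jan 14 13:17:05 mx postfix/smtpd[2310]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alex@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<alex@example.com> proto=ESMTP helo=<x>
Jan 14 13:20:30 mx postfix/local[2322]: 3F2B1A0C3: to=<mark@example.com>, relay=local, delay=0.2, status=sent (delivered to mailbox)
Jan 14 13:40:11 mx postfix/smtpd[2419]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <jsmtih@example.com>: Recipient address rejected: User unknown in local recipient table; from=<jane@example.org> to=<jsmtih@example.com> proto=ESMTP helo=<mail.example.org>
"""

REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 .*?<(?P<rcpt>[^>]+)>: Recipient address rejected"
)

def parse_rejects(log_text, year=2005):
    """Return (timestamp, client_ip, recipient) per RCPT TO rejection; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:  # delivery lines and other non-reject records are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["rcpt"].lower()))
    return events

def find_enumerators(events, window=timedelta(minutes=10), threshold=5):
    """Map client IP -> peak count of distinct unknown recipients probed within `window`.
    Counting distinct names (not raw 550s) keeps a retried typo from alerting."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in sorted(events):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, evs in by_ip.items():
        start, in_window = 0, Counter()  # recipient -> hits inside the window
        for ts, rcpt in evs:
            in_window[rcpt] += 1
            while evs[start][0] < ts - window:  # evict events older than the window
                in_window[evs[start][1]] -= 1
                start += 1
            distinct = len(+in_window)  # unary + drops zero-count entries
            if distinct >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```

Under the accept-everything policy Mark describes there are no 550 responses to parse, so the same signal has to come from the discard log of the filtering product instead.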

