Re: Pentesting Openmail Web login

On 5/25/07, Marco Ivaldi <raptor@xxxxxxxxxxxxxxxx> wrote:
On Thu, 24 May 2007, Clemens, Dan wrote:

> The use of SMTP command may help you - expn or vrfy will help you in
> enumerating accounts.

Sometimes, such as in this example, system users are leaked; sometimes
only email addresses can be recovered. In some situations, the latter may
be considered "a feature, not a bug" (tm), as for instance it helps to
keep a lower resource usage on servers heavily targeted by spam. YMMV.

It's all about balancing things, as always in security.

Regarding recovering e-mail addresses - it is a feature and it is
*definitely* NOT a bug. In fact, I would strongly recommend anyone not
doing this to start doing it.

The main problem here is that if you don't reject this e-mail in the
SMTP session then, according to the RFC, you MUST send a bounce back
(since you accepted that e-mail).

Now, regarding e-mail address harvesting, the attacker can harvest
them anyway if they set up a valid mailbox that was used as the
envelope sender (they'll receive the bounce anyway) but your server
had to send the bounce back which, in case of spam floods, can result
in backscatter. Exchange servers are notorious for this (they accept
everything and anything and then send bounces back).

Sure, you can configure your server not to send anything back but then
you are breaking the RFC(s) and you risk legitimate users not
receiving notifications when they mistyped a valid address.
You could possibly implement some thresholds and limit bounces, but
personally I don't see any benefit from this (especially since today
spammers brute-force addresses anyway and just send millions of spam
without caring if it gets delivered or not).

Cheers,

Bojan
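The accept-then-bounce versus reject-at-RCPT trade-off described in the message above, as an added simulation that is not code from the thread or from any MTA; the local mailbox list, the domain and the spam flood are constructed, and the RFC 5321 reference (section 6.1, the obligation to notify the sender once a message has been accepted) is the only assumed external fact:

```python
# Constructed simulation (not code from the list or from any MTA) of the two
# recipient-handling policies discussed above and the backscatter they produce.
from dataclasses import dataclass
from typing import List, Optional, Tuple

KNOWN_USERS = {"alice", "bob"}          # hypothetical local mailboxes
LOCAL_DOMAIN = "example.org"            # hypothetical domain we accept mail for

@dataclass
class Result:
    dialogue: List[Tuple[str, str]]     # (client line, server reply) pairs
    bounce_to: Optional[str]            # who receives a DSN afterwards, if anyone

def smtp_session(policy: str, mail_from: str, rcpt_to: str) -> Result:
    """Walk the envelope part of one SMTP session.

    policy = "reject_in_session": unknown recipients get 550 at RCPT TO, so the
             sending side is told immediately and no DSN is owed (this is the
             address-confirmation 'feature' the thread mentions).
    policy = "accept_then_bounce": every RCPT TO gets 250; undeliverable mail
             must later be bounced to MAIL FROM (RFC 5321 section 6.1), and a
             forged MAIL FROM turns that bounce into backscatter.
    """
    local, _, domain = rcpt_to.partition("@")
    known = domain == LOCAL_DOMAIN and local in KNOWN_USERS
    dialogue = [("MAIL FROM:<%s>" % mail_from, "250 2.1.0 OK")]
    if known or policy == "accept_then_bounce":
        dialogue.append(("RCPT TO:<%s>" % rcpt_to, "250 2.1.5 OK"))
        dialogue.append(("DATA", "354 End data with <CR><LF>.<CR><LF>"))
        dialogue.append((".", "250 2.0.0 Queued"))
        # Responsibility for the message has been accepted: a DSN is owed if it
        # cannot be delivered, and it goes to the envelope sender, forged or not.
        return Result(dialogue, None if known else mail_from)
    dialogue.append(("RCPT TO:<%s>" % rcpt_to, "550 5.1.1 User unknown"))
    return Result(dialogue, None)

def backscatter_victims(policy: str, flood: List[Tuple[str, str]]) -> int:
    """Count DSNs sent to third parties for a list of (MAIL FROM, RCPT TO) pairs."""
    return sum(1 for s, r in flood if smtp_session(policy, s, r).bounce_to)

# Constructed spam flood: dictionary-style recipients with one forged sender.
FLOOD = [("innocent@victim.example", "%s@example.org" % u)
         for u in ("alice", "carol", "dave", "erin")]
```

Running `backscatter_victims("accept_then_bounce", FLOOD)` shows the three DSNs the forged sender would receive, while the reject-in-session policy produces none at the cost of confirming which local addresses exist.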
