Re: Pentesting Openmail Web login

From: Bojan Zdrnja (bojan.zdrnja@gmail.com)
Date: Fri May 25 2007 - 20:02:13 EDT

• Next message: Morgan Reed: "Re: Most Successful Exploits/Tools to use against windows & Linux?"
• Previous message: Pranay Kanwar: "RE: Private IP address with yahoo messenger"
• In reply to: Marco Ivaldi: "RE: Pentesting Openmail Web login"
• Next in thread: pagvac: "Re: Pentesting Openmail Web login"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On 5/25/07, Marco Ivaldi <raptor@mediaservice.net> wrote:
> On Thu, 24 May 2007, Clemens, Dan wrote:
>
> > The use of SMTP command may help you - expn or vrfy will help you in
> > enumerating accounts.
>
> Sometimes, such as in this example, system users are leaked; sometimes
> only email addresses can be recovered. In some situations, the latter may
> be considered "a feature, not a bug" (tm), as for instance it helps to
> keep a lower resource usage on servers heavily targeted by spam. YMMV.

It's all about balancing things, as always in security.

Regarding recovering e-mail addresses - it is a feature and it is
*definitely* NOT a bug. In fact, I would strongly recommend anyone not
doing this to start doing it.

The main problem here is that if you don't reject this e-mail in the
SMTP session then, according to the RFC, you MUST send a bounce back
(since you accepted that e-mail).

Now, regarding e-mail address harvesting, the attacker can harvest
them anyway if they setup a valid mailbox that was used as the
envelope sender (they'll receive the bounce anyway) but your server
had to send the bounce back which, in case of spam floods, can result
in backscatter. Exchange servers are notorious for this (they accept
everything and anything and then send bounces back).

Sure, you can configure your server not to send anything back but then
you are breaking the RFC(s) and you risk legitimate users not
receiving notifications when they mistyped a valid address.
You could possibly implement some thresholds and limit bounces, but
personally I don't see any benefit from this (especially since today
spammers brute force addresses anyway and just send millions of spam
without caring if it gets delivered or not).

Cheers,

Bojan

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

• Next message: Morgan Reed: "Re: Most Successful Exploits/Tools to use against windows & Linux?"
• Previous message: Pranay Kanwar: "RE: Private IP address with yahoo messenger"
• In reply to: Marco Ivaldi: "RE: Pentesting Openmail Web login"
• Next in thread: pagvac: "Re: Pentesting Openmail Web login"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:50 EDT