Re: Discovering users by RCPT TO

From: Jay D. Dyson (jdyson@treachery.net)
Date: Thu Jan 13 2005 - 18:31:57 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, 13 Jan 2005, Chris Buechler wrote:

> > > Is this ok or is it information disclosure? Is there any way to fix
> > > it? It is Sendmail...
> >
> > That's a common practice.
>
> Though not necessarily a good idea.

         All very true. And it should be noted that some MTAs (such as
Qmail) give no indication on whether a RCPT TO is valid at all. This is
considered preferable by most folks, since it doesn't give away any
information on existing users, though some of the older anti-relay scripts
will erroneously interpret such MTA behavior as being indicative of an
open relay.

         But to the point, there are ways of mitigating such harvesting of
information. You may find the following article on RCPT TO throttling
with Berkeley Sendmail of particular interest.

         http://www.samag.com/documents/s=8920/sam0311k/0311k.htm

> Yes, it solves that problem, but also allows spammers to brute force a
> list of valid email addresses.
<snip>
> I'd recommend disabling it unless you get flooded by such spam attacks.

         In my experience, spammers have ceased even operating under the
pretense that they care if a message will bounce. In the past six months
alone, I've seen over 15,000 internal bounces due to spammers engaged in
address carpet-bombing. I've seen everything from "aaaaaaaa@domain" to
"zxzxzxzxzx@domain". Not one canonical stone left unturned.

         Anyway, check out the RCPT TO throttling as that may be of some
use. But don't sweat the information disclosure too much if there's
nothing seriously sensitive on the system. These days, it's easy enough
generating a list of e-mail addresses just by surveying personal web pages
and converting domain.tld/~user to user@domain.tld.

- -Jay

    ( ( _______
    )) )) .-"There's always time for a good cup of coffee"-. >====<--.
  C|~~|C|~~| (>----- Jay D. Dyson -- jdyson@treachery.net -----<) | = |-'
   `--' `--' `------- I am NOT lost! I'm...exploring. -------' `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFB5wUFBYoRACwSF0cRAhApAJ47OF9nF9WoEu7eYQF1e9aUwtjl6ACfZLum
5N+0J9qgFfycsThjecDyJgQ=
=zFlH
-----END PGP SIGNATURE-----
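The address carpet-bombing Jay describes ("aaaaaaaa@domain" through "zxzxzxzxzx@domain") leaves a distinctive trail in the MTA log: one source producing many distinct unknown-recipient rejections in a short span. The following is an added example, not code from the thread or from Sendmail, showing how a defender can pick that pattern out of Sendmail-style rejection lines while ignoring a legitimate sender that merely retries one mistyped address. The log lines are constructed in an approximation of Sendmail's syslog format (the queue ids, hosts, `domain.tld`, and the 192.0.2.x/198.51.100.x addresses are placeholders), the year is assumed since syslog omits it, and the threshold of 5 distinct rejected recipients within 60 seconds is an assumed starting point to tune per site.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample log in a Sendmail-style syslog format (not real data).
# 192.0.2.10 walks through adjacent local parts, the carpet-bombing pattern
# from the thread; 198.51.100.7 only retries one mistyped address; one line
# is an unrelated envelope-from record that the parser must skip.
SAMPLE_LOG = """\
Jan 13 18:30:01 mail sendmail[4101]: j0DNU1aa004101: ruleset=check_rcpt, arg1=<aaaaaaaa@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaaa@domain.tld>... User unknown
Jan 13 18:30:02 mail sendmail[4101]: j0DNU2ab004101: ruleset=check_rcpt, arg1=<aaaaaaab@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaab@domain.tld>... User unknown
Jan 13 18:30:03 mail sendmail[4101]: j0DNU3ac004101: ruleset=check_rcpt, arg1=<aaaaaaac@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaac@domain.tld>... User unknown
Jan 13 18:30:04 mail sendmail[4101]: j0DNU4ad004101: ruleset=check_rcpt, arg1=<aaaaaaad@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaad@domain.tld>... User unknown
Jan 13 18:30:05 mail sendmail[4101]: j0DNU5ae004101: ruleset=check_rcpt, arg1=<aaaaaaae@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaae@domain.tld>... User unknown
Jan 13 18:30:06 mail sendmail[4101]: j0DNU6af004101: ruleset=check_rcpt, arg1=<aaaaaaaf@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <aaaaaaaf@domain.tld>... User unknown
Jan 13 18:30:07 mail sendmail[4102]: j0DNU7ag004102: from=<alice@example.net>, size=1024, class=0, nrcpts=1, relay=mx.example.net [203.0.113.5]
Jan 13 18:31:10 mail sendmail[4103]: j0DNVAah004103: ruleset=check_rcpt, arg1=<jhon.doe@domain.tld>, relay=host.example [198.51.100.7], reject=550 5.1.1 <jhon.doe@domain.tld>... User unknown
Jan 13 18:31:25 mail sendmail[4103]: j0DNVPai004103: ruleset=check_rcpt, arg1=<jhon.doe@domain.tld>, relay=host.example [198.51.100.7], reject=550 5.1.1 <jhon.doe@domain.tld>... User unknown
Jan 13 18:31:40 mail sendmail[4103]: j0DNVeaj004103: ruleset=check_rcpt, arg1=<jhon.doe@domain.tld>, relay=host.example [198.51.100.7], reject=550 5.1.1 <jhon.doe@domain.tld>... User unknown
Jan 13 18:31:55 mail sendmail[4103]: j0DNVtak004103: ruleset=check_rcpt, arg1=<jhon.doe@domain.tld>, relay=host.example [198.51.100.7], reject=550 5.1.1 <jhon.doe@domain.tld>... User unknown
Jan 13 18:32:05 mail sendmail[4103]: j0DNW5al004103: ruleset=check_rcpt, arg1=<jhon.doe@domain.tld>, relay=host.example [198.51.100.7], reject=550 5.1.1 <jhon.doe@domain.tld>... User unknown
Jan 13 18:45:12 mail sendmail[4104]: j0DNjCam004104: ruleset=check_rcpt, arg1=<zxzxzxzxzx@domain.tld>, relay=[192.0.2.10], reject=550 5.1.1 <zxzxzxzxzx@domain.tld>... User unknown
"""

# Matches an unknown-recipient rejection; relay may be "[ip]" or "host [ip]".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: \S+: "
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, "
    r"relay=(?:\S+ )?\[(?P<ip>[^\]]+)\], "
    r"reject=550 5\.1\.1 .*User unknown$"
)


def parse_unknown_rcpt(line, year=2005):
    """Return (timestamp, source_ip, recipient) for a rejection line, else None.
    The year is assumed because syslog timestamps carry none."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["rcpt"].lower()


def peak_distinct_in_window(events, window_s):
    """events: time-sorted list of (ts, rcpt) for one source. Returns the
    largest number of distinct rejected recipients seen in any window_s-second
    span, with that span's first and last timestamps."""
    win = deque()
    in_win = Counter()
    peak = (0, None, None)
    for ts, rcpt in events:
        win.append((ts, rcpt))
        in_win[rcpt] += 1
        # Slide the window: drop events older than window_s relative to ts.
        while (ts - win[0][0]).total_seconds() > window_s:
            _, old_rcpt = win.popleft()
            in_win[old_rcpt] -= 1
            if in_win[old_rcpt] == 0:
                del in_win[old_rcpt]
        if len(in_win) > peak[0]:
            peak = (len(in_win), win[0][0], ts)
    return peak


def rejections_by_source(lines, year=2005):
    """Naive per-source count of unknown-recipient rejections (for comparison;
    it cannot tell a harvester from a sender retrying one bad address)."""
    counts = Counter()
    for line in lines:
        parsed = parse_unknown_rcpt(line, year)
        if parsed:
            counts[parsed[1]] += 1
    return dict(counts)


def find_harvesters(lines, threshold=5, window_s=60, year=2005):
    """Flag sources that hit >= threshold distinct unknown recipients within
    window_s seconds. Counting distinct recipients, not raw rejections, is
    what separates enumeration from a retried typo."""
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_unknown_rcpt(line, year)
        if parsed:
            ts, ip, rcpt = parsed
            by_ip[ip].append((ts, rcpt))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        distinct, first, last = peak_distinct_in_window(events, window_s)
        if distinct >= threshold:
            alerts[ip] = {"distinct_rcpts": distinct, "first": first, "last": last}
    return alerts


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['distinct_rcpts']} distinct unknown recipients "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
```

Run against the sample, only 192.0.2.10 is reported, even though 198.51.100.7 produced the same raw number of rejections inside one minute; a raw count would have flagged both. Such an alert is a reasonable trigger for the per-connection RCPT TO throttling Jay points to, or for a temporary block at the firewall, and it works regardless of whether the MTA actually reveals which recipients exist.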



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT