From: Bassett, Mark (Mark.Bassett@owh.com)
Date: Fri Jan 14 2005 - 14:17:07 EST
A better way of doing an "authorized user list", is to accept mail for
every address at your domain, but toss it into the bit bucket if it's
not a valid recipient. The major difference being that you accept the
message regardless, it just never gets delivered. Lots of anti-spam
products provide this ability. Ciphertrust Ironmail, and Clearswift
MimeSweeper are both anti-spam vendors that do this that I can think of
offhand.
Mark Bassett
Firewall Administrator
Omaha World Herald
-----Original Message-----
From: Vince Hoang [mailto:vince@litrium.com]
Sent: Thursday, January 13, 2005 5:20 PM
To: pen-test@securityfocus.com
Subject: Re: Discovering users by RCPT TO
On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
> I'd recommend disabling it unless you get flooded by such spam
> attacks. I would probably consider it unnecessary information
> disclosure, depending on the environment and reason (if any)
> for doing it that way.
Some MTAs allow permit you to drop the session after a certain
number of failures, but that only slows down the dictionary
attacks.
You cannot disable RCPT TO because that is how the SMTP protocol
designates the recipients.
-Vince
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:13 EDT