Bugtraq mailing list archives
NTmail and VRFY
From: georger () NLS NET (George)
Date: Tue, 30 Nov 1999 06:25:31 -0500
Aleph, for some reason this didn't seem to make it the first time so I'm resubmitting. If you were holding up on releasing it while checking with Gordano then just trash this copy.

Before I begin, I posted this to Gordano's mail list for NTmail this morning (11/29/99), but despite it being posted I can't seem to even get a reaction out of anyone over there. They have enough traffic and posts that I would have hoped to at least get someone to confirm this, but I guess they don't consider this important. I would appreciate it if anyone here can verify this, and if you find a solution please let me know.

For those of you running NTmail version 4 or 5: in the configuration screens there is an option on the ESMTP settings to turn the VRFY command off. I had my mail servers set that way, knowing in my heart that VRFY is then disabled. Well, today I'm running David's CIS.EXE program and lo and behold it shows me that my mail servers have VRFY turned ON!!

What does this mean, you ask? Well, the spammers use scripts to harvest email addresses. These scripts basically run a brute force "attack" on a mail server, trying a dictionary of common email addresses to see if they exist; they harvest the ones they can confirm as active. With the vrfy command enabled it makes this incredibly easy. Here is a sample session:

    J:\>netcat mail.gordano.com 25
    220 mail.net-shopper.co.uk NTMail (v5.01.0003/AB0000.00.719cfeeb) ready for ESMTP transfer
    vrfy johns
    250 johns () net-shopper co uk <johns () net-shopper co uk>.
    vrfy postmaster
    250 postmaster () net-shopper co uk <postmaster () net-shopper co uk>.
    vrfy xxxxx
    557 String does not match anything.

As you can see, the mail server happily tells them not only when they hit an active account but it gives them the domain name, making it very easy to write a single script that can be used against ALL NTmail 4 or 5 servers for email address harvesting.

Geo.
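An added example, not part of the original post and not Gordano's code: a small offline check an administrator could run over a saved SMTP session, such as the one above, to decide whether the server's VRFY replies actually disclose mailboxes. The two transcripts, the example.test addresses and the function names are constructed for illustration; the treatment of 250/251 as "confirmed" and of a uniform 252 or 502 as non-disclosing follows standard SMTP reply semantics.

```python
import re

# Constructed transcripts. LEAKY mirrors the reply codes shown in the post;
# DISABLED is what a server with VRFY really switched off typically returns.
LEAKY = """220 mail.example.test NTMail ready for ESMTP transfer
vrfy johns
250 johns@example.test <johns@example.test>.
vrfy postmaster
250 postmaster@example.test <postmaster@example.test>.
vrfy xxxxx
557 String does not match anything.
"""
DISABLED = """220 mail.example.test ESMTP ready
vrfy johns
252 Cannot VRFY user, but will accept message and attempt delivery
vrfy xxxxx
252 Cannot VRFY user, but will accept message and attempt delivery
"""

REPLY = re.compile(r"^(\d{3})([ -]|$)")          # "250 text" or "250-text"
VRFY = re.compile(r"^vrfy\s+(\S+)", re.IGNORECASE)

def vrfy_replies(transcript):
    """Pair each VRFY argument with the code of the reply that follows it."""
    pairs, pending = [], None
    for line in transcript.splitlines():
        line = line.strip()
        cmd = VRFY.match(line)
        if cmd:
            pending = cmd.group(1)
            continue
        reply = REPLY.match(line)
        # "250-" marks a continuation line; only the final line ends a reply.
        if reply and pending is not None and reply.group(2) != "-":
            pairs.append((pending, int(reply.group(1))))
            pending = None
    return pairs

def assess(transcript):
    """Return (verdict, names the server confirmed as existing mailboxes)."""
    pairs = vrfy_replies(transcript)
    codes = {code for _, code in pairs}
    confirmed = [name for name, code in pairs if code in (250, 251)]
    if confirmed:
        return "VRFY enabled: confirms mailboxes", confirmed
    if len(codes) > 1:
        return "replies differ per name: possible oracle", confirmed
    if codes:
        return "VRFY not disclosing", confirmed
    return "no VRFY exchange found", confirmed
```

A server whose configuration says VRFY is off should produce the third verdict for any mix of real and made-up names.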