Re: ESMTP service

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2007-12-25 Sun Z wrote:
> One security issue would be that the SMTP service has commands to
> ennumerate users of the machine

Wrong. SMTP provides commands to verify (not enumerate) a given address,
or to expand a given mailing list address to its members. In any case
you are dealing with mailboxes, not users. Mailboxes don't necessarily
represent user accounts on that machine.

The VRFY command can be turned off on most SMTP servers, too.

> which can be used in brute force attempts, FTP and SSH for example.

FTP should've died a long time ago, and there are better ways to secure
SSH from brute force attacks than hiding login names. Public key
authentication comes to mind.

Besides, users' login names can usually be guessed most easily anyway,
so they shouldn't be considered a secret in the first place.

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq