Bugtraq mailing list archives

Re: SMTP server account probing


From: gvs () RINET RU (GvS)
Date: Tue, 9 Mar 1999 20:58:25 +0300


Hi there!

On Mon, 8 Mar 1999, Brett Glass wrote:

 BG> In this attack, an SMTP server is probed for common names, presumably
 BG> so that spam can then be targeted at them. The attacking machine
 BG> connects and issues hundreds of RCPT TO: commands, searching a long
 BG> list of common user names (e.g. susan) for ones that don't cause
 BG> errors. It then compiles a list of target addresses to spam.

The most common protection method against this attack is to restrict
the number of recipients per message as defined in sendmail.cf:

O MaxRecipientsPerMessage=NN

It doesn't protect from name probing, but protects from overhead in
conjunction with O ConnectionRateThrottle and O MaxDaemonChildren
options.

 BG> I'm surprised that I haven't seen this one on the Bugtraq list yet.

I do not think it's a Bugtraq issue really. This attack can easily be
prevented with configuration methods.

SY, Seva Gluschenko, just stranger at the Road.
GVS-RIPE: Cronyx Plus / RiNet network administrator.

--- IRC: erra
 * Origin: Erra Netmale (gvs () rinet ru) [http://gvs.rinet.ru/]
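
Since the reply notes that MaxRecipientsPerMessage does not stop name probing itself, the following is an added example (not part of the original post) of spotting the probing in mail logs by counting "User unknown" rejections per connecting relay. The log lines are constructed in the style of sendmail's syslog output; the exact field layout, the function name and the threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (assumed sendmail-style syslog layout, not real traffic).
SAMPLE_LOG = """\
Mar  9 20:41:02 mx sendmail[4021]: UAA04021: <susan@example.org>... User unknown
Mar  9 20:41:02 mx sendmail[4021]: UAA04021: <john@example.org>... User unknown
Mar  9 20:41:03 mx sendmail[4021]: UAA04021: <mary@example.org>... User unknown
Mar  9 20:41:03 mx sendmail[4021]: UAA04021: <bob@example.org>... User unknown
Mar  9 20:41:04 mx sendmail[4021]: UAA04021: from=<x@probe.invalid>, size=0, nrcpts=0, proto=SMTP, relay=probe.invalid [192.0.2.10]
Mar  9 20:50:11 mx sendmail[4077]: UAA04077: <jon@example.org>... User unknown
Mar  9 20:50:12 mx sendmail[4077]: UAA04077: from=<alice@client.invalid>, size=812, nrcpts=1, proto=SMTP, relay=client.invalid [198.51.100.7]
"""

# A rejected recipient is logged against the queue id of the SMTP transaction.
REJECT = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): <[^>]*>\.\.\. User unknown")
# The "from=" line for the same queue id carries the connecting relay.
FROM = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): from=.*\brelay=(?P<relay>.+)$")


def probing_relays(log_text, threshold=3):
    """Return {relay: rejected_rcpt_count} for relays at or above threshold."""
    rejects_by_qid = Counter()
    relay_of_qid = {}
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m:
            rejects_by_qid[m["qid"]] += 1
            continue
        m = FROM.search(line)
        if m:
            relay_of_qid[m["qid"]] = m["relay"].strip()

    # Roll the per-transaction counts up to the relay that opened the session,
    # so a prober that splits its list across several messages is still counted.
    per_relay = Counter()
    for qid, count in rejects_by_qid.items():
        per_relay[relay_of_qid.get(qid, "unknown")] += count
    return {relay: n for relay, n in per_relay.items() if n >= threshold}


if __name__ == "__main__":
    for relay, n in probing_relays(SAMPLE_LOG).items():
        print(f"{n} unknown recipients from {relay}")
```

A single mistyped address from a legitimate sender stays below the threshold; only relays that accumulate many rejections are reported.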


