Full Disclosure mailing list archives
Re: User Enumeration Flaw
From: Valdis.Kletnieks () vt edu
Date: Sat, 18 Feb 2006 18:41:40 -0500
On Sat, 18 Feb 2006 17:03:20 EST, Mar.Shatz () education gov il said:
helo jojo
Lack of a fully qualified domain name.
250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet you mail from:bob () com com
mail from:<bob () com com>
250 2.1.0 bob () com com... Sender ok rcpt to:gbush () whitehouse gov
rcpt to:<gbush () whitehouse gov> Their SMTP server would have been totally within its rights to throw a '501 syntax error' due to the lack of < > characters. Given that at this point they have yet to see a command that's correct both syntactically and semantically, and they're still talking to you, they've obviously decided to try to be as helpful as possible, rather than being totally strict hard-asses about it. Of course, they're being self-serving here. They can either give you a '550 user unknown' reply if the mailbox doesn't exist, or they can give you a '250 user OK' and then try to issue a bounce later - and given that at that point we're batting 0 for 3 for correct commands, the chances that the MAIL FROM: will actually work as a bounce destination are slim indeed. So they get to choose between the small information leak that the 250/550 replies create (said information being extractable via *other* means in most cases anyhow), or not allowing the leak and getting stuck with the almost inevitable double bounces that will result. Obviously, they consider the security risk of DoS via flooding of double-bounces to be larger than the risk of leaking information to something that can't get basic SMTP syntax correct...
Attachment:
_bin
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- User Enumeration Flaw Mar . Shatz (Feb 18)
- Re: User Enumeration Flaw Simon Smith (Feb 18)
- Re: User Enumeration Flaw Valdis . Kletnieks (Feb 18)
- Re: User Enumeration Flaw Dave Korn (Feb 20)
- Re: Re: User Enumeration Flaw Valdis . Kletnieks (Feb 20)
- Re: Re: User Enumeration Flaw Michael Holstein (Feb 21)