Re: Re: User Enumeration Flaw

[Michael Holstein <michael.holstein () csuohio edu>]

That's called directory harvesting and it's hardly new. Most MTAs 
implement tarpitting of some sort, to limit VRFY or RCPT commands from a 
perticular IP to a certian threshold, before they start slowing them down.

There are also ways to silently drop (or accept with routing to 
/dev/null) a session for a recipient that isn't in an external database 
(eg: LDAP) -- and while this breaks the RFC, people do it anyway.

Ever looked at a Hotmail spam message? There will be 50 recipients ..

gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real 
and get rejected. Those that don't come back get added as "valid" for 
the second round.

~Mike.

Dave Korn wrote:
> Mar.Shatz () education gov il wrote:
>
> > whitehouse.gov          MX      100 mailhub-wh2.whitehouse.gov
> > noone@box:~$
> > noone@box:~$ telnet mailhub-wh2.whitehouse.gov 25
> > Trying 63.161.169.140...
> > Connected to mailhub-wh2.whitehouse.gov.
> > Escape character is '^]'.
> > 220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500
> > (EST) helo jojo
> > 250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet
> > you mail from:bob () com com
> > 250 2.1.0 bob () com com... Sender ok
> > rcpt to:gbush () whitehouse gov
> > 550 5.1.1 gbush () whitehouse gov... User unknown
> > rcpt to:president () whitehouse gov
> > 250 2.1.5 president () whitehouse gov... Recipient ok
> > quit
> > 221 2.0.0 esgeop03.whitehouse.gov closing connection
> > Connection closed by foreign host.
> >
> > User enumeration at the whitehouse
>
>
>
>   Tell DHS at once!  What would happen if Al-Qaeda could figure out that 
> there was a president in the whitehouse?
>
>
>     cheers,
>       DaveK
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/