Full Disclosure mailing list archives
Re: Re: User Enumeration Flaw
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 21 Feb 2006 08:26:47 -0500
That's called directory harvesting and it's hardly new. Most MTAs implement tarpitting of some sort, to limit VRFY or RCPT commands from a perticular IP to a certian threshold, before they start slowing them down.
There are also ways to silently drop (or accept with routing to /dev/null) a session for a recipient that isn't in an external database (eg: LDAP) -- and while this breaks the RFC, people do it anyway.
Ever looked at a Hotmail spam message? There will be 50 recipients ..gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real and get rejected. Those that don't come back get added as "valid" for the second round.
~Mike. Dave Korn wrote:
Mar.Shatz () education gov il wrote:whitehouse.gov MX 100 mailhub-wh2.whitehouse.gov noone@box:~$ noone@box:~$ telnet mailhub-wh2.whitehouse.gov 25 Trying 63.161.169.140... Connected to mailhub-wh2.whitehouse.gov. Escape character is '^]'. 220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500 (EST) helo jojo 250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet you mail from:bob () com com 250 2.1.0 bob () com com... Sender ok rcpt to:gbush () whitehouse gov 550 5.1.1 gbush () whitehouse gov... User unknown rcpt to:president () whitehouse gov 250 2.1.5 president () whitehouse gov... Recipient ok quit 221 2.0.0 esgeop03.whitehouse.gov closing connection Connection closed by foreign host. User enumeration at the whitehouseTell DHS at once! What would happen if Al-Qaeda could figure out that there was a president in the whitehouse?cheers, DaveK
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- User Enumeration Flaw Mar . Shatz (Feb 18)
- Re: User Enumeration Flaw Simon Smith (Feb 18)
- Re: User Enumeration Flaw Valdis . Kletnieks (Feb 18)
- Re: User Enumeration Flaw Dave Korn (Feb 20)
- Re: Re: User Enumeration Flaw Valdis . Kletnieks (Feb 20)
- Re: Re: User Enumeration Flaw Michael Holstein (Feb 21)