Security Incidents mailing list archives

Re: Strange SMTP Garbage Flood

From: Duncan Simpson <dps () io stargate co uk>
Date: Wed, 14 Nov 2001 16:49:35 +0000


Incomplete mail sessions, i.e. HELO, MAIL FROM:, RCPT TO: followed by either
cutting the connection or QUIT or RSET is also a known method of probing for
valid aliases or user names. It almost always works even if the VRFY, EXPN and
other more obvious methods have been disabled. It also tends to avoid null 
mail session detectora.

I have used this method more than once to find out if abuse@<domain> exists or
not (and almost always throw in a known invalid name to see if the method
works). The same method could be abused to probe for valid user names and that
sort of thing.

-- 
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Strange SMTP Garbage Flood Mike Tibor (Nov 13)
- Re: Strange SMTP Garbage Flood macdaddy (Nov 13)
  - Re: Strange SMTP Garbage Flood Duncan Simpson (Nov 14)
    - Re: Strange SMTP Garbage Flood Johannes Verelst (Nov 14)