Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Discovering users by RCPT TO

From: "Bassett, Mark" <Mark.Bassett () owh com>
Date: Fri, 14 Jan 2005 13:17:07 -0600
A better way of doing an "authorized user list", is to accept mail for
every address at your domain, but toss it into the bit bucket if it's
not a valid recipient.  The major difference being that you accept the
message regardless, it just never gets delivered.  Lots of anti-spam
products provide this ability.  Ciphertrust Ironmail, and Clearswift
MimeSweeper are both anti-spam vendors that do this that I can think of
offhand.

Mark Bassett
Firewall Administrator
Omaha World Herald


-----Original Message-----
From: Vince Hoang [mailto:vince () litrium com] 
Sent: Thursday, January 13, 2005 5:20 PM
To: pen-test () securityfocus com
Subject: Re: Discovering users by RCPT TO

On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:

I'd recommend disabling it unless you get flooded by such spam
attacks. I would probably consider it unnecessary information
disclosure, depending on the environment and reason (if any)
for doing it that way.


Some MTAs allow permit you to drop the session after a certain
number of failures, but that only slows down the dictionary
attacks.

You cannot disable RCPT TO because that is how the SMTP protocol
designates the recipients.

-Vince
Previous By Date Next
Previous By Thread Next

Current thread: