Penetration Testing mailing list archives
RE: Discovering users by RCPT TO
From: "Bassett, Mark" <Mark.Bassett () owh com>
Date: Fri, 14 Jan 2005 13:17:07 -0600
A better way of doing an "authorized user list" is to accept mail for every address at your domain, but toss it into the bit bucket if it's not a valid recipient. The major difference being that you accept the message regardless, it just never gets delivered. Lots of anti-spam products provide this ability. Ciphertrust Ironmail and Clearswift MimeSweeper are both anti-spam vendors that do this that I can think of offhand.

Mark Bassett
Firewall Administrator
Omaha World Herald

-----Original Message-----
From: Vince Hoang [mailto:vince () litrium com]
Sent: Thursday, January 13, 2005 5:20 PM
To: pen-test () securityfocus com
Subject: Re: Discovering users by RCPT TO

On Thu, Jan 13, 2005 at 02:20:12PM -0500, Chris Buechler wrote:
I'd recommend disabling it unless you get flooded by such spam attacks. I would probably consider it unnecessary information disclosure, depending on the environment and reason (if any) for doing it that way.
Some MTAs permit you to drop the session after a certain number of failures, but that only slows down the dictionary attacks. You cannot disable RCPT TO because that is how the SMTP protocol designates the recipients.

-Vince
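As an added example (not code from the thread or from any of the products named in it), here is the defender-side detection logic for the RCPT TO probing the thread discusses: it reads constructed Postfix-style smtpd log lines and flags clients that hit many distinct "User unknown" recipients. The log format, the sample IPs and the threshold of five distinct addresses are assumptions.

```python
import re
from collections import defaultdict

# Matches a Postfix-style "User unknown" rejection at RCPT TO time and
# captures the connecting client's IP and the probed recipient address.
REJECT_RE = re.compile(
    r"RCPT from \S*\[(?P<ip>[0-9a-fA-F.:]+)\]: 550 [0-9.]+ <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown"
)

# Constructed sample log (Postfix smtpd format, made up for this example):
# one client probes six different mailboxes, another makes a single typo.
SAMPLE_LOG = "\n".join(
    [
        f"Jan 14 13:01:0{i} mx postfix/smtpd[2231]: NOQUEUE: reject: "
        f"RCPT from unknown[192.0.2.10]: 550 5.1.1 <{name}@example.com>: "
        "Recipient address rejected: User unknown in local recipient table; "
        f"from=<probe@example.org> to=<{name}@example.com> proto=ESMTP helo=<scanner>"
        for i, name in enumerate(["aaron", "abby", "adam", "alan", "alex", "amy"])
    ]
    + [
        "Jan 14 13:05:44 mx postfix/smtpd[2240]: NOQUEUE: reject: "
        "RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <jon.smtih@example.com>: "
        "Recipient address rejected: User unknown in local recipient table; "
        "from=<jane@example.net> to=<jon.smtih@example.com> proto=ESMTP helo=<mail.example.net>",
        "Jan 14 13:06:01 mx postfix/smtpd[2240]: 7F2A1C3: client=mail.example.net[198.51.100.7]",
    ]
)


def unknown_recipients_by_client(log_text):
    """Return {client_ip: set of distinct recipients rejected as unknown}."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m:
            probes[m.group("ip")].add(m.group("rcpt").lower())
    return probes


def enumeration_suspects(log_text, threshold=5):
    """Clients that hit `threshold` or more distinct unknown recipients.

    Counting distinct addresses rather than raw rejections keeps a legitimate
    sender retrying one mistyped address from tripping the rule.
    """
    return {
        ip: len(rcpts)
        for ip, rcpts in unknown_recipients_by_client(log_text).items()
        if len(rcpts) >= threshold
    }
```

Note that if the server is configured to accept every recipient and discard silently, as Mark suggests, these rejections never appear in the log, so the same probing would have to be spotted from an unusual volume of accepted-then-discarded recipients per client instead.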
Current thread:
- Discovering users by RCPT TO Andres Molinetti (Jan 12)
- Re: Discovering users by RCPT TO GuidoZ (Jan 13)
- Re: Discovering users by RCPT TO Martin Fallon (Jan 13)
- Re: Discovering users by RCPT TO Kiril Todorov (Jan 13)
- Re: Discovering users by RCPT TO Chris Buechler (Jan 13)
- Re: Discovering users by RCPT TO Jay D. Dyson (Jan 14)
- Re: Discovering users by RCPT TO Vince Hoang (Jan 14)
- Re: Discovering users by RCPT TO dmz (Jan 14)
- Re: Discovering users by RCPT TO Matan Peled (Jan 15)
- Re: Discovering users by RCPT TO Faisal Khan (Jan 15)
- Re: Discovering users by RCPT TO Chris Buechler (Jan 13)
- Re: Discovering users by RCPT TO GuidoZ (Jan 13)
- <Possible follow-ups>
- RE: Discovering users by RCPT TO Bassett, Mark (Jan 15)
- Re: Discovering users by RCPT TO Baltasar Cevc (Jan 17)
- Re: Discovering users by RCPT TO Tobias Glemser (Jan 20)
- Re: Discovering users by RCPT TO Baltasar Cevc (Jan 17)
- Re: Discovering users by RCPT TO Marco Ivaldi (Jan 22)