Re: Discovering users by RCPT TO

[Kiril Todorov <voland () shadowblade net>]

Andres Molinetti wrote:
> I'm currently over a pen-test and I have found that their SMTP Server 
> (SendMail) does not have VRFY or EXPN methods available, which was the 
> most probably thing to happen taking into account the server has been 
> through some hardening before.
>
> Testing for Open Relay, I realized that the server answers different to 
> existing users and non-existing users, when trying to deliver mails 
> using RCPT TO:
>
> E.g:
>
> rcpt to: asdfasdf@domain
> 550 5.1.1 asdfasdf@domain... User unknown
> rcpt to: bin@domain
> 250 2.1.5 bin@domain... Recipient ok
> rcpt to: nobody@domain
> 250 2.1.5 nobody@domain... Recipient ok
> rcpt to: oper@domain
> 550 5.1.1 oper@domain... User unknown
> rcpt to: root@domain
> 250 2.1.5 root@domain... Recipient ok
>
> Is this ok or is it information disclousure? Is there any way to fix it? 
> It is Sendmail...
>
> Thanks in advance,
>
> Andres Molinetti
> CISSP

That's a common practice.
The main reason is the tons of windows zombie machines, used for 
spamming at random names @ domain name.
All mails are send from fake addresses, so after 2-3 waves of such 
spamming the mail server's queue gets approximately 30-40K mails.
The server is busy sending out bounces to nonexistant addresses.. well 
you get the picture.