Penetration Testing mailing list archives
Re: Pentesting Openmail Web login
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Sat, 26 May 2007 12:02:13 +1200
On 5/25/07, Marco Ivaldi <raptor () mediaservice net> wrote:
On Thu, 24 May 2007, Clemens, Dan wrote: > The use of SMTP command may help you - expn or vrfy will help you in > enumerating accounts. Sometimes, such as in this example, system users are leaked; sometimes only email addresses can be recovered. In some situations, the latter may be considered "a feature, not a bug" (tm), as for instance it helps to keep a lower resource usage on servers heavily targeted by spam. YMMV.
It's all about balancing things, as always in security. Regarding recovering e-mail addresses - it is a feature and it is *definitely* NOT a bug. In fact, I would strongly recommend anyone not doing this to start doing it. The main problem here is that if you don't reject this e-mail in the SMTP session then, according to the RFC, you MUST send a bounce back (since you accepted that e-mail). Now, regarding e-mail address harvesting, the attacker can harvest them anyway if they setup a valid mailbox that was used as the envelope sender (they'll receive the bounce anyway) but your server had to send the bounce back which, in case of spam floods, can result in backscatter. Exchange servers are notorious for this (they accept everything and anything and then send bounces back). Sure, you can configure your server not to send anything back but then you are breaking the RFC(s) and you risk legitimate users not receiving notifications when they mistyped a valid address. You could possibly implement some thresholds and limit bounces, but personally I don't see any benefit from this (especially since today spammers brute force addresses anyway and just send millions of spam without caring if it gets delivered or not). Cheers, Bojan ------------------------------------------------------------------------ This List Sponsored by: Cenzic Are you using SPI, Watchfire or WhiteHat? Consider getting clear vision with Cenzic See HOW Now with our 20/20 program! http://www.cenzic.com/c/2020 ------------------------------------------------------------------------
Current thread:
- Pentesting Openmail Web login s-williams (May 23)
- Re: Pentesting Openmail Web login Rodrigo Montoro (Sp0oKeR) (May 25)
- <Possible follow-ups>
- Re: Pentesting Openmail Web login s-williams (May 23)
- Re: Pentesting Openmail Web login Brent Wolfram (May 23)
- Re: Pentesting Openmail Web login Tremaine Lea (May 23)
- Re: Pentesting Openmail Web login sherwyn . williams (May 24)
- RE: Pentesting Openmail Web login Clemens, Dan (May 24)
- RE: Pentesting Openmail Web login Marco Ivaldi (May 25)
- Re: Pentesting Openmail Web login Bojan Zdrnja (May 25)
- Re: Pentesting Openmail Web login pagvac (May 29)
- Re: Pentesting Openmail Web login rajat swarup (May 30)