[12776] in bugtraq


NTmail and VRFY

daemon@ATHENA.MIT.EDU (George)
Tue Nov 30 12:34:52 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <005701bf3b25$d2410b10$0a1a90d8@eniac>
Date:         Tue, 30 Nov 1999 06:25:31 -0500
Reply-To: George <georger@NLS.NET>
From: George <georger@NLS.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

Aleph, for some reason this didn't seem to make it the first time, so I'm
resubmitting. If you were holding up on releasing it while checking with
Gordano, then just trash this copy.

Before I begin, I posted this to Gordano's mail list for NTmail this
morning (11/29/99), but despite it being posted I can't seem to even get a
reaction out of anyone over there. They have enough traffic and posts that
I would have hoped to at least get someone to confirm this, but I guess
they don't consider this important. I would appreciate it if anyone here
can verify this, and if you find a solution please let me know.

For those of you running NTmail version 4 or 5

In the configuration screens there is an option in the ESMTP settings to
turn the VRFY command off. I had my mail servers set that way, knowing in my
heart that VRFY was then disabled. Well, today I'm running David's CIS.EXE
program and, lo and behold, it shows me that my mail servers have VRFY turned
ON!!

What does this mean, you ask? Well, the spammers use scripts to harvest email
addresses. These scripts basically run a brute force "attack" on a mail
server, trying a dictionary of common email addresses to see if they exist,
and they harvest the ones they can confirm as active.

With the VRFY command enabled this becomes incredibly easy; here is a
sample session:

J:\>netcat mail.gordano.com 25
220 mail.net-shopper.co.uk NTMail (v5.01.0003/AB0000.00.719cfeeb) ready for ESMTP transfer
vrfy johns
250 johns@net-shopper.co.uk <johns@net-shopper.co.uk>.
vrfy postmaster
250 postmaster@net-shopper.co.uk <postmaster@net-shopper.co.uk>.
vrfy xxxxx
557 String does not match anything.

As you can see, the mail server happily tells them not only when they hit an
active account, but it also gives them the domain name, making it very easy
to write a single script that can be used against ALL NTmail 4 or 5 servers
for email address harvesting.

Geo.
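The lesson of the post is that a "VRFY off" setting in a configuration screen has to be confirmed on the wire rather than trusted. The script below is an added example for this archive, not code from George's post, from NTmail or from CIS.EXE: it does the same two-probe check the transcript shows, against a mail server you administer, and reports whether a mailbox that must exist (postmaster) and a random name that cannot exist are answered with different reply codes. The host name is supplied by the caller, and the example.test transcripts are constructed stand-ins for a netcat session, not captures from any real server.

```python
"""Confirm whether an SMTP server still lets VRFY distinguish real mailboxes
from bogus ones. Added example; not part of the original post, NTmail, or CIS.EXE."""
import re
import secrets
import smtplib
import sys

# One SMTP reply line: three-digit code, then a space (final line) or a
# hyphen (continuation line), then the text.
SMTP_REPLY = re.compile(r"^(\d{3})[ -](.*)$")


def parse_reply(line):
    """Split a server reply such as '557 String does not match anything.'
    into (code, text). Returns None for anything that is not a reply line,
    e.g. a client command or a banner fragment wrapped onto its own line."""
    m = SMTP_REPLY.match(line.strip())
    if not m:
        return None
    return int(m.group(1)), m.group(2)


def vrfy_leaks(code_known, code_bogus):
    """VRFY is harmless only when a real mailbox and a name that cannot exist
    draw the same reply code (a server with VRFY really off answers 252 or
    502 to both). Any difference in code lets a harvester sort names into
    'exists' and 'does not exist', which is the problem the post shows."""
    return code_known != code_bogus


def audit_transcript(lines, known, bogus):
    """Evaluate a netcat-style session (client commands and server replies
    interleaved, as in the post). Returns ({name: code}, leaks)."""
    codes = {}
    pending = None
    for line in lines:
        words = line.strip().split()
        if len(words) == 2 and words[0].lower() == "vrfy":
            pending = words[1].lower()
            continue
        parsed = parse_reply(line)
        if parsed is not None and pending is not None:
            codes[pending] = parsed[0]
            pending = None
    return codes, vrfy_leaks(codes[known.lower()], codes[bogus.lower()])


def audit_live(host, known="postmaster", port=25, timeout=10):
    """Run the same two-probe check against a server you administer (host is
    a caller-supplied placeholder). 'postmaster' must exist per RFC 5321;
    the bogus name carries random hex so it cannot exist."""
    bogus = "vrfycheck" + secrets.token_hex(4)
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code_known, _ = smtp.verify(known)
        code_bogus, _ = smtp.verify(bogus)
    return {known: code_known, bogus: code_bogus}, vrfy_leaks(code_known, code_bogus)


# Constructed transcripts (not captured from any real server), modelled on the
# session quoted in the post: one that leaks, one with VRFY really off.
LEAKY_TRANSCRIPT = [
    "220 mail.example.test ESMTP ready",
    "vrfy postmaster",
    "250 postmaster@example.test <postmaster@example.test>.",
    "vrfy zq7x1pwv",
    "557 String does not match anything.",
]

HARDENED_TRANSCRIPT = [
    "220 mail.example.test ESMTP ready",
    "vrfy postmaster",
    "252 Cannot VRFY user, but will accept message and attempt delivery",
    "vrfy zq7x1pwv",
    "252 Cannot VRFY user, but will accept message and attempt delivery",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        codes, leaks = audit_live(sys.argv[1])
        print(codes, "VRFY enumerable" if leaks else "VRFY not enumerable")
    else:
        for label, lines in (("leaky", LEAKY_TRANSCRIPT), ("hardened", HARDENED_TRANSCRIPT)):
            codes, leaks = audit_transcript(lines, "postmaster", "zq7x1pwv")
            print(label, codes, "leaks" if leaks else "ok")
```

Run it with no arguments to see the two constructed transcripts classified, or with your own server's host name to issue the two VRFY probes over the network. The check deliberately compares reply codes rather than looking for a specific number: a 557 for the bogus name next to a 250 for postmaster is the leak in the post, but any pair of differing codes gives a harvester the same yes/no answer, whereas a uniform 252 or 502 gives away nothing.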
