[9867] in bugtraq


Re: SMTP server account probing

daemon@ATHENA.MIT.EDU (Nick Andrew)
Wed Mar 10 11:45:15 1999

Date: 	Wed, 10 Mar 1999 10:08:06 +1100
Reply-To: nick@ZETA.ORG.AU
From: Nick Andrew <nick@ZETA.ORG.AU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <4.1.19990309134938.0404a210@localhost> from "Brett Glass" at Mar
              9, 99 01:51:28 pm

Forwarding a message from Brett Glass:
> Unfortunately, the program was designed to defeat the "goaway" option by
> using RCPT TO: commands instead of VRFY commands. What's needed is
> the ability to kill the connection after more than two or three recipient
> names have generated errors.

Just modify your SMTP daemon to return the appropriate error code for
all RCPT TO requests after #25. They can continue to probe forever but all
probes will return false. It might be a good idea to also put a short
delay into the responses to probes (like 1 second).

If the other end actually tries to send a message after doing all this
probing, route the message to /dev/null (or drop it in a directory for
later examination).

Larger sites may wish to alter the threshold at which defence actions are
initiated.

Nick.
--
Zeta Internet                     SP4   Fax: +61-2-9233-6545 Voice: 9231-9400
G.P.O. Box 3400, Sydney NSW 1043        http://www.zeta.org.au/
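
The per-connection logic suggested in the message above, as an added example that is not part of the original post or of any real SMTP daemon. The class name, the 550 reply text, and the choice to apply the delay only after the threshold are assumptions; the threshold of 25 and the 1 second delay come from the message.

```python
import time

THRESHOLD = 25       # RCPT TO requests answered honestly (figure from the post)
DELAY_SECONDS = 1.0  # delay on post-threshold replies (figure from the post)
UNKNOWN = "550 User unknown"  # assumed reply text; must match the genuine failure


class SmtpSession:
    """RCPT TO accounting for one SMTP connection (hypothetical class)."""

    def __init__(self, valid_users, threshold=THRESHOLD, delay=DELAY_SECONDS,
                 sleep=time.sleep, tripped_disposition="discard"):
        self.valid_users = {u.lower() for u in valid_users}
        self.threshold = threshold
        self.delay = delay
        self.sleep = sleep  # injectable so tests do not actually wait
        self.tripped_disposition = tripped_disposition  # "discard" or "quarantine"
        self.rcpt_count = 0
        self.accepted = []

    @property
    def tripped(self):
        return self.rcpt_count > self.threshold

    def rcpt_to(self, address):
        self.rcpt_count += 1
        if self.tripped:
            # Past the threshold every address fails, real or not, with the
            # same text as a genuine failure, so probing learns nothing more.
            self.sleep(self.delay)
            return UNKNOWN
        if address.lower() in self.valid_users:
            self.accepted.append(address)
            return "250 Ok"
        return UNKNOWN

    def data(self):
        """Return (reply, disposition) for a message sent on this connection."""
        if not self.accepted:
            return "554 No valid recipients", None
        if self.tripped:
            # The client probed, then sent anyway: accept, but do not deliver.
            return "250 Ok", self.tripped_disposition
        return "250 Ok", "deliver"
```

The state is per connection, so a client that reconnects starts a fresh count; keying the counter on the client address instead would carry it across connections.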
