[9876] in bugtraq
Re: SMTP server account probing
daemon@ATHENA.MIT.EDU (Ryan Permeh)
Wed Mar 10 14:50:15 1999
Date: 	Tue, 9 Mar 1999 15:20:44 -0600
Reply-To: Ryan Permeh <rrpermeh@RCONNECT.COM>
From: Ryan Permeh <rrpermeh@RCONNECT.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199903091732.JAA15133@mailhost.lainet.com>
This is a good idea, but the problem with this program is that it acts like
it were sending mail to a user, not using the VRFY command, but the RCPT
to: command, as any normal mail user agent would.
I have been playing around with an idea that would send false rcpt to
errors after a certain number of failures.  This would, at the very least,
not give the program any more information than the first couple rcpt to:,
until a certain number of bad rcpt to:'s happen.
There are other ways of doing this, that are not appropriate for this use,
that limit the total number of RCPT to:'s accepted.  This can be done (at
least in 8.9.3) using the :
O MaxRecipientsPerMessage
directive in the sendmail.cf file.
Ryan Permeh
At 09:36 AM 3/9/99 -0800, you wrote:
>>In this attack, an SMTP server is probed for common names, presumably
>>so that spam can then be targeted at them. The attacking machine
>>connects and issues hundreds of RCPT TO: commands, searching a long
>>list of common user names (e.g. susan) for ones that don't cause
>>errors. It then compiles a list of target addresses to spam.
>
>This is a good reason for sendmail users to add the following to their .cf
>files:
>
>
>O PrivacyOptions=goaway
>
>
>This will prevent VRFY and EXPN commands from functioning at all and
>releasing correct addresses.
>
>>Unfortunately, the attack -- besides allowing the perpetrator to spam
>>users -- also brings SMTP servers to their knees. This happens most
>>often if the server maintains lists of user names in a database where
>>looking up a name requires substantial disk activity or computational
>>overhead.
>
>While the 'goaway' option may not prevent the program from continuing to
>verify addresses, it will keep your users' addresses from being picked up by
>the program.
>
>Perhaps someone with better sendmail experience could come up with an idea
>to automatically disconnect connections that are issuing more than 25 VRFY
>statements at a time?
>
>Cheers,
>John E. Martin
>
Ryan R Permeh       E-MAIL: rrpermeh@rconnect.com   rrpermeh@resinc.net
IS Engineer         WEB   : http://www.rconnect.com   http://www.response.net
Rural Connections / HELP  : help@rconnect.com
Response Inc.       FAQ   : http://www.rconnect.com/help
                    SALES : sales@rconnect.com   sales@resinc.net
------------------------------------------------------------
120 First Street NE   PHONE : (507) 281-5005
Rochester, MN 55906   FAX   : (507) 281-9272
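
Added example (not part of the original message and not sendmail code): a per-connection model of the two limits discussed above, false RCPT TO errors once a number of failures is reached and a cap on accepted recipients. The mailbox names, thresholds, reply texts and the `replay` helper are constructed assumptions.

```python
# Per-session RCPT TO policy model. User names, limits and reply texts are
# constructed for illustration; this is not how sendmail implements anything.
VALID_USERS = {"susan", "postmaster"}   # constructed sample mailbox list


class RcptSession:
    """Tracks the RCPT TO commands seen on one SMTP connection."""

    def __init__(self, max_bad=3, max_rcpts=20):
        self.max_bad = max_bad        # bad recipients tolerated before false errors
        self.max_rcpts = max_rcpts    # cap on accepted recipients per message
        self.bad = 0
        self.accepted = []

    def rcpt_to(self, address):
        local = address.strip("<>").split("@", 1)[0].lower()
        # Past the failure threshold every reply is the same error, so the
        # answers no longer reveal which names exist.
        if self.bad >= self.max_bad:
            return "550 User unknown"
        if local not in VALID_USERS:
            self.bad += 1
            return "550 User unknown"
        if len(self.accepted) >= self.max_rcpts:
            return "452 Too many recipients"
        self.accepted.append(local)
        return "250 Recipient ok"


def replay(names, **limits):
    """Feed RCPT TO attempts to one session; return the names answered 250."""
    session = RcptSession(**limits)
    return [n for n in names
            if session.rcpt_to(f"<{n}@example.com>").startswith("250")]


if __name__ == "__main__":
    # Constructed sample: a name list with valid users mixed in.
    wordlist = ["alice", "bob", "susan", "carol", "dave", "postmaster"]
    print(replay(wordlist))                  # threshold of 3 bad names
    print(replay(wordlist, max_bad=100))     # threshold effectively off
```

With the threshold at 3, "postmaster" is reported unknown because it is tried after the third failure; a legitimate sender that trips the threshold would see the same false error for valid recipients, which is the trade-off in picking the limit.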