mailing list archives
Re: ESMTP service
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 27 Dec 2007 12:55:01 +0100
On 2007-12-25 Sun Z wrote:
One security issue would be that the SMTP service has commands to
ennumerate users of the machine
Wrong. SMTP provides commands to verify (not enumerate) a given address,
or to expand a given mailing list address to its members. In any case
you are dealing with mailboxes, not users. Mailboxes don't necessarily
represent user accounts on that machine.
The VRFY command can be turned off on most SMTP servers, too.
which can be used in brute force attempts, FTP and SSH for example.
FTP should've died a long time ago, and there are better ways to secure
SSH from brute force attacks than hiding login names. Public key
authentication comes to mind.
Besides, users' login names can usually be guessed most easily anyway,
so they shouldn't be considered a secret in the first place.
"All vulnerabilities deserve a public fear period prior to patches
--Jason Coombs on Bugtraq