Home page logo

basics logo Security Basics mailing list archives

Re: ESMTP service
From: Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>
Date: Thu, 27 Dec 2007 12:55:01 +0100

On 2007-12-25 Sun Z wrote:
One security issue would be that the SMTP service has commands to
ennumerate users of the machine

Wrong. SMTP provides commands to verify (not enumerate) a given address,
or to expand a given mailing list address to its members. In any case
you are dealing with mailboxes, not users. Mailboxes don't necessarily
represent user accounts on that machine.

The VRFY command can be turned off on most SMTP servers, too.

which can be used in brute force attempts, FTP and SSH for example.

FTP should've died a long time ago, and there are better ways to secure
SSH from brute force attacks than hiding login names. Public key
authentication comes to mind.

Besides, users' login names can usually be guessed most easily anyway,
so they shouldn't be considered a secret in the first place.

Ansgar Wiechers
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]