Full Disclosure mailing list archives

Re: Re: User Enumeration Flaw
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 21 Feb 2006 08:26:47 -0500

That's called directory harvesting and it's hardly new. Most MTAs implement tarpitting of some sort, to limit VRFY or RCPT commands from a particular IP to a certain threshold, before they start slowing them down.

There are also ways to silently drop (or accept with routing to /dev/null) a session for a recipient that isn't in an external database (eg: LDAP) -- and while this breaks the RFC, people do it anyway.

Ever looked at a Hotmail spam message? There will be 50 recipients ..

gbush@, hbush@, jbush@, kbush@, etc. The ones that bounce aren't real and get rejected. Those that don't come back get added as "valid" for the second round.


Dave Korn wrote:
Mar.Shatz () education gov il wrote:

whitehouse.gov          MX      100 mailhub-wh2.whitehouse.gov
noone () box:~$
noone () box:~$ telnet mailhub-wh2.whitehouse.gov 25
Connected to mailhub-wh2.whitehouse.gov.
Escape character is '^]'.
220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500 (EST)
helo jojo
250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet you
mail from:bob () com com
250 2.1.0 bob () com com    Sender ok
rcpt to:gbush () whitehouse gov
550 5.1.1 gbush () whitehouse gov    User unknown
rcpt to:president () whitehouse gov
250 2.1.5 president () whitehouse gov    Recipient ok
221 2.0.0 esgeop03.whitehouse.gov closing connection
Connection closed by foreign host.

User enumeration at the whitehouse

Tell DHS at once! What would happen if Al-Qaeda could figure out that there was a president in the whitehouse?

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
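
The tarpitting mentioned in the reply above, sketched as an added example (not part of the original post and not any particular MTA's code): a per-IP sliding window counts rejected recipients and stalls replies once a threshold is passed. The class name, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class RcptTarpit:
    """Per-IP sliding window of rejected RCPT/VRFY commands (hypothetical policy)."""

    def __init__(self, threshold=3, window=60.0, base_delay=1.0, max_delay=30.0):
        self.threshold = threshold    # rejections tolerated per window
        self.window = window          # seconds a rejection stays counted
        self.base_delay = base_delay  # first stall once over threshold
        self.max_delay = max_delay    # cap so sessions are slowed, not hung
        self._rejects = defaultdict(deque)

    def delay_for(self, ip, reply_code, now):
        """Record one reply to `ip`; return seconds to stall before sending it."""
        q = self._rejects[ip]
        while q and now - q[0] > self.window:
            q.popleft()               # forget rejections older than the window
        if reply_code == 550:         # "User unknown" style rejection
            q.append(now)
        excess = len(q) - self.threshold
        if excess <= 0:
            return 0.0
        # Double the stall for every rejection past the threshold.
        return min(self.base_delay * 2 ** (excess - 1), self.max_delay)


def replay(events, tarpit):
    """Feed (ip, time, reply_code) tuples through the policy; collect delays per IP."""
    delays = defaultdict(list)
    for ip, now, code in events:
        delays[ip].append(tarpit.delay_for(ip, code, now))
    return dict(delays)


# Constructed sample: one client guessing recipients, one with a single typo.
SAMPLE = [
    ("192.0.2.10", 0, 550), ("198.51.100.7", 0, 550),
    ("192.0.2.10", 1, 550), ("198.51.100.7", 1, 250),
    ("192.0.2.10", 2, 550), ("192.0.2.10", 3, 550),
    ("192.0.2.10", 4, 550), ("192.0.2.10", 5, 250),
    ("192.0.2.10", 70, 550),
]

if __name__ == "__main__":
    for ip, d in replay(SAMPLE, RcptTarpit()).items():
        print(ip, d)
```

The client with one mistyped recipient is never delayed, while the guessing client is stalled from its fourth rejection until its earlier rejections age out of the window.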
