Re: Re: User Enumeration Flaw
From: Michael Holstein <michael.holstein () csuohio edu>
Date: Tue, 21 Feb 2006 08:26:47 -0500
That's called directory harvesting and it's hardly new. Most MTAs
implement tarpitting of some sort, to limit VRFY or RCPT commands from a
particular IP to a certain threshold, before they start slowing them down.
There are also ways to silently drop (or accept with routing to
/dev/null) a session for a recipient that isn't in an external database
(eg: LDAP) -- and while this breaks the RFC, people do it anyway.
Ever looked at a Hotmail spam message? There will be 50 recipients ..
gbush@, hbush@, jbush@, kbush@, etc. the ones that bounce aren't real
and get rejected. Those that don't come back get added as "valid" for
the second round.
Dave Korn wrote:
Mar.Shatz () education gov il wrote:
whitehouse.gov MX 100 mailhub-wh2.whitehouse.gov
noone () box:~$
noone () box:~$ telnet mailhub-wh2.whitehouse.gov 25
Connected to mailhub-wh2.whitehouse.gov.
Escape character is '^]'.
220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500 (EST)
helo jojo
250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet you
mail from:bob () com com
250 2.1.0 bob () com com Sender ok
rcpt to:gbush () whitehouse gov
550 5.1.1 gbush () whitehouse gov User unknown
rcpt to:president () whitehouse gov
250 2.1.5 president () whitehouse gov Recipient ok
221 2.0.0 esgeop03.whitehouse.gov closing connection
Connection closed by foreign host.
User enumeration at the whitehouse
Tell DHS at once! What would happen if Al-Qaeda could figure out that
there was a president in the whitehouse?
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/
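
The per-IP tarpitting mentioned in the reply above, sketched as an added example that is not part of the original thread or any MTA's own code. The class name, threshold, window and delay values are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict, deque

class RcptTarpit:
    """Count 'user unknown' RCPT/VRFY results per client IP in a sliding window."""

    def __init__(self, threshold=3, window=300.0, base_delay=2.0, max_delay=60.0):
        self.threshold = threshold    # misses tolerated before slowing down
        self.window = window          # seconds a miss stays on the books
        self.base_delay = base_delay  # first stall, doubled per extra miss
        self.max_delay = max_delay    # cap so a session is never held forever
        self._misses = defaultdict(deque)

    def record(self, ip, recipient_exists, now):
        """Log one RCPT/VRFY result and return seconds to stall the reply."""
        q = self._misses[ip]
        while q and now - q[0] > self.window:
            q.popleft()               # forget misses older than the window
        if not recipient_exists:
            q.append(now)
        over = len(q) - self.threshold
        if over <= 0:
            return 0.0
        # The stall applies to valid recipients too, so timing does not
        # tell the client which addresses exist.
        return min(self.base_delay * 2 ** (over - 1), self.max_delay)

def replay(events, tarpit):
    """Feed (time, ip, recipient_exists) tuples through the tarpit."""
    return [tarpit.record(ip, ok, t) for t, ip, ok in events]

# Constructed sample: one client guessing names, one ordinary sender.
EVENTS = [
    (0, "192.0.2.10", False),
    (1, "192.0.2.10", False),
    (2, "192.0.2.10", False),
    (3, "192.0.2.10", False),
    (4, "192.0.2.10", False),
    (5, "198.51.100.7", True),
    (6, "192.0.2.10", True),
    (400, "192.0.2.10", False),
]

if __name__ == "__main__":
    print(replay(EVENTS, RcptTarpit()))
```
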