Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pentesting Openmail Web login
From: "Bojan Zdrnja" <bojan.zdrnja () gmail com>
Date: Sat, 26 May 2007 12:02:13 +1200

On 5/25/07, Marco Ivaldi <raptor () mediaservice net> wrote:
On Thu, 24 May 2007, Clemens, Dan wrote:

> The use of SMTP command may help you - expn or vrfy will help you in
> enumerating accounts.

Sometimes, such as in this example, system users are leaked; sometimes
only email addresses can be recovered. In some situations, the latter may
be considered "a feature, not a bug" (tm), as for instance it helps to
keep a lower resource usage on servers heavily targeted by spam. YMMV.

It's all about balancing things, as always in security.

Regarding recovering e-mail addresses - it is a feature and it is
*definitely* NOT a bug. In fact, I would strongly recommend anyone not
doing this to start doing it.

The main problem here is that if you don't reject this e-mail in the
SMTP session then, according to the RFC, you MUST send a bounce back
(since you accepted that e-mail).

Now, regarding e-mail address harvesting, the attacker can harvest
them anyway if they setup a valid mailbox that was used as the
envelope sender (they'll receive the bounce anyway) but your server
had to send the bounce back which, in case of spam floods, can result
in backscatter. Exchange servers are notorious for this (they accept
everything and anything and then send bounces back).

Sure, you can configure your server not to send anything back but then
you are breaking the RFC(s) and you risk legitimate users not
receiving notifications when they mistyped a valid address.
You could possibly implement some thresholds and limit bounces, but
personally I don't see any benefit from this (especially since today
spammers brute force addresses anyway and just send millions of spam
without caring if it gets delivered or not).

Cheers,

Bojan

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault