Bugtraq mailing list archives

Re: Is there user Anna at your host ?

From: "Tobias J. Kreidl" <Tobias.Kreidl () NAU EDU>
Date: Wed, 12 Sep 2001 11:20:05 -0700 (MST)

Josha Bronson wrote on Wed, 12 Sep 2001 10:12:56 -0700:

Wrong? No. Trivial? Up in the air. Enumeration of user names is
definitely an important step in attacking a system, but just a username
is not going to get you very much. Also, there are a number of other
methods that could be used, like searching for '@domain.tld', VRFY in
sendmail (as you mentioned) or good old fashion finger (yes a lot of
people still run fingerd).


Of course, you can always send loads of email messages to a machine
and track which messages didn't bounce (hence find out which ones work).
It's not very efficient, but sending bulk email is easy and routines like 
sendmail can handle thousands of small messages very efficiently.

Another alternative security measure for machines with user logins is to 
put the public_html areas on a disks that are exported to the web server
and hence at least hide to some degree the actual machine on which the
login account resides.

Tobias Kreidl
NAU/ITS, academic computing

Current thread:

Is there user Anna at your host ? Alexander A. Kelner (Sep 12)
- Re: Is there user Anna at your host ? Josha Bronson (Sep 12)
- Re: Is there user Anna at your host ? ET LoWNOISE (Sep 12)
- Re: Is there user Anna at your host ? Mariusz Woloszyn (Sep 13)
- <Possible follow-ups>
- RE: Is there user Anna at your host ? Andrew Hatfield (Sep 12)
- Re: Is there user Anna at your host ? Tobias J. Kreidl (Sep 12)
  - Re: Is there user Anna at your host ? Ram'on Reyes Carri'on (Sep 13)
- Re: Is there user Anna at your host ? Bill Munger (Sep 13)
  - Re: Is there user Anna at your host ? Heikki Korpela (Sep 13)
- Re: Is there user Anna at your host ? Tobias J. Kreidl (Sep 13)