That's called directory harvesting and it's hardly new. Most MTAs
implement tarpitting of some sort, to limit VRFY or RCPT commands from a
particular IP to a certain threshold, before they start slowing them down.
There are also ways to silently drop (or accept with routing to
/dev/null) a session for a recipient that isn't in an external database
(eg: LDAP) -- and while this breaks the RFC, people do it anyway.
Ever looked at a Hotmail spam message? There will be 50 recipients ..
gbush@, hbush@, jbush@, kbush@, etc. The ones that bounce aren't real
and get rejected. Those that don't come back get added as "valid" for
the second round.
~Mike.
Dave Korn wrote:
[EMAIL PROTECTED] wrote:
whitehouse.gov MX 100 mailhub-wh2.whitehouse.gov
[EMAIL PROTECTED]:~$
[EMAIL PROTECTED]:~$ telnet mailhub-wh2.whitehouse.gov 25
Trying 63.161.169.140...
Connected to mailhub-wh2.whitehouse.gov.
Escape character is '^]'.
220 whitehouse.gov ESMTP service at Sun, 12 Feb 2006 11:29:38 -0500 (EST)
helo jojo
250 esgeop03.whitehouse.gov Hello [xxx.xxx.xxx.xxx], pleased to meet you
mail from:[EMAIL PROTECTED]
250 2.1.0 [EMAIL PROTECTED] Sender ok
rcpt to:[EMAIL PROTECTED]
550 5.1.1 [EMAIL PROTECTED] User unknown
rcpt to:[EMAIL PROTECTED]
250 2.1.5 [EMAIL PROTECTED] Recipient ok
quit
221 2.0.0 esgeop03.whitehouse.gov closing connection
Connection closed by foreign host.
User enumeration at the whitehouse
Tell DHS at once! What would happen if Al-Qaeda could figure out that
there was a president in the whitehouse?
cheers,
DaveK
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
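
The per-IP tarpitting described in the reply above, sketched as an added example that is not part of the original thread or taken from any MTA: the class name, thresholds, and log format are hypothetical, and counting 55x replies (rather than every RCPT/VRFY command) is an assumption.

```python
from collections import defaultdict, deque


class RcptTarpit:
    """Per-IP tarpit: a few free rejections, then an escalating stall."""

    def __init__(self, threshold=3, window=60.0, base_delay=2.0, max_delay=30.0):
        self.threshold = threshold      # rejections tolerated per window
        self.window = window            # sliding window, seconds
        self.base_delay = base_delay    # first stall once over threshold
        self.max_delay = max_delay      # cap so sessions are not held forever
        self._rejects = defaultdict(deque)  # ip -> timestamps of 55x replies

    def delay_for(self, ip, now, reply_code):
        """Record one RCPT/VRFY reply; return seconds to stall before sending it."""
        q = self._rejects[ip]
        while q and now - q[0] > self.window:   # forget rejections outside window
            q.popleft()
        if reply_code.startswith("55"):         # e.g. 550 5.1.1 User unknown
            q.append(now)
        over = len(q) - self.threshold
        if over <= 0:
            return 0.0
        # Delay doubles per extra rejection and applies to every later reply.
        return min(self.base_delay * 2 ** (over - 1), self.max_delay)


# Constructed sample: "<seconds> <client-ip> <verb> <reply-code>" per line.
SAMPLE_LOG = """\
0.0 192.0.2.10 RCPT 550
1.0 192.0.2.10 RCPT 550
2.0 192.0.2.10 VRFY 550
2.5 198.51.100.7 RCPT 250
3.0 192.0.2.10 RCPT 550
4.0 192.0.2.10 RCPT 250
5.0 192.0.2.10 RCPT 550
200.0 192.0.2.10 RCPT 550
"""


def replay(log, tarpit=None):
    """Feed log lines through the tarpit; return [(ip, stall_seconds), ...]."""
    tarpit = tarpit or RcptTarpit()
    out = []
    for line in log.splitlines():
        ts, ip, verb, code = line.split()
        if verb in ("RCPT", "VRFY"):
            out.append((ip, tarpit.delay_for(ip, float(ts), code)))
    return out


if __name__ == "__main__":
    for ip, delay in replay(SAMPLE_LOG):
        print(f"{ip} stall {delay:.0f}s")
```

The stall also applies to the accepted recipient at t=4.0, so a harvesting client cannot tell valid from invalid addresses by reply latency once it is over the threshold.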