Hi,
I have IMail V6.06 with all the latest patches installed. I was playing
around with an administrative tool that lets you check if an email is
valid (exists) on a certain domain. Of course, this tool is used by many
spammers/hackers to find valid emails and logins. To my surprise, IMail was
vulnerable to this tool. It successfully verified the email accounts that I
have. I tried several accounts that I knew did not exist, and it verified
that.
I have all the security things enabled, including no SMTP VRFY. Why is this
behavior allowed? I even tried the utility on Ipswitch's server, and found
it also vulnerable. I personally think this is quite dangerous, as this can
be exploited to extract the user list available on your server. I tried
the utility on some other major websites (yahoo, cnn, hotmail) and some
other websites I know, and the tool could not verify the email addresses; it
basically gives a false positive to every attempt. IMail's behavior should
be the same.
The tool I used is available at:
http://www.glocksoft.com/?source=AATools
Any comments?
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/