I downloaded the product and gave it a try. It works ... sort of. Here's
the first log entry, that verified the existence of a mail address:
09:18 20:20 SMTPD(03D40078) [216.198.221.162] connect 64.xxx.xx.75 port 1977
09:18 20:20 SMTPD(03D40078) [64.xxx.xx.75] HELO aol.com
09:18 20:20 SMTPD(03D40078) [64.xxx.xx.75] MAIL FROM:<[EMAIL PROTECTED]>
09:18 20:20 SMTPD(03D40078) [64.xxx.xx.75] RCPT TO:<[EMAIL PROTECTED]>
There's only one problem: While the dmoain ''foohbar.com'' is a domain on
my server with a virtual imail account. There is no user named ''blah@''
You can probably see where this is going: The ''nobody'' alias is sending
the mail to wherever and the above doesn't get bounced. Here's what happens
when I try the same test after deleting ''nobody'' from the alias list.
09:18 20:22 SMTPD(03D70078) [216.198.221.162] connect 64.xxx.xx.75 port 1979
09:18 20:22 SMTPD(03D70078) [64.xxx.xx.75] HELO aol.com
09:18 20:22 SMTPD(03D70078) [64.xxx.xx.75] MAIL FROM:<[EMAIL PROTECTED]>
09:18 20:22 SMTPD(03D70078) [64.xxx.xx.75] RCPT TO:<[EMAIL PROTECTED]>
09:18 20:22 SMTPD(03D70078) [64.xxx.xx.75] ERR msb1.mysecretbase.net invalid
user <[EMAIL PROTECTED]
about what you'd expect. So if they manage to try *every* possible
character combination (or have a lot of monkeys banging away on keyboards)
they can eventually find every account. But if you have ''nobody'' set up
they've got you every single time... which is a given when you do that sort
of thing, right?
-----------------------------------------
Matt Robertson [EMAIL PROTECTED]
MSB Designs, Inc. http://mysecretbase.com
-----------------------------------------
----- Original Message -----
From: "Len Conrad" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, September 18, 2001 5:45 PM
Subject: Re: [IMail Forum] imail allowing verification of email addresses
>I have all the security things enabled, including no SMTP VRFY. Why is this
>behavior allowed?
hmmm, the tool doesn�t use the SMTP VRFY command?
>I even tried the utility on ipswitch's server, and found
>it also vulnerable. I personally think this is quite dangerous as this can
>be exploited to extract the user list available on your server.
yep
http://www.glocksoft.com/?source=AATools
>Any comments?
how about you looking at your Imail logs and telling/showing us what this
tool does with SMTP commands to uncover your account names.
Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
