>I have imail V6.06 with all the latest patches installed. I was playing
>around with an administrative tool that lets you check if an email is
>valid (exists) on a certain domain. Of course, this tool is used by many
>spammers/hackers to find valid emails and logins. To my surprise, imail was
>vulnerable to this tool.
All mail servers are, unless they accept all mail (including mail to
non-existent accounts, which is frowned upon). If you want to see if
"[EMAIL PROTECTED]" is a valid E-mail address, just try sending mail to
it. If it goes through, the account exists; if you get a bounce message,
it doesn't. The hacker tools are simply an automated way of doing that
more easily.
>I have all the security things enabled, including no SMTP VRFY. Why is this
>behavior allowed? I even tried the utility on ipswitch's server, and found
>it also vulnerable.
And MSN's mail server, etc.
>I personally think this is quite dangerous as this can
>be exploited to extract the user list available on your server.
That's a problem with SMTP that is pretty much unavoidable.
>I tried the utility on some other major websites (yahoo, cnn, hotmail) and some
>other websites I know, and the tool could not verify the email addresses; it
>basically gives a false positive to every attempt. imail's behavior should
>be the same.
I just checked manually at Hotmail, telnetting to one of their mail servers,
and entering "HELO test", "MAIL FROM: <>", "RCPT TO:
<[EMAIL PROTECTED]>" (actually, a random address, as
[EMAIL PROTECTED] probably exists), and it let me know the account
did not exist. It sounds like the hacker tool was poorly designed, as many
are.
-Scott
---
Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
IMail. http://www.declude.com
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
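The RCPT TO refusals Scott describes are also what an enumeration run looks like from the server side, and a mail admin can spot it in the logs. As an added example (not code from the thread, from IMail or from Declude), here is a small Python script that flags clients whose RCPT TO commands are refused for many distinct addresses; the log format and the sample lines are constructed, so adapt LINE_RE to your own server's logs.

```python
import re
from collections import defaultdict

# Added example, not code from the thread. Log format is a constructed,
# simplified one; adapt LINE_RE to your own mail server's log format.
# Sample lines (constructed): 203.0.113.5 probes many addresses, most
# unknown; 198.51.100.7 sends normal mail with one mistyped recipient.
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.5 cmd=RCPT to=<alice@example.com> code=550
2024-05-01T10:00:01 client=203.0.113.5 cmd=RCPT to=<bob@example.com> code=250
2024-05-01T10:00:02 client=203.0.113.5 cmd=RCPT to=<carol@example.com> code=550
2024-05-01T10:00:02 client=203.0.113.5 cmd=RCPT to=<dave@example.com> code=550
2024-05-01T10:00:03 client=203.0.113.5 cmd=RCPT to=<erin@example.com> code=550
2024-05-01T10:05:00 client=198.51.100.7 cmd=RCPT to=<bob@example.com> code=250
2024-05-01T10:05:30 client=198.51.100.7 cmd=RCPT to=<bobb@example.com> code=550
2024-05-01T10:06:00 client=198.51.100.7 cmd=RCPT to=<bob@example.com> code=250
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) cmd=RCPT to=<(?P<rcpt>[^>]*)> code=(?P<code>\d{3})"
)

def parse_rcpt_events(log_text):
    """Yield (client, recipient, code) for each RCPT TO line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["client"], m["rcpt"].lower(), int(m["code"])

def find_enumerators(log_text, min_rejected=4, min_reject_ratio=0.6):
    """Map client -> (distinct rejected recipients, total RCPTs) for clients
    refused for >= min_rejected distinct addresses where refusals are also
    >= min_reject_ratio of their RCPT commands. Thresholds are illustrative."""
    rejected = defaultdict(set)   # client -> recipients refused with 550
    total = defaultdict(int)      # client -> number of RCPT TO commands
    for client, rcpt, code in parse_rcpt_events(log_text):
        total[client] += 1
        if code == 550:
            rejected[client].add(rcpt)
    flagged = {}
    for client, n in total.items():
        bad = len(rejected[client])
        if bad >= min_rejected and bad / n >= min_reject_ratio:
            flagged[client] = (bad, n)
    return flagged

if __name__ == "__main__":
    for client, (bad, n) in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {bad} unknown recipients in {n} RCPT commands")
```

Feeding the flagged clients into a rate limit or a tarpit is the usual follow-up, since, as the thread notes, the disclosure itself cannot be removed from SMTP without accepting mail for every address.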