SMTP server account probing

From: Brett Glass (brettat_private)
Date: Mon Mar 08 1999 - 11:13:22 PST


    Several ISPs throughout the Net are reporting an attack described at
    
    http://www.l8r.com/nwa/nwa1.htm
    
    In this attack, an SMTP server is probed for common names, presumably
    so that spam can then be targeted at them. The attacking machine
    connects and issues hundreds of RCPT TO: commands, searching a long
    list of common user names (e.g. susan) for ones that don't cause
    errors. It then compiles a list of target addresses to spam.
    
    Unfortunately, the attack -- besides allowing the perpetrator to spam
    users -- also brings SMTP servers to their knees. This happens most
    often if the server maintains lists of user names in a database where
    looking up a name requires substantial disk activity or computational
    overhead.
    
    Some people whose domain names have been hard-coded into a commercial
    program designed to implement this attack have responded with outrage,
    e.g.
    
    http://www.junk.org/earthonline/
    
    I'm surprised that I haven't seen this one on the Bugtraq list yet.
    
    --Brett Glass
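
The probing pattern described in the message above (one client issuing many RCPT TO: commands, most of which are rejected) can be detected from server logs. The following is an added example, not part of the original post; the log format, addresses, names and thresholds are constructed assumptions, not those of any particular mail server.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real MTA's):
#   <epoch-seconds> <client-ip> RCPT <address> <smtp-reply-code>
LINE = re.compile(r"^(\d+) (\S+) RCPT <([^@>]+)@[^>]+> (\d{3})$")

def find_rcpt_probers(lines, window=60, max_rejects=5):
    """Return {client_ip: [guessed local parts]} for clients that receive 5xx
    replies for max_rejects or more distinct recipients within `window` seconds."""
    rejects = defaultdict(list)   # ip -> [(timestamp, local_part)], rejected only
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue              # ignore lines outside the assumed format
        ts, ip, local, code = int(m[1]), m[2], m[3].lower(), m[4]
        if not code.startswith("5"):
            continue              # accepted recipients are not evidence of guessing
        hits = rejects[ip]
        hits.append((ts, local))
        # Sliding window: forget rejections older than `window` seconds.
        while hits and hits[0][0] <= ts - window:
            hits.pop(0)
        distinct = {name for _, name in hits}
        if len(distinct) >= max_rejects:
            flagged.setdefault(ip, set()).update(distinct)
    return {ip: sorted(names) for ip, names in flagged.items()}

# Constructed sample data (documentation address ranges, made-up names).
NAMES = ["alice", "bob", "carol", "dave", "erin", "frank"]
SAMPLE = [f"{1000 + i} 192.0.2.10 RCPT <{n}@example.net> 550"
          for i, n in enumerate(NAMES)]                 # rapid guessing
SAMPLE += [
    "1003 192.0.2.10 RCPT <susan@example.net> 250",     # one guess that exists
    "1010 198.51.100.7 RCPT <susam@example.net> 550",   # ordinary typo
    "1020 198.51.100.7 RCPT <susan@example.net> 250",
    "1900 198.51.100.7 RCPT <jo@example.net> 550",
]
SAMPLE += [f"{1000 + 600 * i} 203.0.113.5 RCPT <old{i}@example.net> 550"
           for i in range(5)]                           # stale list, slow sender

if __name__ == "__main__":
    for ip, names in find_rcpt_probers(SAMPLE).items():
        print(f"{ip}: {len(names)} rejected recipients in one window: {names}")
```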
    


