Re: SMTP server account probing

From: Ryan Permeh (rrpermehat_private)
Date: Tue Mar 09 1999 - 13:20:44 PST


    This is a good idea, but the problem with this program is that it acts like
    it were sending mail to a user, not using the VRFY command, but the RCPT
    to: command, as any normal mail user agent would.
    
    I have been playing around with an idea that would send false rcpt to
    errors after a certain number of failures.  This would, at the very least,
    not give the program any more information than the first couple rcpt to:,
    until a certain number of bad rcpt to:'s happen.
    
    There are other ways of doing this, which are not appropriate for this use,
    that limit the total number of RCPT to:'s accepted.  This can be done (at
    least in 8.9.3) using the:
    O MaxRecipientsPerMessage
    directive in the sendmail.cf file.
    
    Ryan Permeh
    
    
    At 09:36 AM 3/9/99 -0800, you wrote:
    >>In this attack, an SMTP server is probed for common names, presumably
    >>so that spam can then be targeted at them. The attacking machine
    >>connects and issues hundreds of RCPT TO: commands, searching a long
    >>list of common user names (e.g. susan) for ones that don't cause
    >>errors. It then compiles a list of target addresses to spam.
    >
    >This is a good reason for sendmail users to add the following to their .cf
    >files:
    >
    >
    >O PrivacyOptions=goaway
    >
    >
    >This will prevent VRFY and EXPN commands from functioning at all and
    >releasing correct addresses.
    >
    >>Unfortunately, the attack -- besides allowing the perpetrator to spam
    >>users -- also brings SMTP servers to their knees. This happens most
    >>often if the server maintains lists of user names in a database where
    >>looking up a name requires substantial disk activity or computational
    >>overhead.
    >
    >While the 'goaway' option may not prevent the program from continuing to
    >verify addresses, it will keep your users' addresses from being picked up by
    >the program.
    >
    >Perhaps someone with better sendmail experience could come up with an idea
    >to automatically disconnect connections that are issuing more than 25 VRFY
    >statements at a time?
    >
    >Cheers,
    >John E. Martin
    >
    Ryan R Permeh      	E-MAIL: rrpermehat_private   rrpermehat_private    
    IS Engineer       		WEB   : http://www.rconnect.com 	http://www.response.net
    Rural Connections /   HELP  : helpat_private      
    Response Inc.        	FAQ   : http://www.rconnect.com/help   
                          		SALES : salesat_private 		salesat_private
    ------------------------------------------------------------
    120 First Street NE   PHONE : (507) 281-5005          
    Rochester, MN 55906   FAX   : (507) 281-9272      
    
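    The per-session policy Ryan sketches above (stop distinguishing good from bad RCPT TO: replies once a connection has produced a few failures, and cap recipients per message as MaxRecipientsPerMessage does) can be modelled in a few lines. This is an added example, not code from the thread or from sendmail; the class and function names, the thresholds and the LOCAL_USERS set are all assumptions chosen for illustration.

```python
# Added illustration of the "false RCPT TO errors after N failures" idea from
# the message above. Not sendmail code; names and thresholds are assumptions.
from dataclasses import dataclass, field

# Constructed set of local mailboxes; a real MTA would consult its alias/passwd maps.
LOCAL_USERS = {"susan", "postmaster", "webmaster"}


@dataclass
class Session:
    rcpt_failures: int = 0   # RCPT TO:'s in this connection that named no local user
    rcpt_accepted: int = 0   # recipients accepted for the current message
    degraded: bool = False   # once set, replies no longer reveal whether a user exists


@dataclass
class RcptPolicy:
    max_failures: int = 3       # bad RCPT TO:'s tolerated before replies go uniform
    max_recipients: int = 100   # analogous to sendmail's MaxRecipientsPerMessage
    sessions: dict = field(default_factory=dict)

    def on_rcpt(self, session_id: str, address: str) -> str:
        """Return the SMTP reply line for one RCPT TO: on the given connection."""
        s = self.sessions.setdefault(session_id, Session())
        local_part = address.split("@", 1)[0].lower()
        if s.rcpt_accepted >= self.max_recipients:
            return "452 4.5.3 Too many recipients"
        if s.degraded:
            # Same answer for valid and invalid names: after the threshold the
            # prober learns nothing it did not already have. Legitimate senders
            # who hit this get a temporary failure and simply retry later.
            return "450 4.7.1 Recipient address rejected, try again later"
        if local_part in LOCAL_USERS:
            s.rcpt_accepted += 1
            return "250 2.1.5 Recipient ok"
        s.rcpt_failures += 1
        if s.rcpt_failures >= self.max_failures:
            s.degraded = True
        return "550 5.1.1 User unknown"


def probe_run(policy: RcptPolicy, session_id: str, addresses) -> list:
    """Replay a list of RCPT TO: addresses on one session and collect the replies."""
    return [policy.on_rcpt(session_id, a) for a in addresses]


if __name__ == "__main__":
    policy = RcptPolicy(max_failures=3)
    # Constructed dictionary-style probe: several bad names, one real one late.
    guesses = ["alice@example.org", "bob@example.org", "carol@example.org",
               "dave@example.org", "susan@example.org"]
    for addr, reply in zip(guesses, probe_run(policy, "conn-1", guesses)):
        print(f"RCPT TO:<{addr}> -> {reply}")
```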



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:38:35 PDT