Re: Pentesting Openmail Web login

To:	"Marco Ivaldi" <raptor@mediaservice.net>
Subject:	Re: Pentesting Openmail Web login
From:	"Bojan Zdrnja" <bojan.zdrnja@gmail.com>
Date:	Sat, 26 May 2007 12:02:13 +1200
Cc:	pen-test@securityfocus.com
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=a8zXOsnOWS7WpYptvU4UxtmimGAkiWmqEOXJoWJDANYoCQBEtgJcJs5K3Cmzjutq1KVLkOv7+6Rc92TB/zj5gjePiymgqjB0bNKYniPTs7zxsYjAw5tTIejCoByWfG1EaLCpdrUaL7zihYmXaBxWPQnQTY/fmCz6qEzw49PvNQ4=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=M3+HZCDUJD9xg7xNYlbD60gBWOGHsyEYDOskr39aOC5axOsdD1GiCrat4Yykx0JrVVqP0NJBwCCfWIG9cBXYCvkMXbdrWNUtQ5BUcqmw6dUL353rekvBoqi/IgtVv8b2aUAoCSKoxTbLEwGTvshpbwXZtrr6Rsr4pABTBOP4XoI=
In-reply-to:	<Pine.WNT.4.64.0705251226480.2884@PHEAR>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<679373278-1179969881-cardhu_blackberry.rim.net-1262565111-@bxe047-cell01.bisx.prod.on.blackberry> <7C16698DBDC0FE49B00A3582BE6E86D07DDCFA@HS01MS55.healthsouth.insidehrc.com> <Pine.WNT.4.64.0705251226480.2884@PHEAR>
Resent-date:	Fri, 25 May 2007 17:28:25 -0600 (MDT)
Resent-from:	pen-test-return-1078484261@securityfocus.com
Resent-message-id:	<20070525232825.E99A41447C0@outgoing2.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com

On 5/25/07, Marco Ivaldi <raptor@mediaservice.net> wrote:

On Thu, 24 May 2007, Clemens, Dan wrote:

> The use of SMTP command may help you - expn or vrfy will help you in
> enumerating accounts.

Sometimes, such as in this example, system users are leaked; sometimes
only email addresses can be recovered. In some situations, the latter may
be considered "a feature, not a bug" (tm), as for instance it helps to
keep a lower resource usage on servers heavily targeted by spam. YMMV.


It's all about balancing things, as always in security.

Regarding recovering e-mail addresses - it is a feature and it is
*definitely* NOT a bug. In fact, I would strongly recommend anyone not
doing this to start doing it.

The main problem here is that if you don't reject this e-mail in the
SMTP session then, according to the RFC, you MUST send a bounce back
(since you accepted that e-mail).

Now, regarding e-mail address harvesting, the attacker can harvest
them anyway if they setup a valid mailbox that was used as the
envelope sender (they'll receive the bounce anyway) but your server
had to send the bounce back which, in case of spam floods, can result
in backscatter. Exchange servers are notorious for this (they accept
everything and anything and then send bounces back).

Sure, you can configure your server not to send anything back but then
you are breaking the RFC(s) and you risk legitimate users not
receiving notifications when they mistyped a valid address.
You could possibly implement some thresholds and limit bounces, but
personally I don't see any benefit from this (especially since today
spammers brute force addresses anyway and just send millions of spam
without caring if it gets delivered or not).

Cheers,

Bojan

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
Pentesting Openmail Web login, s-williams Re: Pentesting Openmail Web login, Rodrigo Montoro (Sp0oKeR) Re: Pentesting Openmail Web login, s-williams Re: Pentesting Openmail Web login, Brent Wolfram Re: Pentesting Openmail Web login, Tremaine Lea Re: Pentesting Openmail Web login, sherwyn . williams RE: Pentesting Openmail Web login, Clemens, Dan RE: Pentesting Openmail Web login, Marco Ivaldi Re: Pentesting Openmail Web login, Bojan Zdrnja <= Re: Pentesting Openmail Web login, pagvac Re: Pentesting Openmail Web login, rajat swarup

Previous by Date:	RE: Private IP address with yahoo messenger, Pranay Kanwar
Next by Date:	Re: Most Successful Exploits/Tools to use against windows & Linux?, Morgan Reed
Previous by Thread:	RE: Pentesting Openmail Web login, Marco Ivaldi
Next by Thread:	Re: Pentesting Openmail Web login, pagvac
Indexes:	[Date] [Thread] [Top] [All Lists]