| Field | Value |
|---|---|
| VID | 18040 |
| Severity | 20 |
| Port | 25 |
| Protocol | TCP |
| Class | SMTP |
| Detailed Description | The SMTP daemon accepts the RCPT TO command, and a side effect of many implementations of RCPT in SMTP servers is that the command can be used to verify which e-mail addresses are valid. Disabling the VRFY and EXPN commands is often thought to be sufficient to prevent information-gathering attacks; however, using a dictionary of candidate names with this method can still produce a list of users on the targeted SMTP server, and such lists are later used by spammers to send unsolicited mail to those accounts. You can test whether your SMTP server is vulnerable with the following steps: first issue `MAIL FROM: <iamaboy@my.com>`, then issue `RCPT TO: <testuser>`. If testuser exists on the target SMTP server, the response is `250 <testuser>... Sender ok`; if the user does not exist, the response is `550 <testuser>... User unknown`. References: http://www.iss.net/security_center/static/1928.php, http://www.securiteam.com/securitynews/2QUPQRPQKA.html |
| Recommendation | No effective solutions have been developed to prevent this method from being exploited. Mail administrators should pay close attention to the log files of the affected SMTP server. |
| Related URL | CVE-1999-0531 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | (ISS) |
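Since the recommendation above is to watch the server logs, the following added example (not part of this entry) flags a client that collects a burst of 5xx RCPT TO rejections inside a short window, which is what a dictionary probe looks like in the log; the log line format, addresses and threshold are constructed assumptions, not any real server's output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real server output): one line per RCPT TO
# response, in the form "<ISO timestamp> client=<ip> rcpt=<addr> code=<smtp code>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 client=203.0.113.5 rcpt=<alice> code=250
2024-05-01T10:00:02 client=203.0.113.5 rcpt=<aaron> code=550
2024-05-01T10:00:02 client=203.0.113.5 rcpt=<abby> code=550
2024-05-01T10:00:03 client=203.0.113.5 rcpt=<adam> code=550
2024-05-01T10:00:03 client=203.0.113.5 rcpt=<adrian> code=550
2024-05-01T10:00:04 client=203.0.113.5 rcpt=<alan> code=550
2024-05-01T10:00:05 client=203.0.113.5 rcpt=<albert> code=550
2024-05-01T10:30:00 client=198.51.100.7 rcpt=<bob> code=250
2024-05-01T10:31:00 client=198.51.100.7 rcpt=<bobb> code=550
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> code=(?P<code>\d{3})$"
)

def parse(lines):
    """Yield (timestamp, client_ip, code) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], int(m["code"])

def find_enumeration(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak count} for clients that received at least
    `threshold` 5xx RCPT TO rejections within one sliding `window`.
    A single 550 is normal (a typo); a burst from one client is the
    dictionary probe the description refers to."""
    recent = defaultdict(deque)   # ip -> timestamps of recent rejections
    peaks = {}
    for ts, ip, code in parse(lines):
        if code < 500:
            continue               # accepted recipients are not evidence
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop rejections older than the window
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

if __name__ == "__main__":
    for ip, n in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"possible RCPT TO enumeration from {ip}: {n} rejects in window")
```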