Results 1 to 4 of 4

Thread: User accounts via SMTP

  1. #1
    The Recidivist
    Join Date
    Nov 2002
    Posts
    460

    User accounts via SMTP

    Is it true one could get user account names somehow through SMTP? If so, how would you go about doing it?


    hjack
    "Where the tree of knowledge stands, there is always paradise": thus speak the oldest and the youngest serpents.
    - Friedrich Nietzsche

  2. #2
    Junior Member
    Join Date
    Jun 2003
    Posts
    5
    -Yes i believe so
    Sendmail and other programs like that are sometimes vulnerable for attackers to steal accounts from. As far as going about doing this it would require some extensive work to do. Of course all of this is just my personel knowledge and I don't know if it's totally accurate. My suggestion would be to do some research on the internet.

    Hope I helped
    ----------------------------------------
    The End is Near
    Can you hear it
    Smell It
    Taste It
    .........
    It is done
    ----------------------------------------

  3. #3
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    It's true that for some mail servers that are poorly configured, you can use SMTP to get lists of user names. The commands you're probably interested in are VRFY and EXPN. Take a look at RFC 821 for more information. This is becoming less of a problem now because most MTAs can easily be configured not to allow these commands to be used. Most spammers are use other ways to get email addresses like crawling web sites.

    Sendmail and other programs like that are sometimes vulnerable for attackers to steal accounts from. As far as going about doing this it would require some extensive work to do. Of course all of this is just my personel knowledge and I don't know if it's totally accurate. My suggestion would be to do some research on the internet.
    As for "extensive work" you can do this via telnet or automate it with a script so it's not exactly rocket science. It's just a matter of finding a mail server that allows these commands.
    OpenBSD - The proactively secure operating system.

  4. #4
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    The script I put out to identify mail relays also checks this. If you look into the script you will see how VRFY and EXPN work. The URL is as follows:

    http://www.antionline.com/showthread...hreadid=235929

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •