On Mon, June 13, 2016 14:25, Wietse Venema wrote:
> James B. Byrne:
>> However, the question arises as to how these local delivery addresses
>> are being harvested? Some of these are used very infrequently and
>> some of them have not been active for years. It seems remarkable that
>> addresses that are known to only be used for one purpose, say bugzilla
>> or redhat network, are found in these attacks.
>
> The names may have been harvested from a compromised user machine.
>
>> Is there some way for remote unauthenticated users to query postfix in
>> such a fashion as to effectively walk the virtual domain list for
>> local delivery addresses? If so then what is it and how can it be
>> prevented? Or should it?
>
> As far as I know, there is no SMTP command to 'list' a local database.
> That is, unless there is some kind of LDAP or SQL injection bug.
>
> Wietse
>
These delivery names are only found in /etc/postfix/virtual. There is no LDAP service or RDBMS involved whatsoever. As far as I can tell there would be no reason for any user machine to have them listed, as they exist solely to map incoming mail to specific imap subfolders. It may very well be that these people attempting to break in have gone to the internet hunting for every revealed variant address. But that in itself seems even more worrying.

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
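An added detection example, not code from the thread or from Postfix itself: it scans Postfix smtpd log lines (constructed samples embedded inline) for a single client that tries many recipients rejected as unknown in the virtual alias table, or that repeatedly fails SASL authentication, which is what attempts using harvested addresses look like on the receiving server. The thresholds and the `summarize`/`flag_clients` names are assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log format (not from the thread).
SAMPLE_LOG = """\
Jun 13 14:25:01 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <bugzilla@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<bugzilla@example.com> proto=ESMTP helo=<probe>
Jun 13 14:25:02 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <rhn@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<rhn@example.com> proto=ESMTP helo=<probe>
Jun 13 14:25:03 mx postfix/smtpd[4321]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <lists@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<x@example.net> to=<lists@example.com> proto=ESMTP helo=<probe>
Jun 13 14:26:10 mx postfix/smtpd[4330]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 14:26:11 mx postfix/smtpd[4330]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Jun 13 14:30:00 mx postfix/smtpd[4350]: NOQUEUE: reject: RCPT from mail.example.org[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in virtual alias table; from=<a@example.org> to=<typo@example.com> proto=ESMTP helo=<mail.example.org>
"""

# Rejection of a recipient that is not in the virtual alias table.
UNKNOWN_RCPT = re.compile(
    r"RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 <(?P<rcpt>[^>]+)>: "
    r"Recipient address rejected: User unknown in virtual alias table")
# Failed SASL login attempt against smtpd.
SASL_FAIL = re.compile(r"warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed")


def summarize(log_text):
    """Per client IP: the set of distinct unknown recipients tried and the SASL failure count."""
    rcpts = defaultdict(set)
    sasl = defaultdict(int)
    for line in log_text.splitlines():
        m = UNKNOWN_RCPT.search(line)
        if m:
            rcpts[m["ip"]].add(m["rcpt"].lower())
            continue
        m = SASL_FAIL.search(line)
        if m:
            sasl[m["ip"]] += 1
    return rcpts, sasl


def flag_clients(log_text, rcpt_threshold=3, sasl_threshold=2):
    """Clients exceeding either threshold; a single typo from a real peer is left alone."""
    rcpts, sasl = summarize(log_text)
    flagged = {}
    for ip in set(rcpts) | set(sasl):
        n_rcpt, n_sasl = len(rcpts.get(ip, ())), sasl.get(ip, 0)
        if n_rcpt >= rcpt_threshold or n_sasl >= sasl_threshold:
            flagged[ip] = {"unknown_recipients": n_rcpt, "sasl_failures": n_sasl}
    return flagged


if __name__ == "__main__":
    for ip, counts in flag_clients(SAMPLE_LOG).items():
        print(ip, counts)
```

Feed it the relevant portion of the mail log to see which peers are cycling through addresses or passwords; the legitimate sender with one mistyped recipient (198.51.100.7 in the sample) is not reported.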