I have in the past. Since, I try and avoid mail servers with VRFY.
-----Original Message-----
From: James J. Lippard [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 10, 1999 8:15 PM
To: [EMAIL PROTECTED]
Subject: Re: qmail & relay detection
I agree with Sam on this one. My experience supports his view. I've
never seen any systematic attempts to grab usernames via SMTP. I've seen
quite a few mailbombs with bounces, though.
Jim Lippard [EMAIL PROTECTED] http://www.discord.org/
Unsolicited bulk email charge: $500/message. Don't send me any.
PGP Fingerprint: 0C1F FE18 D311 1792 5EA8 43C8 7AD2 B485 DE75 841C
On Fri, 10 Sep 1999, Sam wrote:
> On Fri, 10 Sep 1999, Dave Sill wrote:
>
> > Sam <[EMAIL PROTECTED]> wrote:
> >
> > >[EMAIL PROTECTED] writes:
> > >
> > >> Anyhow, I realize that giving information "up front" on working
> > >> usernames on the system is probably at least a small security risk,
> > >> so I'd rather not do that,
> > >
> > >I've yet to see anyone make a cogent argument for this, instead of
> > >accepting it as a given.
> >
> > It's pretty obvious. Given two systems, one that advertises users and
> > one that doesn't, and an infinite supply of kiddie krackers doing
> > brute-force searches for accounts with easy-to-guess passwords, the
>
> It's much easier to scrape the same accounts from the web or Usenet.
>
> Furthermore, you ignored the rest of my post, which compared whatever
> minuscule benefit you get from practicing security through obscurity
> weighed against your server now being a willing accomplice in a
> denial-of-service attack. The same script kiddies are far less likely to
> select a nailed down service in order to mailbomb someone by proxy,
> instead it's much easier to shove a few thousand messages with a few
> thousand bad recipients into Qmail's queue, then sit back and watch Qmail
> unload a few million messages into the target's mailbox.
>
> > system that advertises usernames will be broken into first, on
> > average, because the crackers will waste less time trying to break
> > into nonexistent accounts.
>
> I've yet to hear of a single documented case of someone using sendmail in
> this fashion in order to crack into accounts. If a cracker wants to
> collect valid addresses to try to crack into, they're far less likely to
> start banging on port 25, which is usually logged on sendmail boxes, and be
> noticed, instead of simply harvesting the addresses off the search engines or
> Dejanews, which is virtually undetectable.
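The trade-off Sam describes (a server that accepts every RCPT TO and bounces later becomes a backscatter source, while one that rejects unknown recipients during the SMTP session discloses which users exist) can be modelled without any network traffic. The following is an added example, not code from the thread or from qmail: a small simulation of the two recipient policies on a constructed batch of messages whose envelope sender is forged to a third party, counting how many bounce messages (DSNs) each policy would send to that forged address. The local user list, domain names and message counts are all constructed assumptions.

```python
"""Simulated comparison of two recipient policies from the thread:
reject unknown recipients at RCPT TO versus accept everything and bounce
later.  Constructed example, not qmail or sendmail code."""

from dataclasses import dataclass, field

# Constructed local user database and domain for the simulated server.
LOCAL_USERS = {"alice", "bob", "postmaster"}
LOCAL_DOMAIN = "example.org"


@dataclass
class Message:
    envelope_from: str        # envelope sender; forged in the scenario below
    recipients: list


@dataclass
class Outcome:
    rejected_in_session: int = 0   # 5xx answers at RCPT TO (no queue entry made)
    accepted: int = 0              # recipients that really exist
    bounces_sent: dict = field(default_factory=dict)  # envelope_from -> DSN count


def is_local_user(address):
    """Recipient check the server performs (at RCPT TO or at delivery time)."""
    local, _, domain = address.partition("@")
    return domain == LOCAL_DOMAIN and local in LOCAL_USERS


def reject_at_rcpt(messages):
    """Policy A: verify each recipient during the SMTP session and answer 550
    for unknown users.  Nothing is queued for them, so no DSN is ever sent;
    the cost is that the peer learns which local names exist."""
    out = Outcome()
    for msg in messages:
        for rcpt in msg.recipients:
            if is_local_user(rcpt):
                out.accepted += 1
            else:
                out.rejected_in_session += 1
    return out


def accept_then_bounce(messages):
    """Policy B: accept every RCPT TO, discover unknown users only at delivery
    time, and send one DSN per failed recipient to the envelope sender."""
    out = Outcome()
    for msg in messages:
        for rcpt in msg.recipients:
            if is_local_user(rcpt):
                out.accepted += 1
            else:
                out.bounces_sent[msg.envelope_from] = (
                    out.bounces_sent.get(msg.envelope_from, 0) + 1)
    return out


def build_forged_batch(forged_sender, n_messages, n_bad_rcpts):
    """Constructed input: n_messages messages, each with the envelope sender
    set to forged_sender and addressed to n_bad_rcpts nonexistent local users
    plus one real one (so both policies also do some legitimate work)."""
    batch = []
    for i in range(n_messages):
        rcpts = [f"nobody{i}-{j}@{LOCAL_DOMAIN}" for j in range(n_bad_rcpts)]
        rcpts.append(f"alice@{LOCAL_DOMAIN}")
        batch.append(Message(envelope_from=forged_sender, recipients=rcpts))
    return batch


def compare(forged_sender="third-party@example.net", n_messages=1000, n_bad_rcpts=5):
    """Run both policies over the same batch and report the DSNs that would
    land in the forged sender's mailbox under each."""
    batch = build_forged_batch(forged_sender, n_messages, n_bad_rcpts)
    a = reject_at_rcpt(batch)
    b = accept_then_bounce(batch)
    return {
        "reject_at_rcpt_dsns_to_forged_sender": a.bounces_sent.get(forged_sender, 0),
        "accept_then_bounce_dsns_to_forged_sender": b.bounces_sent.get(forged_sender, 0),
        "rejected_in_session": a.rejected_in_session,
        "accepted_either_policy": a.accepted,
    }


if __name__ == "__main__":
    print(compare())
```

With the defaults, policy A sends zero DSNs to the forged address and returns 5000 in-session rejections, while policy B generates 5000 DSNs addressed to an uninvolved third party, which is the "willing accomplice" effect the thread is arguing about. The model deliberately leaves out what either policy costs in user enumeration, since that is the other half of the trade-off and is a matter of logging and rate-limiting rather than of counting bounces.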