Bug#880905: exim4-config: Sender verification could be exploited for brute-force scan
Andreas Metzler
ametzler at bebt.de
Sun Nov 5 15:09:37 UTC 2017
On 2017-11-05 Paul Graham <debianbts at omega-software.com> wrote:
> Package: exim4-config
> Version: 4.90~RC1-1
> Severity: normal
> Dear Maintainer,
> *** Reporter, please consider answering these questions, where appropriate ***
> * What led up to the situation?
> This recently came up in Exim logs:
> 2017-11-03 16:22:39 H=(ws2008) [10.20.30.40] F=<test1 at omega-software.com> rejected RCPT <attacker at gmail.com>: Sender verify failed
[...]
> It reveals that an attacker took advantage that sender verification happens before relay checks to perform a brute force scan that revealed valid addresses in our domain.
> * What exactly did you do (or not do) that was effective (or ineffective)?
> We moved sender verification so that it happens after relay check.
> * What was the outcome of this action?
> After this change, it's no longer possible for an attacker to use this technique to extract information. All their attempts would result in "relay not permitted" regardless of sender address.
[...]
I do not see the attacker's gain; the same information can be extracted by
trying out RCPT TO *@omega-software.com with FROM attacker at gmail.com.
What am I missing?
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
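For readers following the thread, the ordering change the reporter describes, shown as a constructed Exim RCPT ACL fragment; this is an added illustration, not the Debian exim4-config file, and the host and domain lists (+relay_from_hosts, +local_domains, +relay_to_domains) are assumed to be defined elsewhere in the configuration.

```exim
# Constructed RCPT ACL fragment, not taken from exim4-config.
# Assumes the usual list macros: +relay_from_hosts, +local_domains,
# +relay_to_domains.

acl_check_rcpt:

  # Ordering from the report: sender verification runs before the relay
  # decision. An unauthenticated remote host that offers a MAIL FROM in a
  # local domain and an external RCPT TO gets "Sender verify failed" when
  # the local sender does not exist and "relay not permitted" when it does,
  # so the two responses distinguish valid from invalid local addresses.
  #
  #   deny    message = Sender verify failed
  #           !verify = sender
  #
  #   deny    message = relay not permitted
  #           !hosts   = +relay_from_hosts
  #           !authenticated = *
  #           !domains = +local_domains : +relay_to_domains

  # Reordered as the reporter did: settle relaying first. Conditions in one
  # statement are ANDed, so this denies only unauthenticated, untrusted hosts
  # sending to non-local domains, and it does so before the sender is looked
  # at, giving the same "relay not permitted" whatever MAIL FROM was used.
  deny    message = relay not permitted
          !hosts   = +relay_from_hosts
          !authenticated = *
          !domains = +local_domains : +relay_to_domains

  # Sender verification now only reaches recipients this host would accept.
  deny    message = Sender verify failed
          !verify = sender

  accept  domains = +local_domains
          verify  = recipient
  accept  domains = +relay_to_domains
          verify  = recipient
  accept  hosts   = +relay_from_hosts
  accept  authenticated = *
```

As the maintainer's reply points out, recipient verification on local domains still answers RCPT TO probes directly, so this reorder removes one channel rather than the address-enumeration question as a whole.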