NTBugtraq And NTSecurity Archives: Re: NTmail and VRFY

Subject: Re: NTmail and VRFY
From: Marc (MarcEEYE.COM)
Date: Tue Dec 07 1999 - 14:31:46 CST


<rant>
Maybe so... but it also costs money to go from 4 to 5.
So you're basically paying $75 dollars for a security patch.
This is not how things should be done.

We've seen this sort of thing happen with NTMail in the past...
A hole is found in an older version and no patch is provided except to
upgrade to the current version which costs you money to do.

Paying extra money to a software vendor to make the product you already
bought secure is like paying the neighborhood "family men" money for
protection when you shouldn't need it in the first place.
</rant>

Signed,
Marc
eEye Digital Security Team
http://www.eEye.com

| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of John Stanners
| Sent: Tuesday, December 07, 1999 1:46 AM
| To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
| Subject: Re: NTmail and VRFY
|
|
| At 08:41 PM 11/30/99 -0500, you wrote:
| >as you can see, the mail server happily tells them not only when they hit an
| >active account but it gives them the domain name making it very easy to
| >write a single script that can be used against ALL NTmail 4 or 5 servers for
| >email address harvesting. There is no way to turn VRFY off in NTmail.
| >
| I would just like to point out that George's comments only apply to Version
| 4 of NTMail. NTMail Version 5 which was released some time ago does allow
| VRFY to be completely disabled.
|


