OSEC

From: Ronald F. Guilmette (rfgmonkeys.com)
Date: Sat Aug 25 2001 - 23:31:10 CDT


    In message <200108252121.f7PLLoX27134beef.tpgn.net>,
    "Charles Chear" <prestotpgn.net> wrote:

    >If you take a look carefully between the two sessions, both give different
    >auth fail responses. Using this {POP3 approach}, you can brute force and
    >verify {whether} an account exists or not...

    Yea. So?

    Spammers have been doing this for ages already. The only difference is
    that they typically use the SMTP server to do it, rather than using the
    POP3 server. Just do:

            HELO example.com
            MAIL FROM:<nobody@example.com>
            RCPT TO:<test-user>

    and then look for the SMTP result code.

    Q: How many machines running a POP3 server are NOT also running an SMTP
    server on the same IP, or on one close by?

    A: Virtually zero.

    Q: How many admins are smart enough to enable e-mail reception (possibly
    aliased to /dev/null) for a catch-all `luser' pseudo-account that would
    prevent such address harvesting via their SMTP servers?

    A: Virtually zero.

    P.S. I suspect that if all you wanted to do was to verify the existence,
    or lack thereof, of some local account, you could probably do that using
    any number of different servers/services... FTP, HTTP, ...
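
A defender's view of the SMTP probing described in the message above, as an added example that is not part of the original post: it scans RCPT results for clients that hit many distinct nonexistent recipients. The log format, thresholds and function names are assumptions constructed for illustration, not any real MTA's output.

```python
import re
from collections import defaultdict

# Constructed sample in a hypothetical key=value log format (not a real MTA's).
SAMPLE_LOG = """\
2001-08-25T23:01:10 client=192.0.2.10 rcpt=<aaron@example.net> code=550
2001-08-25T23:01:11 client=192.0.2.10 rcpt=<abby@example.net> code=550
2001-08-25T23:01:11 client=192.0.2.10 rcpt=<adam@example.net> code=250
2001-08-25T23:01:12 client=192.0.2.10 rcpt=<alan@example.net> code=550
2001-08-25T23:01:13 client=192.0.2.10 rcpt=<alex@example.net> code=550
2001-08-25T23:01:13 client=192.0.2.10 rcpt=<alex@example.net> code=550
2001-08-25T23:05:40 client=198.51.100.7 rcpt=<adam@example.net> code=250
2001-08-25T23:06:02 client=198.51.100.7 rcpt=<adm@example.net> code=550
2001-08-25T23:09:15 client=203.0.113.5 rcpt=<adam@example.net> code=250
garbage line that does not parse
"""

LINE = re.compile(r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]*)> code=(?P<code>\d{3})\s*$")
UNKNOWN_USER = {"550", "551", "553"}  # permanent recipient rejections


def rcpt_stats(log_text):
    """Per client: distinct rejected recipients and distinct accepted ones."""
    stats = defaultdict(lambda: {"rejected": set(), "accepted": set()})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not RCPT results
        rcpt = m["rcpt"].lower()
        if m["code"] in UNKNOWN_USER:
            stats[m["ip"]]["rejected"].add(rcpt)
        elif m["code"].startswith("2"):
            stats[m["ip"]]["accepted"].add(rcpt)
    return stats


def find_harvesters(log_text, min_rejected=3, min_ratio=0.6):
    """Flag clients that probed many distinct nonexistent recipients."""
    flagged = {}
    for ip, s in rcpt_stats(log_text).items():
        rejected, total = len(s["rejected"]), len(s["rejected"] | s["accepted"])
        # A single mistyped address stays below min_rejected and is ignored.
        if rejected >= min_rejected and rejected / total >= min_ratio:
            flagged[ip] = {"rejected": rejected, "confirmed": sorted(s["accepted"])}
    return flagged


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG).items():
        print(ip, info)
```

The `confirmed` list shows which addresses the probing client learned are valid. With a catch-all recipient of the kind the post mentions, every probe returns 250, so the reply codes no longer separate real accounts from nonexistent ones.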