Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

SPAMMERS LOOKING AT MY ALIAS FILE

0 views
Skip to first unread message

Terry Shows

unread,
Jan 11, 2000, 3:00:00 AM1/11/00
to
I am using MMDF as my mail transfer agent. I just got a SPAM addressed to
an unusual alias I have set up in my alias.n file in the table directory of
mmdf. As far as I can tell, the SPAMMER either read my alias file
(somehow), or issued a bunch of verify requests to the SMTPD daemon until
they had some hits, then recorded the hits and sent the email out.

does anybody know how to protect from this? My alias.n file has a lot of
addresses that I do NOT want spammed.


--
Thank You

Terry Shows

(terry...@csstn.com)

Jeff Liebermann

unread,
Jan 11, 2000, 3:00:00 AM1/11/00
to

telnet comix.santa-cruz.ca.us 25
220 comix.comix.santa-cruz.ca.us Server SMTP (Complaints/bugs to:
postmaster)
expn root
250 Superuser <ro...@comix.comix.santa-cruz.ca.us>
expn postmaster
250 <postm...@comix.comix.santa-cruz.ca.us>
expn bozos
250 <bo...@comix.comix.santa-cruz.ca.us>
expn jeffl
250 Jeff Liebermann <je...@comix.comix.santa-cruz.ca.us>
quit

Hmmm... This was to my 3.2v4.2 SMTP which doesn't seem to expand
aliases. I think (not sure) that 3.2v5.0.5 will expand aliases. If
they manage to figure out that you're running a mailing list, and use
the EXPN command with that mailing list, it may (not sure) belch all
the users inside. I'll try it when I put the RAM back into my
3.2v5.0.5 machine.


Kevin Smith

unread,
Jan 12, 2000, 3:00:00 AM1/12/00
to

Chances are they were just guessing unless you have 'public' on the
ALIAS line in mmdftailor for alias-n. The 'public' keyword allows
someone connecting (as in Jeff's example) to see what the alias will
expand to. I.e.

ALIAS table=alias-n, nobypass, public

I think this is a checkbox in the gui configurator. Without 'public'
expn just echos the same address back to you (with your hostname if
you left it off) as in Jeff's example.

See 'man mmdftailor'
--
Do two rights make | Kevin Smith, ShadeTree Software, Philadelphia, PA, USA
a libertarian | 001-215-487-3811 shady.com,kevin bbs.cpcn.com,sysop
| dvtug.org,kevins--Deleware Valley Transit Users Group

Jeff Liebermann

unread,
Jan 12, 2000, 3:00:00 AM1/12/00
to
On 12 Jan 2000 23:15:03 -0500, kbs=cu...@shady.com (Kevin Smith) wrote:

>Chances are they were just guessing unless you have 'public' on the
>ALIAS line in mmdftailor for alias-n. The 'public' keyword allows
>someone connecting (as in Jeff's example) to see what the alias will
>expand to. I.e.
> ALIAS table=alias-n, nobypass, public

Oh, so that's how that works. I never could figure out what that
"public" actually did. I hope it's not the default. I changed my
mmdftailor file to include public aliases and ran the following. I
deleted some of my accomplises names to avoid spammers.

telnet comix.santa-cruz.ca.us 25
220 comix.comix.santa-cruz.ca.us Server SMTP (Complaints/bugs to:
postmaster)

expn bozos
250-Jeff Liebermann <je...@comix.comix.santa-cruz.ca.us>
250-(deleted...)
250-(deleted...)
250-(deleted...)
250-(deleted...)
expn postmaster


250 Jeff Liebermann <je...@comix.comix.santa-cruz.ca.us>
quit

Besides EXPN, there's VRFY (verify) which can be tested from a
shopping list of possible guesses.

vrfy jeffl
250 Nice address <je...@comix.comix.santa-cruz.ca.us>
vrfy xxxx
250 Nice address <xx...@comix.comix.santa-cruz.ca.us>

Unfortunately, MMDF seems to like any address I throw at it, probably
because I'm using both the badusers and badhosts channel to deal with
creative addressing. Yep. Turning off the badusers channel, I get:

vrfy jeffl
250 Nice address <je...@comix.comix.santa-cruz.ca.us>
vrfy zzzz
550 (USER) Unknown user name in "zzzz"
vrfy root
250 Nice address <ro...@comix.comix.santa-cruz.ca.us>

There's a few other interesting and fun things to do. If you're
running DNS (don't know service), nslookup or the more more convenient
"host" command can excavate some interesting stuff. It won't reveal
user names, but will give a wider selection of machines worth
attacking. Note that in 3.2v4.2, the "host" binary is
/usr/mmdf/bin/host.

# host www.jpr.com
www.jpr.com is a nickname for jpr.com
jpr.com has address 198.207.210.2
jpr.com mail is handled by truth.murphy.com
jpr.com mail is handled by jpr.com
jpr.com mail is handled by etrn1.veriomail.com

# host -l jpr.com
jpr.com NS ns1.new-york.net
jpr.com NS ns2.new-york.net
jpr.com NS ns3.new-york.net
jpr.com has address 198.207.210.2
localhost.jpr.com has address 127.0.0.1

Oh well, no local DNS server at jpr.com.

Try the "host -l xxxx.com" command on some of the larger ISP's for a
nice shopping list. My favorite pastime is to discover obvious
printers and print cute messages to them.

# host -l redhat.com
redhat.com NS ns.redhat.com
redhat.com NS ns2.redhat.com
redhat.com NS ns3.redhat.com
redhat.com NS speedy.redhat.com
redhat.com has address 207.175.42.154
gribble.redhat.com has address 199.183.24.203
charlotte.redhat.com has address 199.183.24.253
scot.redhat.com NS odo.scot.redhat.com
odo.scot.redhat.com has address 195.89.149.241
scot.redhat.com NS speedy.redhat.com
scot.redhat.com NS ns.redhat.com
court.redhat.com has address 199.183.24.85
(about 700 machines deleted)
test.redhat.com NS peggy.test.redhat.com
peggy.test.redhat.com has address 207.175.44.2
test.redhat.com NS frodo.meridian.redhat.com
frodo.meridian.redhat.com has address 207.175.42.33
old-porkchop.redhat.com has address 207.175.42.165
gonzales.redhat.com has address 199.183.24.227


Oh well. Back to pulling dimes out of drives and putting humpty
dumpty back together again.

Steve Wertz

unread,
Jan 14, 2000, 3:00:00 AM1/14/00
to
Jeff Liebermann <je...@comix.santa-cruz.ca.us> wrote:

> Try the "host -l xxxx.com" command on some of the larger ISP's for a
> nice shopping list. My favorite pastime is to discover obvious
> printers and print cute messages to them.

It's amazing how often this works for HPNP (utilizes SNMP also, much
more devious) and lpd jobs, but telnet had been disabled.

-sw

Jeff Liebermann

unread,
Jan 14, 2000, 3:00:00 AM1/14/00
to
On Fri, 14 Jan 2000 04:19:37 GMT, Steve Wertz <swe...@swertz.scruznet.com>
wrote:

Shsssssh. While most of the hackers spend their time drawing system
topology maps using NMAP or a brute force port scanner, I just use SNMP.
Most people don't even know that it's there, enabled by default, and with
trivial community names, er... passwords. Where I get into trouble is when
someone is using NAT on their router. All I might get to see is the
router. Now that SCO has NAT, life will be more complex. The original
question was how the user account names leaked out, and SNMP will not
reveal those.

If you wanna see if you're vulnerable to SNMP attack, run:
getmany IP_address_of_target public iso
on your SCO Unix box from both inside and outside the firewall. If you get
buried in pages of weird numbers (OID's), you're wide open. If it just
sits there, you win. From Linux, the command is snmpget and snmpwalk. On
Windoze, you'll need to get a decent MIB browser. I use GetIF 2.1 from:
http://www.geocities.com/SiliconValley/Hills/8260/index.html

Also try this on HP print servers and printers. This isn't exactly a
security problem for the printers unless you wanna hide how many Soccer
Team schedules you've been running off on the company's laser printer.

If you're going to print to exposed internet laser printers, don't forget
to deal with the LF-CR translation by shoving the stuff through a filter.
cat filename | /usr/lib/lponlcr | netcat or hpnpf (etc)

RING... (telephone). Later.

--
Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
(831)421-6491 pgr (831)426-1240 fax (831)336-2558 home
http://www.cruzio.com/~jeffl WB6SSY
je...@comix.santa-cruz.ca.us je...@cruzio.com

0 new messages