Subject: EXPN security
coriolis

11-06-2008 12:25 PM  
Hello,

Is there a way to turn off the VRFY/EXPN commands?  My company recently underwent a security audit and my machine failed, alas, due to the presence of these commands in the SMTP server.  The risk was given to our management as "The VRFY command allows an attacker to determine if an account exists on a system, providing significant assistance to a brute force attack on user accounts."

Thank you!

mcorrow
Forum Moderator
11-06-2008 12:42 PM  
Coriolis: Do you have lockout manager enabled? I'm not sure if it works for VRFY, but we have ours set so that users get 2 invalid tries before they are locked out for a long time. On my system, that stops the brute force attacks..

Matt
coriolis

11-06-2008 12:57 PM  
I have lockout manager enabled and the maximum number of invalid commands set to three.  The only EXPN commands I see in my logs are from this security testing company, and actually I see errors returned for usernames such as "root" which I know to exist as mail accounts.  I think I'm in pretty good shape versus an actual attack but I'd like to give a stronger answer to my management.
mcorrow
Forum Moderator
11-06-2008 1:05 PM  
When you say 'usernames such as "root"', do you mean without a domain name attached? All of your user accounts are set up under a domain name, right? If all of your users are defined under a domain name, they cannot be accessed without also specifying the domain name, which would cause an error..
Sounds like you have it set up correctly, and with lockout manager on, the brute force attacks cannot compromise the server.. If you are seeing repeated attacks, you can merely extend the lockout time (we actually have ours set to 1439 minutes, or one day)...

Matt
coriolis

11-06-2008 1:31 PM  
All of my accounts are under a domain name, yes.  By "cause an error", do you mean that specifying the domain name in the EXPN command would cause an error in the ArGoSoft implementation?  The syntax I've read for EXPN doesn't seem to say one way or the other, but I tried connecting to the mail server and couldn't get a successful EXPN under either "root" or "root@(domain)".

Thank you for your help!

mcorrow
Forum Moderator
11-06-2008 3:16 PM  
I'm not sure about the EXPN (only have seen vrfy)... No, I meant if they try to verify an account without also sending a domain name, you will give them an error, because there are no accounts that do not have a domain name... that's the "brute force" attacks we've seen, essentially amounting to a denial of service attack....

Matt
SteveT
Forum Administrator

11-07-2008 2:37 PM  

Hi All,

I use the .NET version but I do have a copy of the Win32 version installed for testing. Upon reviewing this thread I did some research and found the following:

http://www.gordano.com/kb.htm?q=319

The VRFY clause is a method of verifying the existence of a user on a mail server. Normally you can either verify the existence of a particular user or use a wildcard verify (VRFY *) to ask the server to return a complete list of users. This latter option is rarely enabled on mail servers nowadays as it was used widely by spammers to harvest email addresses, indeed most mail servers nowadays can disable the VRFY option altogether. Gordano’s products disable the VRFY command by default.

http://www.gordano.com/kb.htm?q=980

EXPN can be used to request, or expand, a mailing list on the remote server. The sending server can query the receiving server to see if it will accept Enhanced SMTP commands. If it does it will send back to the connecting server the enhanced commands it will accept. If EXPN is listed, it can be used. If the receiving server accepts EXPN, your string should identify a particular mailing list. The multiline response may include the full name of all users and must provide the mailboxes on the mailing list.

That being said, I tested my Win32 version of ArGo for these commands. They are rejected by the server. I used the Sam Spade v1.1.4 (win32 version), which has an SMTP digg feature. You can see the results for yourself:

11/07/08 14:25:59 SMTP Verify maillist@192.168.1.21, at 192.168.1.21
Contacting 192.168.1.21
220 mail.topcatcomputing.dev ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.9.3)

HELO example.com
250 Welcome, 192.168.1.21 [192.168.1.21], pleased to meet you

VRFY maillist@192.168.1.21
502 Unknown command

Doesn't want to talk to us
RSET
250 Reset state

EXPN maillist@192.168.1.21
550 List maillist@192.168.1.21 not found

Doesn't want to talk to us
RSET
250 Reset state

MAIL FROM:<spade@example.com>
250 Sender "spade@example.com" OK...

RCPT TO:<maillist@192.168.1.21>
554 Mailing list contains remote users. Authentication required for relay

Doesn't want to talk to us
RSET
250 Reset state

QUIT
221 Aba he


11/07/08 14:25:16 SMTP Verify steve@192.168.1.21, at 192.168.1.21
Contacting 192.168.1.21
220 mail.topcatcomputing.dev ArGoSoft Mail Server Pro for WinNT/2000/XP, Version 1.8 (1.8.9.3)

HELO example.com
250 Welcome, 192.168.1.21 [192.168.1.21], pleased to meet you

VRFY steve@192.168.1.21
502 Unknown command

Doesn't want to talk to us
RSET
250 Reset state

EXPN steve@192.168.1.21
550 List steve@192.168.1.21 not found

Doesn't want to talk to us
RSET
250 Reset state

MAIL FROM:<spade@example.com>
250 Sender "spade@example.com" OK...

RCPT TO:<steve@192.168.1.21>
250 Recipient "steve@192.168.1.21" OK...

RCPT TO:<bogus85916@192.168.1.21>
550 User unknown <bogus85916@192.168.1.21>

Doesn't want to talk to us
RSET
250 Reset state

QUIT
221 Aba he

Did these commands return results in your Security Audit?


Regards,
Steve Topilnycky
Top Cat Computing
http://www.topcatcomputing.com
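
One way to turn a captured session like the two above into an answer for an audit (an added example, not part of the original posts and not ArGoSoft or Sam Spade code): pair each SMTP command with its reply code and summarise what VRFY, EXPN and RCPT TO reveal about addresses. The function names and the classification labels are this example's own; the reply-code meanings (500/502 command unrecognised or not implemented, 252 declines to verify) follow RFC 5321.

```python
import re

# Constructed sample: lines copied from the second Sam Spade session above.
TRANSCRIPT = """\
VRFY steve@192.168.1.21
502 Unknown command
Doesn't want to talk to us
EXPN steve@192.168.1.21
550 List steve@192.168.1.21 not found
MAIL FROM:<spade@example.com>
250 Sender "spade@example.com" OK...
RCPT TO:<steve@192.168.1.21>
250 Recipient "steve@192.168.1.21" OK...
RCPT TO:<bogus85916@192.168.1.21>
550 User unknown <bogus85916@192.168.1.21>
"""
VERBS = {"HELO", "EHLO", "VRFY", "EXPN", "MAIL", "RCPT", "RSET", "QUIT"}
REPLY = re.compile(r"^(\d{3})([ -]|$)")

def pair_commands(text):
    """Return [(verb, argument, reply_code)]; tool commentary lines are skipped."""
    pairs, pending = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = REPLY.match(line)
        if m and pending and m.group(2) != "-":   # final line of the reply
            pairs.append((*pending, int(m.group(1))))
            pending = None
        elif not m:
            verb, _, arg = line.partition(" ")
            if verb.upper() in VERBS:
                pending = (verb.upper(), arg)
    return pairs

def audit(pairs):
    """Summarise what VRFY, EXPN and RCPT replies reveal about addresses."""
    out = {}
    for verb in ("VRFY", "EXPN"):
        codes = {c for v, _, c in pairs if v == verb}
        if codes and codes <= {500, 502, 252}:   # unrecognised / not implemented / won't verify
            out[verb] = "disabled"
        elif any(200 <= c < 300 for c in codes):
            out[verb] = "confirms addresses"
        else:   # e.g. 550: the command was processed but nothing matched
            out[verb] = "implemented, lookup failed" if codes else "not tested"
    rcpt = {c for v, _, c in pairs if v == "RCPT"}
    out["RCPT"] = "replies differ per address" if len(rcpt) > 1 else "uniform replies"
    return out

print(audit(pair_commands(TRANSCRIPT)))
```

Run over the session above, the summary separates three cases that an audit finding tends to lump together: a command the server does not recognise, a command it processes without a match, and RCPT TO replies that differ between addresses.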