Re: e-mail address mining tool?

From: Tomasz Nidecki (tonid@hakin9.org)
Date: Wed Nov 09 2005 - 06:30:30 EST


-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5

Tuesday, November 8, 2005, 6:27:28 PM, Hugo wrote:

> I agree whit every thing u said Tomas, but from the point off view
> off a penetration testing it would be a very nice way to get what
> users are valid on that domain. assuming that the only service
> available is external mail for the users, witch is the case I'm
> working right know.

Understandable. Well, then I guess your best choice is to make a
dictionary or brute force attack on the mail server, attempting to
send mail to either dictionary-based addresses or all possible
addresses [ouch], giving a specific MAIL FROM, where you'd be
receiving bounces from inexistant accounts, and you can even parse
them automatically with some kind of a script.

The best strategy I guess would be to send mail with empty contents,
no headers. This will be treated by most users as "something strange
that they've received but they have no idea why and how". However,
this is noisy, since if you hit an admin account, the admin will be
able to see your IP address and your return address in headers. And,
unfortunately, an open proxy will not help much here, since in order
for this test to be succesful, you must receive responses, and unless
you use an 0wn3d box for that, someone can always easily track you 8].

The worst thing that could happen is that the target domain has a
default-account strategy and all your mail will end up on one account,
probably an admin or management account. Then it will look like a
mailbomb and if your pentest is to be silent, not noisy, this is not a
good idea at all. The way you can test this is sending an empty mail
to some completely bogus address like: qwertyuiop@domain.com and see
whether it bounces. If it doesn't bounce, you're probably dealing with
a default-account strategy and there is no way you can use SMTP to
check for existing accounts. If it bounces, it's definitely not using
a default-account strategy so you can proceed with your pentest 8]

> Now comes the question, if i develop such tool, and the spamers get
> the hands on it i will kill my self :), i don't want no more
> sper..... pills mails or... well i think u know what i mean.

Hrhr, not to worry. Spammers have used that strategy for a long time.
Haven't you ever received some mail that has no typical headers, no
body, just Received:, Return-Path:, Delivered-To: etc.? Well, I have
and the only reason to explain such mails is that spammers are testing
the validity of the e-mail address. If it bounces, the account is
invalid. If it doesn't, mail will end up somewhere [even with the
default-account strategy], so the spammer is happy. So don't worry,
you won't be reinventing a wheel 8].

The biggest problem with such a tool, I guess, would be parsing of the
return data, since bounces are in as many formats as there are
mailservers out there and you'd need to use regexps for different
types of mailservers in order to automatically parse the bounces.

- --
Tomasz Nidecki, Sekr. Redakcji / Managing Editor
hakin9 magazine http://www.hakin9.org
mailto:tonid@hakin9.org jid:tonid@tonid.net

Do you know what "hacker" means?
http://www.catb.org/~esr/faqs/hacker-howto.html

Czy wiesz, co znaczy slowo "haker"?
http://www.jtz.org.pl/Inne/hacker-howto-pl.html

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUAQ3Hd1kR7PdagQ735AQFihAQAjXEwLLp/ULPl3pSfQxv5CU2+MgmQ/fGa
mR3Rp35/tKn27rI0lyPPOLNsVPiN/vCP0Ujp3Y5/jGYUtzGcCsS51x3ltpeLBj2L
2PZr+v9KqJmEfd4l8HkvDy4bSXIO204qAlZoPhJT9CkKxK/kKWBRO0u7yuI6OmxB
6B0HlUYB5bw=
=jHgI
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:09 EDT