On Fri, 28 Jan 2000, Tony Johnson wrote:
> [useful info about turning off expn/vrfy]
>
> these options give outside users the ability to see if a particular username
> is valid on your system by telnetting to smtp port. Someone, for example,
> could get all the users who are subscribed to this mailing list through expn
> and then spam them...

They're also handy for troubleshooting mail delivery problems; for example,
they will let you verify (vrfy) whether an email address is valid or not,
and expand (expn) an alias.

Telnet to your own port 25. You might be surprised how user-friendly smtp
servers are, considering what they're intended for. :-)

Try typing things like:

expn root
vrfy root
expn yourownusername
vrfy yourownusername
expn bogususername
vrfy bogususername
expn something-list

Do this on your own machine, or a machine run by someone who knows you
well, lest your learning experience be mistaken for a pre-attack
surveillance exercise. :-)

Expanding a majordomo list won't give you the names of the subscribers (at
least not on my machine, maybe it depends on configuration), but if you
set up a simple list with your /etc/aliases file you will see the
addresses on that list.

[If you want to know who is on a list, try sending "who something-list" to
the majordomo address. Sometimes it works, sometimes it doesn't.]

Back in the early days of spam hunting, expn/vrfy was a somewhat useful
way to determine whether or not an address was real or bogus; sometimes
you'd find that a spammer had set up a temporary address that forwarded to
their "real" account, stuff like that. They can reveal more than you'd
want an outsider to know though, so more and more servers are disabling
them. I kinda miss it sometimes. :-)
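
A self-check for the expn/vrfy behaviour discussed in this thread, as an added example that is not part of the original messages: it compares the replies a server gives for a known name and a bogus one and reports whether the difference tells an outsider which names exist. The function names, the `mail.example` host and the reply tables are assumptions constructed for illustration; `live_probe` is meant for a server you administer.

```python
import smtplib

CONFIRMS = {250, 251}     # mailbox confirmed, alias expanded, or "will forward"
DENIES = {550, 551, 553}  # "no such user" style answers

def classify(code):
    """Map an SMTP reply code to what it tells the caller about the name."""
    if code in CONFIRMS:
        return "confirms"
    if code in DENIES:
        return "denies"
    return "neutral"      # 252, 500, 502, ...: nothing learned about the name

def audit(probe, known="root", bogus="bogususername"):
    """probe(cmd, name) -> (code, text). Returns {cmd: "leaks" or "quiet"}.

    A command leaks when a known-good and a bogus name get different
    classes of answer, because the difference is what an outsider reads.
    """
    verdict = {}
    for cmd in ("vrfy", "expn"):
        good = classify(probe(cmd, known)[0])
        bad = classify(probe(cmd, bogus)[0])
        verdict[cmd] = "leaks" if good != bad else "quiet"
    return verdict

def live_probe(host, port=25):
    """Probe for a server you administer, via smtplib's vrfy()/expn()."""
    def probe(cmd, name):
        with smtplib.SMTP(host, port, timeout=10) as conn:
            conn.ehlo_or_helo_if_needed()
            return getattr(conn, cmd)(name)
    return probe

def canned(table):
    """Offline probe that replays a table of constructed replies."""
    return lambda cmd, name: table[(cmd, name)]

# Constructed sample replies (not captured from any real server).
OPEN = {("vrfy", "root"): (250, b"root <root@mail.example>"),
        ("vrfy", "bogususername"): (550, b"User unknown"),
        ("expn", "root"): (250, b"admin <admin@mail.example>"),
        ("expn", "bogususername"): (550, b"User unknown")}
LOCKED = {("vrfy", "root"): (252, b"Cannot VRFY user"),
          ("vrfy", "bogususername"): (252, b"Cannot VRFY user"),
          ("expn", "root"): (502, b"Command not implemented"),
          ("expn", "bogususername"): (502, b"Command not implemented")}

if __name__ == "__main__":
    print("open:  ", audit(canned(OPEN)))
    print("locked:", audit(canned(LOCKED)))
```

Against your own machine, `audit(live_probe("localhost"))` runs the same comparison over a real connection.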