*BSD News Article 73602



Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.eng.convex.com!newshost.convex.com!newsgate.duke.edu!news.mathworks.com!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Mail......What does this mean??
Date: 13 Jul 1996 11:51:30 GMT
Organization: Private BSD site, Dresden
Lines: 44
Message-ID: <4s82k2$n33@uriah.heep.sax.de>
References: <31e6811d.21963902@news.hq.af.mil>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E

sgregory@pubspo.hq.af.mil (Scott Gregory) wrote:

> Three lines like this (names have been changed to protect the guilty
> :-) ) appeared in my /var/log/maillog.
> 
> Jul 12 10:38:43 my.sys.name sendmail[17654]:  foo.bar [123.123.123.123]: vrfy lhammer
> 
> Each entry had a different last word (I assume this is a username?).

Yep, it's a (supposed to be) username.

> What does this mean??  I know date, time, sys name, log entry,
> offending system, translated address, but what are they doing with
> "vrfy lhammer"

The VRFY command asks sendmail to verify that a particular address
could be delivered.  Likewise, the EXPN command requests a possible
expansion of alias lists.  Both are described in the SMTP RFCs.

> Is this a security concern??  I'm STILL new at this so please explain
> in detail.

If you see an extended amount of them, and you have a reason to
distrust the originator, yes, it may be a security concern.  (That's
why they are being logged.)  It looks like somebody was trying to
probe for some usernames in order to get a list of possible accounts
on your system.  Once he's got this list, he might try to abuse the
accounts.  So watch out for all your messages about LOGIN FAILURE.
FreeBSD is rather paranoid about logging them; you are allowed just
one mistyped username or password before it's going to be logged.

Note that you could tell syslogd to pop up all these (login failure,
bad SU etc.) messages onto your terminals where you are logged in.
Makes for a good security alert scenario.  The potential intruder is
being announced to you even before he could issue a single `ls' or
`who'. :-))

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
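The reply above says the entries are worth worrying about once you see "an extended amount of them" from a source you distrust. The following Python script is an added example, not part of the original post or of sendmail, that turns that advice into a check: it parses sendmail VRFY/EXPN audit lines in the format quoted in the thread, counts probes per client address, and flags any address that exceeds a threshold. The log lines are constructed (the hostnames, addresses and the extra non-probe line are made up); the quoted entry was wrapped by the newsreader, and here it is written on one line as it appears in the real maillog. The threshold value and the function names are the example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/maillog lines. The first line is the entry
# quoted in the thread; the others are made up to show a probe burst from one
# client, an ordinary delivery line that must be ignored, and a single probe
# from a second client that stays below the threshold.
SAMPLE_MAILLOG = """\
Jul 12 10:38:43 my.sys.name sendmail[17654]:  foo.bar [123.123.123.123]: vrfy lhammer
Jul 12 10:38:44 my.sys.name sendmail[17654]:  foo.bar [123.123.123.123]: vrfy root
Jul 12 10:38:45 my.sys.name sendmail[17654]:  foo.bar [123.123.123.123]: expn staff
Jul 12 10:38:46 my.sys.name sendmail[17654]:  foo.bar [123.123.123.123]: vrfy jsmith
Jul 12 10:40:01 my.sys.name sendmail[17660]: KAA17660: from=<a@example.org>, size=1234, class=0, pri=31234, nrcpts=1, msgid=<x@example.org>, proto=SMTP, relay=mail.example.org [10.0.0.5]
Jul 12 10:41:12 my.sys.name sendmail[17661]:  partner.example.net [10.0.0.9]: vrfy postmaster
"""

# Matches "<syslog timestamp> <host> sendmail[<pid>]:  <client> [<ip>]: vrfy|expn <arg>".
# The command is matched case-insensitively because SMTP verbs are not case-sensitive.
PROBE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sendmail\[(?P<pid>\d+)\]:\s+"
    r"(?P<client>\S+) \[(?P<ip>[^\]]+)\]: "
    r"(?P<cmd>vrfy|expn) (?P<arg>\S+)$",
    re.IGNORECASE,
)


def parse_probes(log_text):
    """Return one dict per VRFY/EXPN audit line; all other lines are skipped."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m is None:
            continue  # delivery records and other noise are not probes
        rec = m.groupdict()
        rec["cmd"] = rec["cmd"].lower()
        probes.append(rec)
    return probes


def summarize_by_source(probes):
    """Aggregate probes per client IP: count, client names seen, names asked for."""
    summary = defaultdict(lambda: {"count": 0, "clients": set(), "targets": set()})
    for p in probes:
        entry = summary[p["ip"]]
        entry["count"] += 1
        entry["clients"].add(p["client"])
        entry["targets"].add(p["arg"])
    # Convert the sets to sorted lists so the result is stable and printable.
    return {
        ip: {
            "count": e["count"],
            "clients": sorted(e["clients"]),
            "targets": sorted(e["targets"]),
        }
        for ip, e in summary.items()
    }


def flag_probe_sources(summary, threshold=3):
    """Return client IPs that issued at least `threshold` probes, busiest first."""
    flagged = [ip for ip, e in summary.items() if e["count"] >= threshold]
    return sorted(flagged, key=lambda ip: (-summary[ip]["count"], ip))


if __name__ == "__main__":
    found = parse_probes(SAMPLE_MAILLOG)
    by_ip = summarize_by_source(found)
    for ip in flag_probe_sources(by_ip):
        e = by_ip[ip]
        print("%s (%s): %d probes for %s" % (
            ip, ", ".join(e["clients"]), e["count"], ", ".join(e["targets"])))
```

Run against a real maillog (`python3 probes.py < /var/log/maillog`, after swapping the constructed sample for `sys.stdin.read()`), the output is the list of addresses that walked through several usernames, which is the pattern the reply describes. The threshold is deliberately low because a legitimate mail server has little reason to issue VRFY at all. As for the other two points in the reply: sendmail's `PrivacyOptions` setting accepts `novrfy` and `noexpn` (or `goaway`) to refuse these commands outright, and the action field of a `syslog.conf` entry can name login names (or `*`) whose terminals receive the message, which is the "pop up on your terminal" arrangement the reply mentions.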