Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!spool.mu.edu!daily-planet.execpc.com!newspump.sol.net!newsfeeder.sdsu.edu!hookup!news.mathworks.com!nntp.primenet.com!news.cais.net!rtd.com!dgy
From: dgy@rtd.com (Don Yuniskis)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Mail......What does this mean??
Date: 19 Jul 1996 21:35:09 GMT
Organization: CICDO
Lines: 39
Message-ID: <4sov2d$5fn@baygull.rtd.com>
References: <31e6811d.21963902@news.hq.af.mil>
NNTP-Posting-Host: seagull.rtd.com

In article <31e6811d.21963902@news.hq.af.mil>, Scott Gregory <sgregory@pubspo.hq.af.mil> wrote:
>Three lines like this (names have been changed to protect the guilty
>:-) ) appeared in my /var/log/maillog.
>
>Jul 12 10:38:43 my.sys.name sendmail[17654]: foo.bar
>[123.123.123.123]: vrfy lhammer
>
>Each entry had a different last word (I assume this is a username?).
>
>What does this mean?? I know date, time, sys name, log entry,
>offending system, translated address, but what are they doing with
>"vrfy lhammer"

This shows an external host tried to "verify" an address (i.e. user name) on your system.

>Is this a security concern?? I'm STILL new at this so please explain
>in detail.

It "depends"... some mail programs routinely verify addresses before attempting delivery. So, it could be "harmless". But, it's also a back door by which folks can see just what addresses (a.k.a. user names, *accounts*!!) exist on your system. Once they have a user/account name, they can then start searching (trying) for a password to fit!

Are all of the queries from a particular site? Do any of the names queried "make sense" (i.e. current accounts or accounts that are now "expired")? Do you actually receive any mail from that site?

You could make your system less "permissive/open" by tweaking the "privacy" option in sendmail.cf (look for a line that begins with "Op") to disable your sendmail's support for VRFY, etc.
If you do this and mail from that site breaks, you may have to negotiate with the site to have them use a different transport agent...

--don
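The triage questions in the reply (is it one source or many, and do the queried names match real accounts) can be answered by parsing maillog lines in the format quoted above. This is an added example, not code from the post; the log lines and the local account list are constructed samples, and the EXPN handling and the threshold of three queries per source are assumptions of mine.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/maillog lines in the format quoted in the post
# (one host probing several names, one host doing a single lookup, one delivery line).
MAILLOG = """\
Jul 12 10:38:43 my.sys.name sendmail[17654]: foo.bar [123.123.123.123]: vrfy lhammer
Jul 12 10:38:44 my.sys.name sendmail[17654]: foo.bar [123.123.123.123]: vrfy root
Jul 12 10:38:45 my.sys.name sendmail[17654]: foo.bar [123.123.123.123]: vrfy jsmith
Jul 12 11:02:10 my.sys.name sendmail[17702]: mail.example.net [10.0.0.5]: vrfy postmaster
Jul 12 11:05:00 my.sys.name sendmail[17710]: to=<user@example.net>, stat=Sent
"""

# Constructed set of local account names; on a real host this would come from /etc/passwd.
LOCAL_ACCOUNTS = {"root", "postmaster", "lhammer", "daemon"}

# Timestamp, our hostname, sendmail[pid], remote host [addr], then the VRFY (or EXPN) argument.
VRFY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: "
    r"(?P<host>\S+) \[(?P<addr>[\d.]+)\]: (?P<cmd>vrfy|expn) (?P<arg>\S+)$",
    re.IGNORECASE,
)

def parse_vrfy_events(log_text):
    """Return one dict per VRFY/EXPN line; all other maillog lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = VRFY_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def summarize_by_source(events, local_accounts):
    """Group queries by (host, addr), noting which queried names are real local accounts."""
    summary = defaultdict(lambda: {"queried": [], "hits": []})
    for e in events:
        entry = summary[(e["host"], e["addr"])]
        entry["queried"].append(e["arg"])
        if e["arg"].lower() in local_accounts:
            entry["hits"].append(e["arg"])
    return dict(summary)

def suspicious_sources(summary, threshold=3):
    """Sources that probed `threshold` or more names look like enumeration, not delivery checks."""
    return sorted(k for k, v in summary.items() if len(v["queried"]) >= threshold)

if __name__ == "__main__":
    s = summarize_by_source(parse_vrfy_events(MAILLOG), LOCAL_ACCOUNTS)
    for src in suspicious_sources(s):
        print(src, "queried", s[src]["queried"], "real accounts:", s[src]["hits"])
```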