On Fri, 10 Sep 1999, Dave Sill wrote:

> Sam <[EMAIL PROTECTED]> wrote:
> 
> >[EMAIL PROTECTED] writes:
> >
> >> Anyhow, I realize that giving information "up front" on working
> >> usernames on the system is probably at least a small security risk,
> >> so I'd rather not do that,
> >
> >I've yet to see anyone make a cogent argument for this, instead of
> >accepting it as a given.
> 
> It's pretty obvious. Given two systems, one that advertises users and
> one that doesn't, and an infinite supply of kiddie krackers doing
> brute-force searches for accounts with easy-to-guess passwords, the

It's much easier to scrape the same accounts from the web or Usenet.

Furthermore, you ignored the rest of my post, which compared whatever
minuscule benefit you get from practicing security through obscurity
weighed against your server now being a willing accomplice in a
denial-of-service attack.  The same script kiddies are far less likely to
select a nailed down service in order to mailbomb someone by proxy,
instead it's much easier to shove a few thousand messages with a few
thousand bad recipients into Qmail's queue, then sit back and watch Qmail
unload a few million messages into the target's mailbox.

> system that advertises usernames will be broken into first, on
> average, because the crackers will waste less time trying to break
> into nonexistent accounts.

I've yet to hear of a single documented case of someone using sendmail in
this fashion in order to crack into accounts.  If a cracker wants to
collect valid addresses to try to crack into, they're far less likely to
start banging on port 25, which is usually logged on sendmail boxes, and be
noticed, instead of simply harvesting the addresses off the search engines or
Dejanews, which is virtually undetectable.
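The bounce-by-proxy scenario above, as an added example that is not code from the thread and not qmail's or sendmail's own logic: a toy MTA that either rejects unknown recipients at RCPT TO time ("nailed down") or accepts everything into its queue and bounces later to an envelope sender it never verified. The local user table, domain names and the victim address are constructed; the toy also assumes one bounce per undeliverable recipient, the worst case, whereas many MTAs fold all failed recipients of one message into a single bounce. The point it shows is that the strict server generates no backscatter at all, because the forged sender never gets anything queued on its behalf.

```python
"""Toy model of bounce amplification (constructed example, not an MTA's code).

An attacker injects messages with a forged envelope sender (the victim) and
many nonexistent recipients.  A lenient MTA accepts them all at RCPT TO and
later bounces each one to the victim; a strict MTA answers 550 during the
SMTP dialogue, so nothing is queued and nothing bounces.
"""

from dataclasses import dataclass, field

LOCAL_DOMAIN = "example.com"              # hypothetical local domain
LOCAL_USERS = {"alice", "bob", "carol"}   # constructed local user table


@dataclass
class Queue:
    queued: list = field(default_factory=list)    # (envelope sender, rcpt, body)
    bounces: list = field(default_factory=list)   # (failed rcpt, bounce goes to)


class ToyMTA:
    def __init__(self, reject_unknown_at_rcpt: bool):
        self.strict = reject_unknown_at_rcpt
        self.queue = Queue()

    def is_local_user(self, rcpt: str) -> bool:
        local, _, domain = rcpt.partition("@")
        return domain == LOCAL_DOMAIN and local in LOCAL_USERS

    def smtp_transaction(self, mail_from: str, rcpts: list, body: str = "x") -> list:
        """Run the envelope phase of one SMTP transaction.

        Returns the reply given to each RCPT TO.  In strict mode unknown local
        recipients are refused with 550 before anything touches the queue; in
        lenient mode every recipient is accepted and queued.
        """
        replies = []
        for rcpt in rcpts:
            if self.strict and not self.is_local_user(rcpt):
                replies.append("550 no such user")
                continue
            replies.append("250 ok")
            self.queue.queued.append((mail_from, rcpt, body))
        return replies

    def run_queue(self) -> int:
        """Deliver queued mail; anything undeliverable becomes a bounce.

        The bounce is addressed to the envelope sender the client claimed,
        which the MTA never verified.  Returns the number of local deliveries.
        """
        delivered = 0
        for sender, rcpt, _body in self.queue.queued:
            if self.is_local_user(rcpt):
                delivered += 1
            else:
                self.queue.bounces.append((rcpt, sender))   # one bounce per rcpt (assumption)
        self.queue.queued.clear()
        return delivered


def backscatter_to(mta: ToyMTA, victim: str) -> int:
    """Count bounces the MTA will fire at the forged envelope sender."""
    return sum(1 for _rcpt, to in mta.queue.bounces if to == victim)


def simulate(strict: bool, n_messages: int, n_bad_rcpts: int,
             victim: str = "victim@target.example") -> int:
    """Inject n_messages, each with n_bad_rcpts nonexistent recipients plus one
    real one, all with the victim as forged envelope sender; return how many
    bounces the victim receives once the queue runs."""
    mta = ToyMTA(reject_unknown_at_rcpt=strict)
    bad = [f"nosuchuser{i}@{LOCAL_DOMAIN}" for i in range(n_bad_rcpts)]
    for _ in range(n_messages):
        mta.smtp_transaction(victim, bad + [f"alice@{LOCAL_DOMAIN}"])
    mta.run_queue()
    return backscatter_to(mta, victim)


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lenient",
              simulate(strict, n_messages=1000, n_bad_rcpts=1000), "bounces to victim")
```

Note that the strict server does leak which local users exist (250 versus 550 at RCPT TO), which is exactly the trade-off argued over in the thread; what the example makes concrete is the other side of the scale, the number of messages a lenient relay will deliver to a third party on an attacker's behalf.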
