COMMAND

    NTmail

SYSTEMS AFFECTED

    Those running NTmail version 4 or 5

PROBLEM

    George found the following.  In the configuration screens there is
    an option on the ESMTP settings to turn the VRFY command off.  He
    had his mail servers set that way, believing that VRFY was then
    disabled.  Running David's CIS.EXE program showed, lo and behold,
    that the mail servers have VRFY turned ON!!  What does this mean,
    you ask?  Spammers use scripts to harvest email addresses.  These
    scripts basically run a brute force "attack" on a mail server,
    trying a dictionary of common email addresses to see if they
    exist, and harvest the ones they can confirm as active.

    With the VRFY command enabled this is incredibly easy.  Here is a
    sample session:

        J:\>netcat mail.gordano.com 25
        220 mail.net-shopper.co.uk NTMail (v5.01.0003/AB0000.00.719cfeeb) ready for ESMTP transfer
        vrfy johns
        250 johns@net-shopper.co.uk <johns@net-shopper.co.uk>.
        vrfy postmaster
        250 postmaster@net-shopper.co.uk <postmaster@net-shopper.co.uk>.
        vrfy xxxxx
        557 String does not match anything.

    As you can see, the mail server happily tells them not only when
    they hit an active account, but also gives them the domain name.
    This makes it very easy to write a single script that can be used
    against ALL NTmail 4 or 5 servers for email address harvesting.

SOLUTION

    This has been raised as an Observation Report to be fixed in the
    next release of NTMail.  To switch off the VRFY command, select
    "Support > System Variables" and choose the "AllowVRFY" variable
    from the drop-down.  Set this to the value 0 and press "Change
    Value".  You will now see the response:

        558 VRFY not allowed

    In NTmail 5 this does fix things and turns VRFY off; however, in
    NTmail 4.3c it is broken and does nothing.
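
    Since neither the ESMTP screen nor, on 4.3c, the "AllowVRFY"
    variable can be trusted, the setting is best confirmed from the
    wire.  The script below is an added example, not part of the
    original advisory or of NTmail; its file and function names, and
    its treatment of 252 and 502 as "off", are assumptions.

```python
import smtplib
import sys

# 250/251/252/502 are standard SMTP reply codes (RFC 5321); 557 and 558 are
# the NTmail replies quoted in this advisory. Anything else is left for a
# human to read rather than guessed at.
ANSWERS = {250, 251, 557}   # confirms or denies the mailbox: VRFY is live
REFUSES = {252, 502, 558}   # declines to verify anything: VRFY is off


def parse_reply(line):
    """Split a raw reply line such as '558 VRFY not allowed'."""
    line = line.strip()
    return int(line[:3]), line[4:]


def classify_vrfy_reply(code):
    """Map one VRFY reply code to 'enabled', 'disabled' or 'unknown'."""
    if code in ANSWERS:
        return "enabled"
    if code in REFUSES:
        return "disabled"
    return "unknown"


def audit_vrfy(host, port=25, mailbox="postmaster", timeout=10):
    """Send a single VRFY to a server you administer; return (state, reply)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        code, msg = smtp.verify(mailbox)
    return classify_vrfy_reply(code), f"{code} {msg.decode(errors='replace')}"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vrfy_audit.py <your-mail-host>")
    state, reply = audit_vrfy(sys.argv[1])
    print(f"VRFY {state}: {reply}")
    # Non-zero exit lets a scheduled job alert when VRFY is not confirmed off.
    sys.exit(0 if state == "disabled" else 1)
```

    Note that 557 counts as "enabled": a "does not match" answer is
    still an answer, so the server is acting as an address oracle.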