
I was performing some spam testing on an Axigen server when I discovered a flaw, and I would like to know if it can be disabled.

On the system I was testing, the server will spit out 550 error messages whenever an invalid user is passed as an RCPT TO: argument.

Example:

MAIL FROM: <Test@example.com>
250 Sender Accepted

RCPT TO: InvalidUser
550 User Not Found

RCPT TO: ValidUser
250 Recipient Accepted

I would like to know if it is possible to disable the 550 Messages, as this would allow an attacker to discover valid usernames.

masegaloeh

1 Answer


The term used for this kind of setup is a catch-all email account. The Axigen knowledge base has an article about how to set up a catch-all account.

In order to receive mails directed to non-existent addresses on a local defined domain, please follow these steps:

  1. Login to the Webadmin interface using the admin account
  2. Navigate to Domains & Accounts -> Manage Domains -> Edit domain's preferences
  3. In the Catch-all area you have 3 options:
    • Reject (default)
    • Redirect to Public folder - if this is selected you must provide the name of the public folder where such emails will be delivered
    • Redirect to Account - if this is selected you must provide the account name (without the @domainname.tld because it is pre-assigned) and the folder where such emails will be delivered (for example: Inbox).

Additional note, quoted from a similar question: Preventing RCPT TO: username enumeration in sendmail on ubuntu

A "catch all" address is not always a good solution. Think about whether you want senders that typed the wrong address to be informed of their mistake or not.

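If the 550 rejections are kept (the default), the exposure in the question can at least be watched for on the server side. The following is an added example, not code from the question, the answer, or Axigen: it reads SMTP log lines and flags a client that collects 550 rejections for many distinct recipients within a short window, which is what an address-probing session looks like versus a sender's single typo. The log format is constructed for the example and must be adapted to the real server's log layout.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not Axigen's real layout):
# "<date> <time> <client-ip> RCPT <recipient> <smtp-code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) RCPT (?P<rcpt>\S+) (?P<code>\d{3})$"
)

# Constructed sample: one client walks through several addresses and is
# rejected for each, another client makes a single typo.
SAMPLE_LOG = """\
2024-01-01 10:00:01 203.0.113.5 RCPT alice@example.com 250
2024-01-01 10:00:02 203.0.113.5 RCPT bob@example.com 550
2024-01-01 10:00:02 203.0.113.5 RCPT carol@example.com 550
2024-01-01 10:00:03 203.0.113.5 RCPT dave@example.com 550
2024-01-01 10:00:03 203.0.113.5 RCPT erin@example.com 550
2024-01-01 10:00:04 203.0.113.5 RCPT frank@example.com 550
2024-01-01 10:00:10 198.51.100.9 RCPT alice@example.com 250
2024-01-01 10:00:11 198.51.100.9 RCPT alcie@example.com 550
2024-01-01 10:30:00 203.0.113.5 RCPT grace@example.com 550
"""

def parse(log):
    """Yield (timestamp, ip, recipient, code) for each well-formed line."""
    for line in log.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["ip"], m["rcpt"].lower(), int(m["code"]))

def find_enumeration(log, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: distinct_rejected_recipients} for clients whose distinct
    550-rejected recipients inside any sliding window reach `threshold`."""
    rejects = defaultdict(list)  # ip -> [(ts, recipient)] for 550 responses
    for ts, ip, rcpt, code in parse(log):
        if code == 550:
            rejects[ip].append((ts, rcpt))
    flagged = {}
    for ip, hits in rejects.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            distinct = {r for _, r in hits[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged
```

The 10:30 rejection for 203.0.113.5 falls outside the window and is not counted with the earlier burst, so an occasional bad address hours apart does not raise the flag.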