Sendmail VRFY

VRFY allows an intruder to determine whether an account exists on a system, which significantly assists a brute-force attack on user accounts. It reveals additional information about users on the system, such as whether they exist and their full names. The scan engine verifies whether VRFY is turned on in sendmail.

Risk: Low/Medium

Test Performed: The scan engine verifies whether VRFY is turned on in sendmail. VRFY reveals additional information about users on the system, such as whether they exist and their full names.

Fix: If you are running sendmail, add the following line to your sendmail configuration file (usually located in /etc/sendmail.cf):

Opnovrfy

For other mail servers, contact your vendor for information on how to disable the verify command.
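
To confirm the fix is in place, the configuration file can be audited for the novrfy privacy flag. The script below is an added example, not part of the original page or of sendmail itself. It assumes the flag may appear in the short form shown above (Opnovrfy) or in the long form (O PrivacyOptions=novrfy), that flags from several option lines accumulate, and that the goaway shorthand also turns VRFY off. The sample configurations are constructed.

```python
import re
import sys

# Flags that turn VRFY off. "goaway" is sendmail's shorthand that includes novrfy.
IMPLIES_NOVRFY = {"novrfy", "goaway"}

# Short form "Op<flags>" (as on this page) and long form "O PrivacyOptions=<flags>".
_SHORT = re.compile(r"^Op\s*(?P<flags>.*)$")
_LONG = re.compile(r"^O\s+PrivacyOptions\s*=\s*(?P<flags>.*)$", re.IGNORECASE)


def privacy_flags(cf_text):
    """Return every privacy flag set in the given sendmail.cf text.

    Assumption: flags from multiple option lines accumulate, so all are merged.
    """
    flags = set()
    for line in cf_text.splitlines():
        if line.startswith("#"):  # a commented-out option does not count
            continue
        m = _SHORT.match(line) or _LONG.match(line)
        if m:
            parts = re.split(r"[,\s]+", m.group("flags"))
            flags.update(p.lower() for p in parts if p)
    return flags


def vrfy_disabled(cf_text):
    """True when the configuration contains a flag that disables VRFY."""
    return bool(privacy_flags(cf_text) & IMPLIES_NOVRFY)


# Constructed sample configurations (not taken from a real host).
SAMPLE_FIXED = "# constructed sample\nOpnovrfy\n"
SAMPLE_LONG = "O PrivacyOptions=authwarnings,noexpn\nO PrivacyOptions=novrfy\n"
SAMPLE_GOAWAY = "Opgoaway\n"
SAMPLE_WEAK = "#Opnovrfy\nO PrivacyOptions=authwarnings\n"

if __name__ == "__main__":
    # Default path is the usual location named on this page.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/sendmail.cf"
    with open(path, encoding="latin-1") as fh:
        text = fh.read()
    print("flags:", ", ".join(sorted(privacy_flags(text))) or "(none)")
    print("VRFY disabled" if vrfy_disabled(text) else "VRFY NOT disabled: add Opnovrfy")
    sys.exit(0 if vrfy_disabled(text) else 1)
```

The exit status is non-zero when the flag is missing, so the script can run from a configuration-compliance job.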