| Posted by Johnny Cache, 10-26-2012, 10:19 PM | | The Google search results point to "yes", but I haven't yet found anything that completely confirms this.
Today I signed a client who's got an office on my floor, after his Go Daddy "Dream Team" developed website's unprotected contact form and sales@ mailbox were targeted by what appears to me as a dictionary attack. Hundreds of postmaster@//apache@ delivery failures from common domains like bbb.org/ups.com/microsoftmail.com - and several hundred ccTLD domain extensions. What's more, the "Dream" team didn't captcha the contact form which also has the potential for abuse. (Note: I am unaware if GoDaddy offered to captcha and the client denied, so I'm not pointing fingers yet)
As I know it, running VRFY can produce this type of behavior. I've not enabled callout verification on my shared hosting VM, but I've corrected this for a small handful of my VPS clients who enabled it without researching, assuming it's a good idea because of the word "verify" - yet whenever I turn it off, the logs immediately go back to the normal customer/legit activity.
Does anyone know for particular that Go Daddy does have VRFY enabled?
Thanks --John
|
| Posted by BestServerSupport, 10-26-2012, 11:32 PM | | I think it will be better to directly confirm this with Godaddy Support people by submitting a ticket.
|
| Posted by Johnny Cache, 10-27-2012, 12:03 AM | | I've considered that, but since I'm not their customer, I doubt they would disclose such information to a total stranger, if at all. I figured I'd start here first. Besides, although it would be good info to have, next week it technically doesn't concern me.
Thank you, however, for the suggestion!
|
| Posted by MikeZavatta, 10-29-2012, 04:06 PM | | John,
Let me see if I can help answer your questions about Go Daddy. First, our Dream Design Team can add captchas to forms upon request. Second, you seems like you are asking if we have checks in place to verify if an address exists. We do. If an email is sent to an email address that doesn't exist it will be bounced back unless that domain has a catchall email address setup. If I misunderstood your question about email please let me know.
|
| Posted by Johnny Cache, 10-29-2012, 10:22 PM | | Thanks very much for responding publicly with answers to my question. I'll pass this on to the client so that he can contact you about having these changes made.
I'm willing to admit that my assumption about disclosing information to someone who's not a customer, was incorrect.
|
| Posted by MikeZavatta, 10-30-2012, 03:18 PM | | I am glad I could help. If you have any other questions I will do my best to answer them.
|
|
 Add to Favourites
 Print this Article
|
