SMTP Enumeration

Another way to gather information from a target is through SMTP (Simple Mail Transfer Protocol). SMTP is the protocol used to move messages between the servers that send and receive e-mail, and it is the standard used by the majority of e-mail servers and clients today. So how can a mail-transfer protocol be used to gather information from a server? The process is quite simple once you understand a few of its commands and what the server's replies to them reveal.

Using VRFY

One easy way to verify the existence of e-mail accounts on a server is to use the telnet command to connect to the target's SMTP port and ask the server directly. The VRFY command exists in the protocol so that a sender can check whether a specific user ID is present. That same command lets an attacker locate valid accounts to attack, and if scripted it can test a whole list of candidate names in a short time. In the following session, 10.0.0.1 is the server's IP address and 25 is the SMTP port:

telnet 10.0.0.1 25
220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
VRFY chell
250 Super-User <chell@server1>
VRFY glados
550 glados... User unknown

A 250 reply confirms that the account exists; a 550 "User unknown" confirms that it does not. Note that many current mail servers have VRFY disabled and answer every query with 252 ("Cannot VRFY user") or 502 ("Command not implemented"). When that happens, the RCPT TO technique described next usually still works.

Using RCPT TO

The command RCPT TO identifies the recipient of an e-mail message; it can be repeated multiple times for a given message in order to deliver a single message to multiple recipients. Because the server must decide whether it will accept each recipient, its reply leaks the same information VRFY does: 250 for a user it knows, 550 "User unknown" for one it does not. This works even on servers that have VRFY disabled, and because the session is abandoned (with RSET or QUIT) after the last RCPT TO, no message is ever delivered. Here's an example:

telnet 10.0.0.1 25
220 server1 ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 server1 Hello [10.0.0.72], pleased to meet you
MAIL FROM:link
250 link... Sender ok
RCPT TO:link
250 link... Recipient ok
RCPT TO:zelda
550 zelda... User unknown

SMTP Relay

Relaying is what an SMTP server does when it accepts a message from a sender outside its own domain and forwards it to a recipient outside its own domain; a server that relays for anyone is an open relay. Open e-mail relays aren't the problem they used to be, but you still need to check for them. Spammers and hackers can use such a server to send spam or malware under the guise of the unsuspecting open-relay owner. The check is the same MAIL FROM / RCPT TO exchange shown above, using a sender address and a recipient address that are both foreign to the server: a properly configured server rejects the RCPT TO with a 550 "Relaying denied" (or a similar 5xx reply), whereas an open relay answers 250.
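The three checks described in this section (VRFY, RCPT TO probing, and the open-relay test) scripted together, as an added example that is not part of the original text. The FakeSmtp class is a constructed stand-in that answers the way the Sendmail 8.9.3 transcripts above do, so the script runs offline; the host name server1, the client address 10.0.0.72, the probe addresses probe@example.com and probe@example.net, and the default candidate names are assumptions. SocketSmtp offers the same two-method interface over TCP for a real target.

```python
import socket
import sys

# Reply-code verdicts for one probe (RFC 5321 semantics): 252 means VRFY is disabled
# (fall back to RCPT TO); 500/502 mean the command is not implemented at all.
VERDICT = {250: "valid", 251: "valid", 252: "unverifiable", 500: "unsupported",
           502: "unsupported", 550: "invalid", 551: "invalid", 553: "invalid"}

class FakeSmtp:
    """Constructed offline stand-in for a Sendmail 8.9.x server. The host name
    'server1', the client address 10.0.0.72 and the user set are assumptions."""
    def __init__(self, users, vrfy_enabled=True, open_relay=False):
        self.users, self.vrfy_enabled, self.open_relay = set(users), vrfy_enabled, open_relay
        self._queue = ["220 server1 ESMTP Sendmail 8.9.3"]  # the banner is read first

    def readline(self):
        return self._queue.pop(0)

    def sendline(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        addr = arg.partition(":")[2].strip().strip("<>")  # address in MAIL FROM: / RCPT TO:
        local, _, domain = addr.partition("@")
        if verb == "HELO":
            reply = ("250 server1 Hello [10.0.0.72], pleased to meet you" if arg
                     else "501 HELO requires domain address")
        elif verb == "VRFY":
            reply = ("252 Cannot VRFY user; try RCPT to attempt delivery" if not self.vrfy_enabled
                     else f"250 <{arg}@server1>" if arg in self.users else f"550 {arg}... User unknown")
        elif verb == "MAIL":
            reply = f"250 {addr}... Sender ok"
        elif verb == "RCPT" and domain in ("", "server1"):  # local delivery
            reply = f"250 {addr}... Recipient ok" if local in self.users else f"550 {addr}... User unknown"
        elif verb == "RCPT":  # foreign domain: only an open relay accepts this
            reply = f"250 {addr}... Recipient ok" if self.open_relay else f"550 {addr}... Relaying denied"
        else:
            reply = {"RSET": "250 Reset state", "QUIT": "221 server1 closing connection"}.get(verb, "500 Command unrecognized")
        self._queue.append(reply)

class SocketSmtp:
    """The same readline/sendline interface over TCP, for use against a real target."""
    def __init__(self, host, port=25, timeout=10):
        self._sock = socket.create_connection((host, port), timeout=timeout)
        self._file = self._sock.makefile("rwb")

    def readline(self):
        return self._file.readline().decode("ascii", "replace").rstrip("\r\n")

    def sendline(self, line):
        self._file.write((line + "\r\n").encode("ascii"))
        self._file.flush()

def read_reply(conn):
    """Read one reply, joining '250-...' continuation lines; returns (code, text)."""
    text = []
    while True:
        line = conn.readline()
        if len(line) < 3 or not line[:3].isdigit():
            raise RuntimeError(f"malformed reply: {line!r}")
        text.append(line[4:])
        if line[3:4] != "-":
            return int(line[:3]), "\n".join(text)

def ask(conn, command):  # send one command, return its numeric reply code
    conn.sendline(command)
    return read_reply(conn)[0]

def handshake(conn, helo_name="x"):  # consume the banner and send HELO; returns the banner text
    code, banner = read_reply(conn)
    if code != 220 or ask(conn, f"HELO {helo_name}") != 250:
        raise RuntimeError(f"server refused the session: {banner}")
    return banner

def enumerate_vrfy(conn, candidates):
    """VRFY each candidate; returns {name: verdict}."""
    return {u: VERDICT.get(ask(conn, f"VRFY {u}"), "unknown") for u in candidates}

def enumerate_rcpt(conn, candidates, sender="probe@example.com"):
    """Probe with MAIL FROM / RCPT TO, then RSET so nothing is ever queued for delivery."""
    if ask(conn, f"MAIL FROM:<{sender}>") != 250:
        raise RuntimeError("MAIL FROM rejected; try a sender the server trusts")
    verdicts = {u: VERDICT.get(ask(conn, f"RCPT TO:<{u}>"), "unknown") for u in candidates}
    ask(conn, "RSET")
    return verdicts

def is_open_relay(conn, sender="probe@example.com", recipient="probe@example.net"):
    """True if a foreign sender may address a foreign recipient, i.e. the server relays."""
    accepted = ask(conn, f"MAIL FROM:<{sender}>") == 250 and ask(conn, f"RCPT TO:<{recipient}>") == 250
    ask(conn, "RSET")
    return accepted

if __name__ == "__main__":  # python3 smtp_enum.py HOST [name ...]
    conn, names = SocketSmtp(sys.argv[1]), sys.argv[2:] or ["root", "postmaster"]  # assumed defaults
    print(handshake(conn))
    found = enumerate_vrfy(conn, names)
    if any(v in ("unverifiable", "unsupported") for v in found.values()):
        found = enumerate_rcpt(conn, names)  # VRFY blocked: RCPT TO usually still leaks the answer
    print(found, "open relay:", is_open_relay(conn))
    ask(conn, "QUIT")
```

Two things to watch when reading the verdicts. A server that answers 250 to every RCPT TO, including obviously bogus names, is configured to accept all recipients (a catch-all), so a uniform "valid" result proves nothing; compare the reply for a deliberately nonsensical name before trusting the others. And the script always ends a probe transaction with RSET rather than DATA, which is what keeps the enumeration from sending any mail.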