SMTP Enumeration.

Yet another effective way of gathering information from a target is through the use of SMTP. This protocol is designed to send messages between servers that send and receive email. SMTP is the standard used by the majority of email servers and clients today. So how is this protocol used to gather information from a server? The process is quite simple if you have a fundamental understanding of a few commands and how to use them.

Using VRFY

One easy way to verify the existence of email accounts on a server is by using the telnet command to attach to the target and extract the information. The VRFY command is used within the protocol to check whether a specific user ID is present. However, this same command can be used by an attacker to locate valid accounts for attack, and if scripted, it could also be used to extract multiple accounts in a short time.

Using EXPN

EXPN is another valuable command for a pentester or an attacker. The command is similar in functioning to the VRFY command, but rather than returning one user, it can return all the users on a distribution list:

telnet 25 (where is the server IP and 25 is the port for SMTP) 220 server1 ESMTP Sendmail 8.9.3


501 HELO requires domain address


250 server1 Hello [], pleased to meet you

EXPN link

250 Super-User <link@myhost>

EXPN zelda

550 zelda… User unknown


The command RCPT TO identifies the recipient of an email message. This command can be repeated multiple times for a given message in order to deliver a single message to multiple recipients.

SMTP Relay

The SMTP Relay service lets users send emails through external servers. Open email relays aren’t the problem they used to be, but you still need to check for them. Spammers and hackers can use an email server to send spam or malware through email under the guise of the unsuspecting open-relay owner.


Leave a Reply

Your email address will not be published. Required fields are marked *