Analyzing attacks on e-mail communications
E-mail communications can be tampered with to send spam messages and fake e-mails from important mail accounts, and can even be used to exploit the recent Shellshock vulnerability.
The users on an SMTP server can be enumerated by using the EXPN, VRFY, or RCPT commands. This can be achieved either manually, by simply connecting to the SMTP server over port 25 and running the respective commands as shown in the following screenshot, or automatically via tools such as Nmap and Metasploit, which are discussed further in this section.
Detecting SMTP enumeration
To detect any SMTP enumeration attempts, we need to look for the following indications:
- A lot of VRFY or EXPN commands in the trace file
- Packets containing MAIL and RCPT commands with very few or no DATA commands
- A significant number of packets containing the SMTP response code 550
- A bunch of RSET commands
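The four indications above can be checked per client once the SMTP commands and replies have been exported from the trace file. The following Python sketch is an added example, not code from the original text; the record format (client IP, sender, line), the thresholds, and the sample session are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumed thresholds; tune them against normal traffic for your mail server.
PROBE_MIN = 5    # VRFY/EXPN commands per client
RCPT_MIN = 5     # RCPT commands seen with no DATA at all
REJECT_MIN = 5   # 550 replies sent to a client
RSET_MIN = 3     # RSET commands per client
COMMANDS = {"VRFY", "EXPN", "MAIL", "RCPT", "DATA", "RSET"}

def summarize(records):
    """records: iterable of (client_ip, sender, line); sender is 'C' or 'S'."""
    stats = defaultdict(Counter)
    for client, sender, line in records:
        line = line.strip()
        token = line.split(" ", 1)[0].upper()
        if sender == "C" and token in COMMANDS:
            stats[client][token] += 1
        elif sender == "S" and line.startswith("550 "):
            # Only the final line of a reply; "550-" continuations are skipped.
            stats[client]["550"] += 1
    return stats

def findings(records):
    """Return {client_ip: [reasons]} for clients matching the indicators."""
    out = {}
    for client, c in summarize(records).items():
        reasons = []
        if c["VRFY"] + c["EXPN"] >= PROBE_MIN:
            reasons.append("many VRFY/EXPN commands")
        if c["RCPT"] >= RCPT_MIN and c["DATA"] == 0:
            reasons.append("MAIL/RCPT without DATA")
        if c["550"] >= REJECT_MIN:
            reasons.append("many 550 responses")
        if c["RSET"] >= RSET_MIN:
            reasons.append("repeated RSET")
        if reasons:
            out[client] = reasons
    return out

# Constructed sample: one client probing names, one delivering normal mail.
SAMPLE = [("192.0.2.10", "C", "EHLO probe.example")]
for name in ["admin", "root", "test", "info", "sales", "backup"]:
    SAMPLE += [("192.0.2.10", "C", f"VRFY {name}"),
               ("192.0.2.10", "S", "550 5.1.1 User unknown")]
SAMPLE += [("198.51.100.7", "C", "MAIL FROM:<a@example.org>"),
           ("198.51.100.7", "C", "RCPT TO:<b@example.net>"),
           ("198.51.100.7", "S", "550 5.1.1 User unknown"),
           ("198.51.100.7", "C", "DATA")]

if __name__ == "__main__":
    for ip, reasons in findings(SAMPLE).items():
        print(ip, "->", ", ".join(reasons))
```

A single rejected recipient during normal delivery, as with the second client in the sample, stays below every threshold and is not reported.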
Using auxiliary module in Metasploit
Metasploit contains an auxiliary...