SMTP commands like VRFY and EXPN are integral to the Simple Mail Transfer Protocol, facilitating the verification and expansion of email addresses and mailing lists. When misconfigured or left enabled, these commands can be exploited to enumerate valid email addresses on a mail server.
How Do SMTP VRFY and EXPN Enumeration Reveal Valid Emails?
1. VRFY (Verify) Command
- Purpose: The VRFY command is used to verify whether a specific email address or username exists on the mail server.
- Mechanism: An attacker sends a VRFY request with a potential email address (e.g., VRFY user@example.com). If the address exists, the server responds with a success message, confirming the validity of the address. If it does not exist, the server typically responds with an error message.
- Example:
    VRFY user@example.com
- Response for a valid email:
    250 user@example.com
- Response for an invalid email:
    550 user@example.com... User unknown
2. EXPN (Expand) Command
- Purpose: The EXPN command is used to expand a mailing list, revealing all the email addresses it contains.
- Mechanism: An attacker sends an EXPN request with the name of a mailing list (e.g., EXPN staff). If the mailing list exists, the server responds with a list of all email addresses subscribed to that list.
- Example:
    EXPN staff
  This reveals the existence of multiple valid email addresses at once.
3. RCPT TO Command
- Purpose: The RCPT TO command specifies the recipient of an email during the sending process.
- Mechanism: Although RCPT TO was not designed for enumeration, an attacker can use it to test whether an address is valid by observing whether the server accepts or rejects the recipient. Because RCPT TO is required for normal mail delivery, it cannot simply be disabled the way VRFY and EXPN can, which is why rate limiting and log monitoring (see below) matter for this variant.
- Example:
    RCPT TO:<user@example.com>
Tools for SMTP Enumeration
Several tools can automate the process of SMTP enumeration:
- smtp-user-enum: A tool that can use the VRFY, EXPN, and RCPT TO commands to enumerate valid users.
- Metasploit: The Metasploit Framework includes modules for SMTP user enumeration.
- Nmap: Nmap's scripting engine includes scripts for SMTP enumeration.
Security Implications
Allowing VRFY and EXPN commands can lead to information disclosure, aiding attackers in crafting targeted attacks. To mitigate risks:
- Disable VRFY and EXPN: Configure the mail server to reject these commands (for example, Postfix's disable_vrfy_command = yes, or Sendmail's PrivacyOptions with novrfy and noexpn).
- Implement Rate Limiting: Limit the number of requests from a single IP address to slow down or block automated enumeration.
- Monitor Logs: Regularly review server logs for unusual activity indicative of enumeration attempts, such as one client issuing many VRFY, EXPN, or RCPT TO requests that are rejected with "User unknown".
- Use CAPTCHA: Implement CAPTCHA mechanisms to prevent automated tools from interacting with the server.
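As an added example (not code from the original article), here is the kind of log review the "Monitor Logs" item calls for: a small Python script that parses SMTP reject lines and flags any client IP that produces several VRFY/EXPN attempts or RCPT TO "User unknown" rejections within a short window. The sample lines are constructed and only loosely modelled on Postfix's smtpd log format; that format, the threshold, the window and the addresses are all assumptions, so adjust LINE_RE to your own MTA's logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, loosely modelled on Postfix smtpd "reject" messages (an assumption).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[1234]: NOQUEUE: reject: VRFY from unknown[203.0.113.5]: 502 5.5.1 VRFY command is disabled
Jan 10 12:00:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <alice@example.com>: Recipient address rejected: User unknown in local recipient table
Jan 10 12:00:02 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <bob@example.com>: Recipient address rejected: User unknown in local recipient table
Jan 10 12:00:03 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <carol@example.com>: Recipient address rejected: User unknown in local recipient table
Jan 10 12:00:04 mx postfix/smtpd[1234]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.1.1 <dave@example.com>: Recipient address rejected: User unknown in local recipient table
Jan 10 12:05:00 mx postfix/smtpd[1240]: NOQUEUE: reject: RCPT from mail.partner.example[198.51.100.7]: 550 5.1.1 <typo@example.com>: Recipient address rejected: User unknown in local recipient table
"""

LINE_RE = re.compile(  # timestamp, rejected command, client IP, SMTP status code
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*reject: (?P<cmd>VRFY|EXPN|RCPT) "
    r"from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
)

def parse_rejects(log_text):
    """Return a list of (timestamp, client_ip, command, status_code) for each matching line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
            events.append((ts, m["ip"], m["cmd"], int(m["code"])))
    return events

def find_enumerators(log_text, threshold=3, window_seconds=60):
    """Flag client IPs with >= threshold probe-like rejects (any VRFY/EXPN attempt, or an
    RCPT rejected with 550) inside a sliding window. Returns {ip: total probe-like rejects}."""
    by_ip = defaultdict(list)
    for ts, ip, cmd, code in parse_rejects(log_text):
        if cmd in ("VRFY", "EXPN") or (cmd == "RCPT" and code == 550):
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # slide the window start forward as needed
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))  # the scanner at 203.0.113.5 is flagged; the single partner typo is not
```

The single "User unknown" from the partner host is ordinary misaddressed mail and stays below the threshold, which is the distinction a log review needs to make before raising an alert.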
Conclusion
SMTP commands like VRFY and EXPN can be valuable for legitimate administrative purposes but pose significant security risks if left enabled. Organizations should ensure these commands are disabled or properly secured to prevent unauthorized enumeration of valid email addresses, thereby protecting against potential attacks.