SMTP Enumeration

What is SMTP?

The Simple Mail Transport Protocol has been around since the birth of computing.  SMTP is very simple and is used to send email messages as opposed to POP3 or IMAP which can be used to both send and receive messages. It is, as generally are all protocols defined by a distinct set of rules (RFC's) which govern how it works and should respond.

SMTP generally relies on using Mail Exchange (MX) servers to direct the mail to via the Domain Name Service, however, should an MX server not be detected, SMTP will revert and try an A or alternatively SRV records. 

SMTP generally runs on port 25, although I have seen on a number of occasions it running on port 587 (submission).

Being a simple protocol, it is possible to directly interact with SMTP via the use of a telnet prompt i.e.

telnet 192.168.0.1 25

220 uk03.cak.uk ESMTP Sendmail 8.9.3; Wed, 9 Nov 2005 15:29:50 GMT

EXPN ROOT

250 <root@uk03.nu.cak.uk>

250 <smith.j@uk03.nu.cak.uk>

EXPN BIN

250 <bin@uk03.nu.cak.uk>

VRFY NOBODY

250 <nobody@uk03.nu.cak.uk>

EXPN NOBODY

250 /dev/null@uk03.nu.cak.uk>

VRFY ORACLE

550 ORACLE... User unknown

QUIT

Enumerates that there are a number of valid accounts on this host, notably root and smith.j.  From this information you could then try and brute-force the password having the username already or if you were a spammer, would have some valid accounts to send mail to.

A more detailed explanation and links to associated documentation and RFC's etc. can be found here.

Hopefully the tools I have reviewed will go some way to help you enumerate any SMTP servers you find.