Simple Mail Transfer Protocol (SMTP) is an application-layer protocol used over TCP/IP for sending and relaying emails between servers. SMTP Enumeration involves probing mail servers to identify valid users, system behavior and misconfigurations, often aiding penetration testing for discovering accounts usable in attacks like phishing or brute-force attempts.
- Enumeration helps identify valid email users
- Misconfigurations may expose user information
- Common ports: 25 (SMTP), 587 (submission), 465 (SMTPS)
Important SMTP Commands Used in Enumeration
- VRFY (Verify): Checks if a specific user exists. May return valid usernames if enabled
- EXPN (Expand): Expands mailing lists into individual addresses. Can expose multiple user accounts
- RCPT TO: Tests whether a recipient email address is valid. Helps confirm active mailboxes
Note: If a server responds positively to these commands, it may unintentionally expose valid user accounts.
SMTP Architecture Context
SMTP works within a client-server model:
- SMTP Client: Sends email requests
- SMTP Server: Processes and forwards email messages
- Mail Transfer Agents (MTAs): Relay emails between servers
SMTP Enumeration Techniques
SMTP enumeration can be performed by using different tools and scripts like telnet, Nmap and smtp-user-enum.
1. Using Telnet for SMTP enumeration
Telnet allows manual interaction with SMTP servers. By connecting to the SMTP service, an attacker can test commands such as VRFY, EXPN, MAIL FROM and RCPT TO to discover valid users and server behavior.
Syntax:
telnet <domain/IP> <port>- <domain/IP>: Target mail server
- <port>: SMTP port (usually 25, 587 or 465)
Output:
later you can use EXPN, MAIL FROM and RCPT TO after connecting to the target host.
2. Using Nmap for SMTP enumeration
Nmap provides NSE scripts that help enumerate SMTP users and gather server details such as valid accounts and configuration behavior.
sudo nmap -p 25 --script smtp-enum-users <target IP/domain>- -p 25: SMTP port
- --script smtp-enum-users: Enumerates valid SMTP users
- <target>: Target domain or IP
Example:
3. Using Metasploit for SMTP Enumeration
Metasploit provides auxiliary modules for SMTP enumeration, such as smtp_enum and smtp_version, which help identify valid users and SMTP server details.
smtp_enum Module:
msf6 > use auxiliary/scanner/smtp/smtp_enum
msf6 auxiliary(smtp_enum) > set RHOSTS <target IP>
msf6 auxiliary(smtp_enum) > set RPORT 25
msf6 auxiliary(smtp_enum) > set USER_FILE <path_to_user_list>
msf6 auxiliary(smtp_enum) > run
- RHOSTS: Target IP
- RPORT: SMTP port
- USER_FILE: File containing possible usernames
Output:
smtp_version Module:
msf6 > use auxiliary/scanner/smtp/smtp_version
msf6 auxiliary(smtp_version) > set RHOSTS <target IP>
msf6 auxiliary(smtp_version) > set THREADS 250
msf6 auxiliary(smtp_version) > run
- RHOSTS: Target system
- THREADS: Number of parallel requests
Output:
Security Considerations
- Disable VRFY and EXPN commands on production servers
- Restrict SMTP access to trusted networks only
- Implement authentication for mail submission (SMTP AUTH)
- Use encrypted communication (STARTTLS or SMTPS)
- Monitor SMTP logs for enumeration attempts
- Prevent user enumeration through generic server responses
Use Cases of SMTP Enumeration
- Penetration testing for email security
- Identifying valid user accounts for phishing simulations
- Auditing mail server configurations
- Detecting insecure SMTP implementations
- Training cybersecurity professionals on email-based attacks