Messing around, I found a critical SMTP server with the VRFY command enabled.
My Google search blew up with great results when I searched for your question title. Did you do any research? – schroeder Oct 13 '15 at 19:08

I read a little earlier this week. I guess it's obvious it is a "user enumeration vulnerability"; my question should then maybe be: does anyone care about user enumeration vulnerabilities on SMTP servers? How severe is it usually judged? If anyone wants to check it out I will send them the address. – penguin Oct 13 '15 at 19:14

Can you include those elements in your question? – schroeder Oct 13 '15 at 19:45

I'm voting to close this question as off-topic because the OP did not share any previous efforts to let us know what he does not understand with this basic question. – Oct 14 '15 at 04:48
3 Answers
Yes, but often as part of a combination of vulnerabilities. For example, if you find a system that has a login (FTP, telnet, or other) that needs a username and password, and there's an SMTP server on the same network or even the same server, then the VRFY command can often give clues to the usernames that might work for brute forcing the login.
Sometimes these very 'minor' vulnerabilities, often leaks of information, can be combined into something more serious.
Unless there is a very good reason to have this function on an SMTP server, it's a good idea to turn it off.
Similarly, you could consider silently dropping emails to non-existent accounts so that the email server can't be used for user enumeration (bouncing off emails looking for failed deliveries), but this is controversial because it's sometimes more important to tell legitimate users that they have made a mistake in the email address (and with silent drop they wouldn't know).
And... it suggests that the server lock-down might not be as good as it could be and might be worth looking at a little more closely!
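The answer above treats VRFY as a low-severity information leak that matters mainly when it feeds another attack, which is exactly the kind of thing worth spotting in server logs rather than only in a pentest report. The following is an added example, not code from the answer or from any MTA: it runs a sliding-window count of VRFY commands per client IP over a few constructed log lines (the `smtpd[...]: client=..., command=..., arg=..., reply=...` format is hypothetical, not Postfix's or any real MTA's exact format) and flags a client that probes many addresses in a burst, summarising how many replies confirmed (250) or rejected (550) the address. A single VRFY from a peer MX stays below the threshold, which is the noise a detection rule has to tolerate.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in a hypothetical smtpd log format (not any real
# MTA's exact format). One client hammers VRFY; a partner MX uses it once.
SAMPLE_LOG = """\
Oct 13 19:08:01 mail smtpd[1234]: client=unknown[203.0.113.5], command=VRFY, arg=admin@example.com, reply=250
Oct 13 19:08:02 mail smtpd[1234]: client=unknown[203.0.113.5], command=VRFY, arg=root@example.com, reply=250
Oct 13 19:08:02 mail smtpd[1234]: client=unknown[203.0.113.5], command=VRFY, arg=bob@example.com, reply=550
Oct 13 19:08:03 mail smtpd[1234]: client=unknown[203.0.113.5], command=VRFY, arg=alice@example.com, reply=550
Oct 13 19:08:04 mail smtpd[1234]: client=unknown[203.0.113.5], command=VRFY, arg=postmaster@example.com, reply=250
Oct 13 19:08:05 mail smtpd[1234]: client=unknown[203.0.113.5], command=VRFY, arg=test@example.com, reply=550
Oct 13 19:10:30 mail smtpd[1235]: client=mx.partner.example[198.51.100.7], command=VRFY, arg=sales@example.com, reply=250
Oct 13 19:11:00 mail smtpd[1236]: client=unknown[203.0.113.5], command=MAIL, arg=<x@example.net>, reply=250
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smtpd\[\d+\]: "
    r"client=[^\[\s]+\[(?P<ip>[^\]]+)\], command=(?P<cmd>\w+), "
    r"arg=(?P<arg>\S+), reply=(?P<code>\d{3})$"
)


def parse_line(line, year=2015):
    """Parse one log line into a dict, or return None for lines in another format.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "cmd": m["cmd"],
            "arg": m["arg"], "code": int(m["code"])}


def vrfy_enumeration(lines, window_seconds=60, threshold=5):
    """Return, per client IP, a summary for every client that issued at least
    `threshold` VRFY commands inside any `window_seconds` window.
    A burst of VRFY probes with a mix of 250 and 550 replies is the signature
    of account enumeration; a lone VRFY from a peer MX is normal noise."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["cmd"] == "VRFY":
            per_client[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        burst, start = 0, 0
        for end in range(len(times)):          # sliding window over timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            codes = Counter(r["code"] for r in recs)
            findings[ip] = {
                "probes": len(recs),
                "max_burst": burst,
                "targets": sorted({r["arg"] for r in recs}),
                "confirmed": codes.get(250, 0),   # server said the address exists
                "rejected": codes.get(550, 0),    # server said it does not
            }
    return findings


if __name__ == "__main__":
    for ip, f in vrfy_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {f['probes']} VRFY probes, max {f['max_burst']} per window, "
              f"{f['confirmed']} confirmed / {f['rejected']} rejected -> {f['targets']}")
```

The threshold and window are the knobs to tune per site; the point of the "confirmed/rejected" split is that a server answering 252 to everything would produce neither count, which is what makes the leak disappear.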
VRFY is a vulnerability for phishing, but these days if I see it enabled, it marks all SMTP addresses as valid... so it's still useless.
Yeah, I had that happen on another server, but on this server I am testing, admin@site was valid but 72789273872983798237328739@site was not, so I think it's real. – penguin Oct 13 '15 at 19:12
The SMTP VRFY command can be used by an adversary to verify whether an account is valid. Telnet to your e-mail server on port 25 and then type VRFY info@example.com.
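The manual check in this answer, and the second answer's observation that a server which "marks all addresses as valid" leaks nothing, both come down to reading the reply codes. Here is an added example, not code from either answer, that parses SMTP reply lines (code, optional enhanced status code, text) and decides from a pair of VRFY replies to your own server, one for a real mailbox and one for an invented name as in the comment above, whether the server actually discloses account existence. The reply strings are constructed for the example; the reply-code meanings follow RFC 5321 section 3.5.

```python
import re

# code, optional enhanced status code (x.y.z), free text; '-' marks a multi-line reply
REPLY_RE = re.compile(r"^(?P<code>\d{3})[ -](?:(?P<esc>\d\.\d{1,3}\.\d{1,3}) )?(?P<text>.*)$")


def parse_reply(line):
    """Split an SMTP reply line into (code, enhanced status code or None, text)."""
    m = REPLY_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SMTP reply: {line!r}")
    return int(m["code"]), m["esc"], m["text"]


def classify_vrfy_reply(line):
    """What a VRFY reply tells the client, per the reply codes in RFC 5321 section 3.5."""
    code, _, _ = parse_reply(line)
    if code in (250, 251):
        return "exists"      # address confirmed (251: not local, will be forwarded)
    if code == 252:
        return "opaque"      # cannot verify, will attempt delivery: nothing disclosed
    if code in (550, 551, 553):
        return "absent"      # explicit negative: this is the information leak
    if code in (500, 502):
        return "disabled"    # command disabled or not implemented
    return "other"


def leaks_account_existence(replies):
    """replies: list of (address probed, raw reply line) from your own server.
    The server is usable for enumeration only when it answers differently for
    real and invented addresses; a server that says 252, 250 or 502 to
    everything gives nothing away."""
    verdicts = {classify_vrfy_reply(r) for _, r in replies}
    return "exists" in verdicts and "absent" in verdicts


# Constructed replies from four hypothetical servers, each probed with one real
# mailbox and the random name used in the comment on the second answer.
REAL, FAKE = "admin@example.com", "72789273872983798237328739@example.com"
LEAKY = [(REAL, f"250 2.1.5 <{REAL}>"),
         (FAKE, f"550 5.1.1 <{FAKE}>: User unknown")]
OPAQUE = [(REAL, "252 2.1.5 Cannot VRFY user, but will accept message and attempt delivery"),
          (FAKE, "252 2.1.5 Cannot VRFY user, but will accept message and attempt delivery")]
ALWAYS_OK = [(REAL, f"250 2.1.5 {REAL}"),
             (FAKE, f"250 2.1.5 {FAKE}")]
DISABLED = [(REAL, "502 5.5.1 VRFY command is disabled"),
            (FAKE, "502 5.5.1 VRFY command is disabled")]

if __name__ == "__main__":
    for name, replies in [("leaky", LEAKY), ("opaque", OPAQUE),
                          ("always-ok", ALWAYS_OK), ("disabled", DISABLED)]:
        print(f"{name}: discloses account existence = {leaks_account_existence(replies)}")
```

Against a live server of your own, Python's `smtplib.SMTP.verify()` returns the `(code, message)` pair that `parse_reply` expects. On the remediation side, Postfix turns the command off with `disable_vrfy_command = yes` in `main.cf` (which produces the 502 reply shown above), and Sendmail does the same through the `novrfy` or `goaway` flags of `PrivacyOptions`.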