SMTP Hacks and How to Guard Against Them

By Kevin Beaver

Some hacks exploit weaknesses in the Simple Mail Transfer Protocol (SMTP). This e-mail communication protocol was designed for functionality, not security. So, ensuring that you have some level of security will help protect your information.

Account enumeration

A clever way that attackers can verify whether e-mail accounts exist on a server is simply to telnet to the server on port 25 and run the VRFY command. The VRFY command makes a server check whether a specific user ID exists. Spammers often automate this method to perform a directory harvest attack, which is a way of gleaning valid e-mail addresses from a server or domain for hackers to use.

Attacks using account enumeration

Scripting this attack can test thousands of e-mail address combinations.

image0.jpg

The SMTP command EXPN might allow attackers to verify what mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your system.

image1.jpg

Another way to somewhat automate the process is to use the EmailVerify program in TamoSoft’s Essential NetTools.

image2.jpg

Yet another way to capture valid e-mail addresses is to use theHarvester to glean addresses via Google and other search engines. You can download BackTrack Linux to burn the ISO image to CD or boot the image directly through VMWare or VirtualBox. In the BackTrack GUI, simply choose Backtrack→Information Gathering→SMTP→Goog Mail Enum and enter ./goog-mail.py –d <your_domain_name> -l 500 –b google.

image3.jpg

Countermeasures against account enumeration

If you’re running Exchange, account enumeration won’t be an issue. If you’re not running Exchange, the best solution for preventing this type of e-mail account enumeration depends on whether you need to enable the VRFY and EXPN commands:

  • Disable VRFY and EXPN unless you need your remote systems to gather user and mailing list information from your server.

  • If you need VRFY and EXPN functionality, check your e-mail server or e-mail firewall documentation for the ability to limit these commands to specific hosts on your network or the Internet.

Ensure that company e-mail addresses are not posted on the web.

Relay

SMTP relay lets users send e-mails through external servers. Open e-mail relays aren’t the problem they used to be, but you still need to check for them. Spammers and hackers can use an e-mail server to send spam or malware through e-mail under the guise of the unsuspecting open-relay owner.

Automatic testing

Here are a couple of easy ways to test your server for SMTP relay:

In NetScanTools Pro, you simply enter values for the SMTP mail server name, Your Sending Domain Name. Inside Test Message Settings, enter the Recipient Email Address and Sender’s Email Address.

When the test is complete, simply click View Relay Test Results.

image5.jpg

Manual testing

You can manually test your server for SMTP relay by telnetting to the e-mail server on port 25. Follow these steps:

  1. Telnet to your server on port 25.

    You can do this in two ways:

    • Use your favorite graphical telnet application, such as HyperTerminal or SecureCRT.

    • Enter the following command at a Windows or UNIX command prompt:

     telnet mailserver_address 25

    You should see the SMTP welcome banner when the connection is made.

  2. Enter a command to tell the server, “Hi, I’m connecting from this domain.”

  3. Enter a command to tell the server your e-mail address.

  4. Enter a command to tell the server who to send the e-mail to.

  5. Enter a command to tell the server that the message body is to follow.

  6. Enter the following text as the body of the message:

  7. End the command with a period on a line by itself.

    The final period marks the end of the message. After you enter this final period, your message will be sent if relaying is allowed.

  8. Check for relaying on your server:

    • Look for a message similar to Relay not allowed coming back from the server.

Countermeasures against SMTP relay attacks

You can implement the following countermeasures on your e-mail server to disable or at least control SMTP relaying:

  • Disable SMTP relay on your e-mail server. If you don’t know whether you need SMTP relay, you probably don’t. You can enable SMTP relay for specific hosts on the server or within your firewall configuration.

  • Enforce authentication if your e-mail server allows it. You might be able to require password authentication on an e-mail address that matches the e-mail server’s domain. Check your e-mail server and client documentation for details on setting this up.

E-mail header disclosures

If your e-mail client and server are configured with typical defaults, a hacker might find critical pieces of information:

  • Internal IP address of your e-mail client machine

  • Software versions of your client and e-mail server along with their vulnerabilities

  • Hostnames that can divulge your network naming conventions

Countermeasures against header disclosures

The best countermeasure to prevent information disclosures in e-mail headers is to configure your e-mail server or e-mail firewall to rewrite your headers, by either changing the information shown or removing it. Check your e-mail server or firewall documentation to see whether this is an option.

If header rewriting is not available, you still might prevent the sending of some critical information, such as server software version numbers and internal IP addresses.

Malware

E-mail systems are regularly attacked by such malware as viruses and worms. Verify that your antivirus software is actually working.

EICAR offers a safe option for checking the effectiveness of your antivirus software.

EICAR is a European-based malware think tank that has worked in conjunction with anti-malware vendors to provide this basic system test. The EICAR test string transmits in the body of an e-mail or as a file attachment so that you can see how your server and workstations respond. You basically access this file on your computer to see whether your antivirus software detects it:

image6.jpg

X5O!P%@AP[4PZX54(P^)7CC)7}$EICAR STANDARD-ANTIVIRUS-TEST-FILE!$H+H*