Banner Grabs Can Give a Hacker Information to Attack E-mail - dummies

By Kevin Beaver

When hacking an e-mail server, a hacker’s first order of business is performing a basic banner grab to see whether he can discover what e-mail server software is running. This is one of the most critical tests to find out what the world knows about your SMTP, POP3, and IMAP servers.

Gather information

You can see the banner displayed on an e-mail server when a basic telnet connection is made on port 25 (SMTP). To do this, at a command prompt, simply enter telnet ip_or_hostname_of_your_server 25. This opens a telnet session on TCP port 25.


The e-mail software type and server version are often very obvious and give hackers some ideas about possible attacks, especially if they search a vulnerability database for known vulnerabilities of that software version.


You can gather information on POP3 and IMAP e-mail services by telnetting to port 110 (POP3) or port 143 (IMAP).

If you change your default SMTP banner, don’t think that no one can figure out the version. General vulnerability scanners can often detect the version of your e-mail server. One Linux-based tool called smtpscan determines e-mail server version information based on how the server responds to malformed SMTP requests. The smtpscan tool detected the product and version number of the e-mail server.


Countermeasures against banner attacks

There isn’t a 100 percent secure way of disguising banner information. Take a look at these banner security tips for your SMTP, POP3, and IMAP servers:

  • Change your default banners to cover up the information.

  • Make sure that you’re always running the latest software patches.

  • Harden your server as much as possible by using well-known best practices from such resources as the Center for Internet Security and NIST.
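
To verify the first countermeasure on servers you administer, the following added example (not from the original article) reads the greeting on the three ports the article names and reports whether it still gives away a product name or version. The product list, the version pattern and the function names are assumptions made for illustration.

```python
import re
import socket
import sys

# Ports the article names: SMTP 25, POP3 110, IMAP 143.
SERVICES = {"smtp": 25, "pop3": 110, "imap": 143}

# Assumption: illustrative product list; extend it for the software you run.
PRODUCTS = ("postfix", "exim", "sendmail", "dovecot", "courier", "cyrus")
# Heuristic: dotted numbers not glued to a hostname label, e.g. 4.96 or v2.3.21.
VERSION_RE = re.compile(r"(?<![\w.])v?\d+(?:\.\d+)+(?:[-_]\w+)?")


def grab_banner(host, port, timeout=5.0):
    """Connect as telnet would and return the first greeting line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while b"\n" not in data and len(data) < 1024:
            chunk = sock.recv(256)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n", 1)[0].decode("ascii", "replace").strip()


def assess_banner(banner):
    """Classify what a greeting gives away: 'version', 'product' or 'none'."""
    products = [p for p in PRODUCTS if p in banner.lower()]
    versions = VERSION_RE.findall(banner)
    level = "version" if versions else "product" if products else "none"
    return {"level": level, "products": products, "versions": versions}


def audit_host(host):
    """Check each mail port on a server you administer; skip closed ports."""
    findings = {}
    for name, port in SERVICES.items():
        try:
            findings[name] = assess_banner(grab_banner(host, port))
        except OSError:
            findings[name] = None  # port closed, filtered or timed out
    return findings


if __name__ == "__main__":
    # 'none' only means the greeting is clean; as the article notes, scanners
    # can still identify the software from its responses, so keep patching.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for service, result in audit_host(host).items():
        print(service, result)
```

Run it with the hostname of your own mail server as the only argument; a `None` entry means that port did not answer.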