SMTP: Best practices

RFC 5068 recommends that mail clients submit messages over the dedicated submission port 587 with SMTP authentication, rather than relaying unauthenticated through port 25, which should be reserved for server-to-server transfer (Sender Policy Framework, 2007). A server that relays for anyone becomes a mass relay for spam: it ties up resources on rejection notices bouncing back and forth, and the legitimate SMTP server may end up blacklisted as a source of spam (McKeag, 2004).

SMTP servers often reveal more about themselves to potential attackers than they should. The HELP command, and in many default configurations the greeting banner, disclose what server software and version is running, which lets an attacker pick version-specific attacks against the server (McKeag, 2004). Disable HELP where possible and trim the banner so that it no longer names the product or version. Hiding the version is defence in depth, not a substitute for patching: a server can still be fingerprinted from the wording of its replies and the extensions it advertises.

Similarly, the VRFY command can be used to test whether a user account exists on the server. Once an attacker has a positive result, only the password remains to be guessed (McKeag, 2004). Disable VRFY, or have it answer every query with the non-committal 252 reply ("Cannot VRFY user, but will accept message and attempt delivery") that RFC 5321 defines, so that existing and non-existing accounts cannot be told apart.

The EXPN command normally allows an administrator to expand a mailing list and see which recipients are on it, but the same command lets an attacker harvest the addresses that currently exist on the system. It should be disabled, or restricted to administrators only (McKeag, 2004).

Some input validation is also called for. RFC 5321 caps an SMTP command line at 512 octets including the terminating CRLF, so a longer line arriving in any command other than the DATA stream should be rejected with a 500 reply rather than parsed: it is either a broken client or an attempt to overflow a fixed-size buffer (McKeag, 2004). Note that SMTP extensions the server advertises may legitimately raise this limit for particular commands, so enforce the limit the server actually supports rather than a hard-coded 512 in every case.
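The following is an added example, not code from the cited sources: a toy SMTP responder (stdlib only) with a weak mode and a hardened mode, together with an audit client that probes the points discussed above (version disclosure in the banner and HELP reply, VRFY account enumeration, EXPN list expansion, unauthenticated relay, and over-long command lines). The hostname mail.example.test, the domain example.test, the user list and the product string "ToyMTA 1.2.3" are all constructed for the demonstration. The relay probe stops after RCPT and never issues DATA, so no message is actually sent.

```python
import re
import socket
import socketserver
import threading

LOCAL_DOMAIN = "example.test"          # constructed: domain the toy server accepts mail for
KNOWN_USERS = {"alice", "postmaster"}  # constructed: accounts the toy server knows about
MAX_CMD_LINE = 512                     # RFC 5321 4.5.3.1.4: command line incl. CRLF, in octets


class ToySmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder; self.server.hardened selects weak or hardened behaviour."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        hardened = self.server.hardened
        # Weak banner names the software and version; the hardened one does not.
        self.reply("220 mail.example.test ESMTP" if hardened
                   else "220 mail.example.test ESMTP ToyMTA 1.2.3 ready")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            if hardened and len(raw) > MAX_CMD_LINE:
                self.reply("500 5.5.2 Line too long")  # refuse to parse over-long commands
                continue
            verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 mail.example.test")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.reply("250 OK")
            elif verb == "RCPT":
                # Hardened: accept recipients in the local domain only (no AUTH in this toy).
                m = re.search(r"@([^>\s]+)", arg)
                foreign = (m.group(1).lower() if m else "") != LOCAL_DOMAIN
                self.reply("554 5.7.1 Relay access denied" if hardened and foreign else "250 OK")
            elif verb == "HELP":
                self.reply("502 5.5.1 Command not implemented" if hardened else
                           "214 ToyMTA 1.2.3 commands: HELO EHLO MAIL RCPT DATA VRFY EXPN")
            elif verb == "VRFY":
                user = arg.strip().strip("<>").split("@")[0].lower()
                self.reply("502 5.5.1 VRFY command is disabled" if hardened else
                           ("250 %s@%s" % (user, LOCAL_DOMAIN) if user in KNOWN_USERS
                            else "550 5.1.1 User unknown"))
            elif verb == "EXPN":
                self.reply("502 5.5.1 Command not implemented" if hardened else
                           "250 " + ", ".join(sorted(u + "@" + LOCAL_DOMAIN for u in KNOWN_USERS)))
            elif verb == "QUIT":
                self.reply("221 Bye")
                return
            else:
                self.reply("500 5.5.2 Command unrecognized")


class ToySmtpServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, hardened):
        super().__init__(("127.0.0.1", 0), ToySmtpHandler)  # port 0: pick a free port
        self.hardened = hardened


def start_server(hardened):
    srv = ToySmtpServer(hardened)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def looks_like_version(reply):
    """Heuristic: a dotted number survives after stripping the reply code and enhanced status code."""
    body = re.sub(r"^\d{3}[ -](\d\.\d+\.\d+\s*)?", "", reply, flags=re.M)
    return re.search(r"\b\d+\.\d+(\.\d+)*\b", body) is not None


def smtp_audit(host, port):
    """Run the probes discussed above; True in the result means the weakness is present."""
    with socket.create_connection((host, port), timeout=5) as sock:
        f = sock.makefile("rwb")

        def read_reply():  # collect multi-line replies ("250-..." continues, "250 ..." ends)
            lines = []
            while True:
                line = f.readline().decode(errors="replace").rstrip("\r\n")
                lines.append(line)
                if len(line) < 4 or line[3] != "-":
                    return "\n".join(lines)

        def cmd(text):
            f.write(text.encode() + b"\r\n")
            f.flush()
            return read_reply()

        findings = {"banner_version": looks_like_version(read_reply())}
        cmd("EHLO audit.example.test")
        help_reply = cmd("HELP")
        findings["help_enabled"] = help_reply.startswith("214")
        findings["help_version"] = looks_like_version(help_reply)
        known, unknown = cmd("VRFY alice"), cmd("VRFY nosuchuser-x9")
        findings["vrfy_enumerates"] = known.startswith("250") or known[:3] != unknown[:3]
        findings["expn_enabled"] = cmd("EXPN staff").startswith("250")
        cmd("MAIL FROM:<probe@audit.example.test>")  # relay test stops before DATA: nothing is sent
        findings["open_relay"] = cmd("RCPT TO:<relaytest@elsewhere.example>").startswith("250")
        cmd("RSET")
        findings["long_line_accepted"] = cmd("NOOP " + "A" * 600).startswith("250")
        cmd("QUIT")
    return findings


if __name__ == "__main__":
    for hardened in (False, True):
        srv = start_server(hardened)
        print("hardened" if hardened else "weak", smtp_audit("127.0.0.1", srv.server_address[1]))
        srv.shutdown()
        srv.server_close()
```

Run against the weak server every finding is True; against the hardened one every finding is False. The version check is a heuristic (any dotted number outside the reply and enhanced status codes), so a banner containing an IP address or a date can produce a false positive; read the raw banner before acting on it. Pointed at a real server, the probe only issues commands a legitimate client would, but run it against systems you are authorised to test.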
