SMTP VRFY and EXPN

You might be dismayed to learn that the login names of ordinary users can be used to break into a system. It is not, for example, all that unusual for a user to select a password that is simply a copy of his login name, first name, last name, or some combination of initials. A risk of attack can arise from outsiders guessing login names. Any that they find can be used to try to break in, and the SMTP VRFY gives an attacker the means to discover login names.

Login names are also a way to gather addresses for spam email messages. The SMTP VRFY command, too, can be used to collect names for that illicit use.

The SMTP VRFY command causes sendmail to verify that it will accept an address for delivery. If a user’s login name is given, the full name and login name are printed:

vrfy george
250 George Washington <george@wash.dc.gov>

Here, the 250 SMTP reply code (see RFC821) means a successful verification.[66] If the user is unknown, however, sendmail says so:

vrfy foo
550 5.7.1 foo... User unknown

The SMTP EXPN command is similar to the VRFY command, except that in the case of a mailing list, an aliases, or a ~/.forward file entry, it will show all the members. The SMTP EXPN command causes sendmail to expand (show all the recipients) of an address. To illustrate the risk, consider that many sites have aliases that include all or a large segment of users. Such aliases often have easily guessed names, such as all, everyone, or staff. A probe of all, for example, might produce ...

Get sendmail, 4th Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.