# SMTP

Check if sender could be [forged](https://en.wikipedia.org/wiki/Callback_verification) with an domain user:

```
$ telnet mail.example.com 25
HELO example.com
MAIL FROM: <forged@example.com>
RCPT TO: <exists@example.com>
RCPT TO: <exists@gmail.com>
```

Check if sender could be forged with a non-domain user:

```
$ telnet mail.example.com 25
HELO example.com
MAIL FROM: <forged@gmail.com>
RCPT TO: <exists@example.com>
RCPT TO: <exists@gmail.com>
```

Check if domain users could be enumerated with `VRFY` and `EXPN`:

```
$ telnet mail.example.com 25
HELO example.com
VRFY exists@example.com
EXPN exists@example.com
```

Check if users could be enumerated with `RCPT TO`:

```
$ telnet mail.example.com 25
HELO example.com
MAIL FROM: <...>
RCPT TO: <exists@example.com>
DATA
From: <...>
To: <exists@example.com>
Subject: Job offer
Hello, I would like to offer you a great job!
.
QUIT
```

## RCPT

### smtp-enum

* <https://github.com/z0mbiehunt3r/smtp-enum>

```
$ ./main.py -d megacorp.com -s 10.10.13.37 -f accounts.txt -m rcptto -o valid.txt
```

### smtp-user-enum

* <https://github.com/pentestmonkey/smtp-user-enum>

```
$ smtp-user-enum -M RCPT -f '<root@megacorp.local>' -u '<j.doe@megacorp.com>' -t mx.megacorp.com
$ smtp-user-enum -M RCPT -D megacorp.com -U users.txt -t mx.megacorp.com
```

## SPF/DKIM/DMARC

* <https://postmarkapp.com/guides/spf>
* <https://www.mailigen.ru/blog/chto-takoe-spf-dkim-i-dmarc-i-pochemu-oni-obyazatelno-dolzhny-byt-propisany/>
* <https://github.com/BishopFox/spoofcheck>

## Tools

### swaks

* <https://github.com/jetmore/swaks>

```
$ swaks --to j.doe@megacorp.com --from snovvcrash@megacorp.com --header 'Subject: Hello, friend' --body 'Hack the Planet!' --server 192.168.1.11 --attach hello.doc
```