What are these messages about rejected EXPN and VRFY attempts?
The “expand” and “verify commands will expand mailing lists or verify user names (respectively). If you do the command “VRFY root”, you might be able to find out the postmaster’s e-mail address. This is good reconnaissance technique. By doing a “VRFY decode” or “VRFY uudecode”, you might be able to find out some security holes in the system related to these subsystems. Other commonly scanned user names are “bbs”, “lp”, “demo”, “guest”, and “debug”. Some systems have buffer overflows in this command, either in the command itself or in the logging system behind the command. You might see entries for very long strings like “xxxxxxxxxxxxxxxxxxxxxxxx”. If you see a bunch of these in a row, you are probably being scanned by a vulnerability scanner (ISS/CyberCop/Nessus). They will generate a bunch of other junk in your logs as well.
Related Questions
- I keep seeing: Sep 11 06:18:26 pluto.example.com sendmail[2665]: NOQUEUE: pluto.example.com [10.0.0.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA in my sendmail log. What is this?
- What are these messages about rejected EXPN and VRFY attempts?
- How do I delete all messages in RoundCube Webmail client?
