[Owasp-delhi] MAIL SERVER TESTING

Soi, Dhruv dhruv.soi at torridnetworks.com
Wed Dec 16 07:03:55 EST 2009


Open relay is when the server allows sending emails to external domains using
any email address. Mail spoofing is when you send emails as abc at domain.com
to abc at domain.com or xyz at domain.com (target). But when you try sending to
abc at yahoo.com (external) it would say "Relay Access Denied", which means open
relay is blocked but "logged in" status is not being checked. You may refer
to the "POP before SMTP" mitigation, and there are other techniques as well.

 

Many Thanks,

Dhruv
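
The distinction drawn in the message above, as an added example that is not part of the original thread: a small classifier that reads a recorded SMTP session and reports whether the server relayed to an external domain or accepted a local sender address without authentication. The `C: `/`S: ` transcript format, the function names and the sample sessions are constructed for illustration.

```python
import re

ADDR = re.compile(r"<([^>]*)>")

def _domain(command):
    """Domain part of the address in a MAIL FROM / RCPT TO command."""
    m = ADDR.search(command)
    return m.group(1).rpartition("@")[2].lower() if m else ""

def classify(transcript, local_domains):
    """Return findings for one recorded SMTP session ('C: '/'S: ' prefixed lines)."""
    authed, pending, sender_dom, findings = False, None, "", set()
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C":
            pending = text              # command awaiting the server's reply
            continue
        code = text[:3]
        if code == "235":               # 235 = authentication succeeded
            authed = True
        elif pending and code.startswith("2"):
            verb = pending.upper()
            if verb.startswith("MAIL FROM"):
                sender_dom = _domain(pending)
            elif verb.startswith("RCPT TO") and not authed:
                if _domain(pending) not in local_domains:
                    findings.add("open-relay")                    # external rcpt accepted
                elif sender_dom in local_domains:
                    findings.add("unauthenticated-local-sender")  # login not checked
        pending = None                  # extra reply lines (250-...) are ignored
    return findings

# Constructed sessions; domain.com is the hosted domain, as in the message above.
SPOOF_ONLY = """
S: 220 mail.domain.com ESMTP
C: HELO client.example
S: 250 mail.domain.com
C: MAIL FROM:<abc@domain.com>
S: 250 Ok
C: RCPT TO:<xyz@domain.com>
S: 250 Ok
C: RCPT TO:<abc@yahoo.com>
S: 554 Relay access denied
"""
OPEN_RELAY = "C: MAIL FROM:<abc@domain.com>\nS: 250 Ok\nC: RCPT TO:<abc@yahoo.com>\nS: 250 Ok\n"
AUTHENTICATED = "C: AUTH PLAIN (credentials omitted)\nS: 235 Ok\n" + OPEN_RELAY
```

Ordinary inbound mail (external sender, local recipient, no login) produces no finding, since accepting it is the normal job of the server.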

 

From: Suryavanshi, Rajesh [mailto:rajesh_suryavanshi at uhc.com] 
Sent: Wednesday, December 16, 2009 5:03 PM
To: dhruv.soi at torridnetworks.com
Cc: owasp-delhi at lists.owasp.org; Parmendra Sharma
Subject: RE: [Owasp-delhi] MAIL SERVER TESTING

 

Hi All,

I need to have one clarification here regarding open relay and mail spoofing:
is it possible to perform mail spoofing if open relay is blocked on a mail
server?

 

 

 

Rgds.

 

Raj

 

  _____  

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma
Sent: Wednesday, December 16, 2009 4:45 PM
To: dhruv.soi at torridnetworks.com
Cc: owasp-delhi at lists.owasp.org
Subject: Re: [Owasp-delhi] MAIL SERVER TESTING

Hi,

 

Thanks for the comments.

 

But what I was asking is: is there any specific "methodology/Guideline/How to"
to test such issues?

On Wed, Dec 16, 2009 at 4:35 PM, Soi, Dhruv <dhruv.soi at torridnetworks.com>
wrote:

Apart from the standard assessment of the mail server to check for vulnerabilities
in the SMTP/POP3/IMAP/OS software, there are a few mail-server-specific tests
like open relay, mail spoofing, usage of plain text protocols, user
harvesting VRFY (SMTP command), Brute Force Prevention to POP3/SMTP/webmail,
Malware Evasion, SPAM Tests, Information Leakage in bounced messages,
webmail security, password policies etc.

 

Hope Helpful.

 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Parmendra Sharma
Sent: Wednesday, December 16, 2009 4:24 PM
To: owasp-delhi at lists.owasp.org
Subject: [Owasp-delhi] MAIL SERVER TESTING

 

Hello All,

 

Can anyone share details (how to perform VAPT, any guideline, any
methodology) regarding the vulnerability assessment and pen test process
for a MAIL SERVER?

-- 
Thanks and Regards:

Parmendra Sharma
Computer Security Analyst




-- 
Thanks and Regards:

Parmendra Sharma
Computer Security Analyst

 