Email Pentesting

Email Pentesting

Welcome back guys to another blog in the pentesting series. Today we will explore about email pentesting and various ways to perform a VAPT on them. We will also discuss about various associated protocols and tools involved and at the end give you a checklist to follow while performing a test on email.

How email works:

As we all know emails are mails sent electronically over the internet and different protocols handle sending, fetching and internal sending of email pentesting and every component of email system is vulnerable to some sort of an attack.

Almost everyone in this digital age has atleast 1 email address and its tightly integrated into our lives, we need to have email address to use a smartphone/PC. Email accounts hold a treasure for attacker like confidential/personal data, financial info, identity proofs, credentials, and what not. So, hacking into one is a dream for any attacker.

Common email protocols (all Application layer):

Port Service Details
25/tcp SMTP Simple mail transfer protocol is an email transmission standard for outgoing emails from ones device.
587/tcp ESMTP Extended/Enhanced SMTP is used for inter-server mail transfer or mail submission protocol. It’s a secure one.
465/tcp SSMTP Deprecated and out-of-date used only for legacy purposes. It was used only for sending emails from local devices to mail servers.
109/tcp POP2 Post Office Protocol v2. It relies on smtp to receive mails from remote mailbox server.
110/tcp POP3 Newer and currently used version. It doesn’t require SMTP to receive mails from server to a local email client.
995/tcp POP3S Just POP3 but secure transmission using SSL or TLS.
143/tcp IMAP2 Internet message access protocol allows email clients to access emails stored on mail server.
993/tcp IMAPS IMAP over SSL/TLS

Email Pentest Steps:

Here is a list of to-do things during email pentesting, so stay calm and keep reading.

1. SMTP, POP3, IMAP fingerprinting

Fingerprinting is the 1st step in any testing, so is the case here. Try to gather details like type, port, available options and try simple buffer over exploit.

Use tools like telnet, netcat, nmap, smtpmap, smtpscan for above purposes.

2. Directory harvest attack (DHA)

Its used to find valid email addresses of provided domain, provided they follow some pattern for email addresses using brute force guessing.

This attack uses following 2 methods:

a. using alphanumeric combinations of email address appending with company’s domain.

b. Using combinations of names, initials and last names.

3. Enumerate enabled smtp subsystems and features

Extended HELO (EHLO) is an ESMTP command sent by an email server to identify itself when connecting to another email server to start the process of sending an email. It can target exploitable subsystems and features.

4. Brute-force/crack SMTP, POP3, IMAP password

Tools such as brutus, medusa, thc-hydra can accomplish above mission.

Other methods include phishing, social engineering, hints in “forgot password”.

5. Perform NTLM overflow attack through smtp authentication

6. Test for SMTP open relay

One can perform this using tools like NetScanTools pro and SMTP test tool.

7. Do SMTP, POP3 user enumeration

8. See if you can find any CVEs against a service and try exploiting it

9. Check to see if Anti-phishing, anti-spamming protection are present

Send a mail having link to malicious site and check how server handles it and views to recipient.

Sites like netcraft, phishTank, virustotal are useful including anti-malware softwares.

To check for anti-spamming, see if common spam mails are detected, how effective are its filters. You can easily send mails in bulk/spoofed to test this.

10. Check CLSID extension vulnerability and also do email bombing

Class id (CLSID) is a unique id for app or app components. Try sending mails using clsid file extension instead of standard extension. At receiver, if extension can be run then it has bypassed filtering and email is vulnerable to CLSID extension vulnerability.

Send mails in bulk, check if they’re marked differently or blocked

11. Check common vulnerabilities:

vbs attachment: These scripts can run arbitrary code in windows if mail isn’t configured properly.

double file extension: Eg. Notes.txt.vbs , if this is executed as vbs than it’s a vulnerability.

long file name: Usually attachments with long name (>250 chars) bypass filtering, so test this.

malformed file extension: send an exe file with .exxe and notice how server reacts.

message fragmentation: Fragment your mail is smaller pieces and at receiver, check if they’re merged into one with attachment bypassing filtering.

long subject attachment check:  have a very long subject line and give same name to your attachment, mostly it will slip through mail server defences.

no file attachment: Send an attachment with no name or extension and if its executed at receiver than it’s an issue.

Email security Recommendation:

  • Setup anti-malware programs on endpoints and use anti-spam, anti-phishing services.
  • Have strong passwords with MFA turned ON and proper patch management in place.
  • Train employees to detect and report social engineering and phishing attacks.
  • Create a blacklist of words, Ips, domains commonly associated with spam.
  • Have dedicated softwares to handle email attachments and policies to be followed by employees.
  • Implement and configure IDS/IPS to log, report and stop an attack.
  • Periodically perform audit, VAPT of your organization.


In this article, we learnt about email pentesting security and some good practices to follow including email pentesting basics. Hope you liked it and found it useful, keep following our blogs to read more about such amazing topics.


Vishal Thakur

Network Security Analyst Intern

Table of Contents

Social Media