Signature Detail

SMTP: Banner Capture Scan Information Leak

This signature detects a connection to an SMTP server followed immediately by a "QUIT" or "BYE" command. Such connections are typically used to determine the hostname, operating system, mail server software, and mail server version of the target. Such information can be used later in more targeted attacks. This reconnaissance technique is known as a "Banner Capture" since it copies the initial server reply banner, which typically provides significant information on the server. This attack object cannot be used to block such scans, however, as the server responds with the sensitive information before the scanner sends the QUIT command. To mitigate additional attacks from this scanner, it is recommended that IP Action feature is used to block the source IP.

References

• URL: http://nmap.org/book/vscan.html