SMTP: Banner Capture Scan Information Leak

This signature detects a connection to an SMTP server followed immediately by a "QUIT" or "BYE" command. Such connections are typically used to determine the hostname, operating system, mail server software, and mail server version of the target. Such information can be used later in more targeted attacks. This reconnaissance technique is known as a "Banner Capture" since it copies the initial server reply banner, which typically provides significant information on the server. This attack object cannot be used to block such scans, however, as the server responds with the sensitive information before the scanner sends the QUIT command. To mitigate additional attacks from this scanner, it is recommended that IP Action feature is used to block the source IP.

Short Name
SMTP:BANNER-CAPTURE
Severity
Warning
Recommended
False
Recommended Action
None
Category
SMTP
Keywords
Banner Capture Information Leak Scan
Release Date
08/07/2008
Supported Platforms

srx-branch-12.3

srx-19.3

srx-branch-19.3

vsrx3bsd-19.2

srx-branch-19.4

vsrx-19.4

mx-12.3

mx-19.4

vmx-19.4

mx-19.3

vsrx3bsd-19.4

srx-19.4

vsrx-12.3

vmx-19.3

vsrx-19.2

srx-12.3

Sigpack Version
3324
False Positive
Unknown

Found a potential security threat?