SMTP servers and DNS

Have you ever noticed that when you send a HELO <hostname> command to an SMTP server and type random characters for the host name, it takes quite some time for the server to respond? The reason is that some mail servers actually perform a DNS lookup of the name you specified before replying, so the response time reveals whether the name resolves. It gets even better: I've found mail servers that also do this for internal host names, which turns the server into an oracle for names on its internal DNS...

So, I decided to make a little host-name scanner:

from socket import socket, AF_INET, SOCK_STREAM, timeout

def checkhost(hostname, sck):
   # Drain whatever the server sent last (the rest of the banner, or the
   # reply to the previous RSET) before issuing the next HELO.
   try:
      sck.recv(1024)
      cmd_helo = 'helo ' + hostname + '\r\n'
      cmd_rset = 'rset\r\n'
      sck.settimeout(1)
      sck.send(cmd_helo.encode('utf-8'))
      # A name the server can resolve is answered quickly; an unresolvable
      # one stalls on the DNS lookup and trips the 1 second timeout.
      data = sck.recv(1024)
      if data:
         print(hostname)
      sck.send(cmd_rset.encode('utf-8'))
   except timeout:
      return 0

#end def

s = socket(AF_INET, SOCK_STREAM)
s.connect(("name of mailserver here", 25))
s.settimeout(5)
# Read a single byte of the banner; checkhost drains the rest on its first call.
data = s.recv(1)

#scan (raw string so the backslashes in the Windows path are kept literally)
hosts = open(r'D:\Own_development\Python\SIDScan.lst').read()
# str.replace returns a new string, so the result has to be assigned back.
hosts = hosts.replace('\r', '\n')
hosts = hosts.replace('\n\n', '\n')
for lohost in hosts.split('\n'):
   if lohost:
      checkhost(lohost, s)

#end for
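To check whether a mail server you operate behaves this way, the following added example (not the post's scanner) times HELO with the standard smtplib for a name the server can resolve against a name under the reserved .invalid top-level domain (RFC 6761), which can never resolve. The probe name, the thresholds and the sample count are assumptions.

```python
import smtplib
import sys
import time

# Assumed probe name: the .invalid TLD is reserved and never resolves.
UNRESOLVABLE = "probe-does-not-exist.invalid"

def time_helo(smtp, hostname):
    """Send HELO <hostname> and return (seconds elapsed, reply code)."""
    start = time.monotonic()
    code, _msg = smtp.helo(hostname)
    elapsed = time.monotonic() - start
    smtp.rset()  # reset the session so the next probe starts clean
    return elapsed, code

def timing_gap(fast_s, slow_s, min_ratio=3.0, min_delta_s=0.5):
    """True when the unresolvable probe is slower by both an absolute margin
    and a ratio (assumed thresholds), i.e. a DNS lookup is the likely cause."""
    return slow_s - fast_s >= min_delta_s and slow_s >= fast_s * min_ratio

def helo_does_dns_lookup(smtp, resolvable_name, samples=3):
    """Compare HELO latency for a resolvable name against the reserved one.
    The minimum over several samples discounts one-off network jitter."""
    fast = min(time_helo(smtp, resolvable_name)[0] for _ in range(samples))
    slow = min(time_helo(smtp, UNRESOLVABLE)[0] for _ in range(samples))
    return timing_gap(fast, slow), fast, slow

if __name__ == "__main__":
    # Usage: python helo_check.py <your mail server>
    host = sys.argv[1]
    with smtplib.SMTP(host, 25, timeout=30) as smtp:
        leaks, fast, slow = helo_does_dns_lookup(smtp, host)
        print(f"resolvable: {fast:.3f}s  unresolvable: {slow:.3f}s")
        print("HELO latency depends on DNS resolution" if leaks
              else "no significant HELO timing difference")
```

A server that shows the gap is resolving HELO arguments synchronously; if it must do so, the fix is to keep the lookup from being observable from the client side, for example by not resolving before replying.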
