12.08.2019
Send Malware Mail Test

The idea of creating these malware “packages” of mixed samples in a recipe of percentage ratios is to reflect real world scenarios. It allows us to easily create and provide different packages that relate to different people and different tests.

Microsoft security researchers analyze suspicious files to determine if they are threats, unwanted applications, or normal files. Submit files you think are malware or files that you believe have been incorrectly classified as malware. For more information, read the submission guidelines.

Microsoft Defender Response Portal

This portal is for internal use by Microsoft employees to report detection concerns to Microsoft Defender Research

Submit a file internally

Submit files so our analysts can check them for malicious characteristics. Provide the specific files that need to be analyzed and as much background information as possible.

Escalate to WD Response

WD Response serves as the primary contact point to our malware analysts. Submit your files through regular channels before contacting WD Response for special requests or submission follow-ups.

Attack Surface Reduction

Report issues with undetected suspicious activities or activities that have been incorrectly detected (false positives).

Network Protection

Report issues with the detection and blocking of URLs and IP addresses.

View your submissions

Track the results of your submissions. You can view detailed detection information of all the files you have submitted as well as the determination provided by our analysts.

Search file hash

Enter a file hash Sha1, Sha256 or Md5 format to view the file details including scan results.

Some hacks exploit weaknesses in the Simple Mail Transfer Protocol (SMTP). This e-mail communication protocol was designed for functionality, not security. So, ensuring that you have some level of security will help protect your information.

Account enumeration

A clever way that attackers can verify whether e-mail accounts exist on a server is simply to telnet to the server on port 25 and run the VRFY command. The VRFY command makes a server check whether a specific user ID exists. Spammers often automate this method to perform a directory harvest attack, which is a way of gleaning valid e-mail addresses from a server or domain for hackers to use.

Attacks using account enumeration

Scripting this attack can test thousands of e-mail address combinations.

The SMTP command EXPN might allow attackers to verify what mailing lists exist on a server. You can simply telnet to your e-mail server on port 25 and try EXPN on your system.

Another way to somewhat automate the process is to use the EmailVerify program in TamoSoft’s Essential NetTools.

Yet another way to capture valid e-mail addresses is to use theHarvester to glean addresses via Google and other search engines. You can download BackTrack Linux to burn the ISO image to CD or boot the image directly through VMware or VirtualBox. In the BackTrack GUI, simply choose Backtrack→Information Gathering→SMTP→Goog Mail Enum and enter ./goog-mail.py -d <your_domain_name> -l 500 -b google.

Countermeasures against account enumeration

If you’re running Exchange, account enumeration won’t be an issue. If you’re not running Exchange, the best solution for preventing this type of e-mail account enumeration depends on whether you need to enable the VRFY and EXPN commands:

  • Disable VRFY and EXPN unless you need your remote systems to gather user and mailing list information from your server.

  • If you need VRFY and EXPN functionality, check your e-mail server or e-mail firewall documentation for the ability to limit these commands to specific hosts on your network or the Internet.

Ensure that company e-mail addresses are not posted on the web.
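One way to confirm the VRFY and EXPN countermeasure on a server you administer, as an added example that is not part of the original text: two VRFY probes (a known mailbox and a made-up name) and one EXPN probe, judged by reply code. The function names, the StubServer class and its replies are constructed for illustration; audit_host runs the same check through Python's smtplib.

```python
import smtplib

def classify(code):
    """Map a VRFY/EXPN reply code to an audit verdict."""
    if code in (500, 502):
        return "disabled"        # command unrecognized or not implemented
    if code == 252:
        return "non-committal"   # server neither confirms nor denies
    if code in (250, 251, 550, 551, 553):
        return "discloses"       # answer depends on whether the name exists
    return "other"

def audit_enumeration(smtp, known_user, bogus_user, list_name):
    """Probe VRFY twice and EXPN once; report whether the replies leak."""
    good, _ = smtp.docmd("VRFY", known_user)
    bad, _ = smtp.docmd("VRFY", bogus_user)
    expn, _ = smtp.docmd("EXPN", list_name)
    return {
        "vrfy": classify(good),
        # A different answer for a real and a made-up user is the leak itself.
        "vrfy_distinguishes_users": good != bad,
        "expn": classify(expn),
    }

def audit_host(host, known_user, bogus_user, list_name, port=25):
    """Run the audit against a mail server you are responsible for."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return audit_enumeration(smtp, known_user, bogus_user, list_name)

class StubServer:
    """Constructed stand-in for smtplib.SMTP so the example runs offline."""
    def __init__(self, replies, default):
        self.replies = replies   # {(command, argument): reply code}
        self.default = default

    def docmd(self, cmd, args=""):
        return self.replies.get((cmd, args), self.default), b""

# Constructed behaviours: one server answers VRFY/EXPN, one has them disabled.
LEAKY = StubServer({("VRFY", "alice"): 250, ("EXPN", "staff"): 250}, 550)
HARDENED = StubServer({}, 502)
```

A server that passes reports "disabled" or "non-committal" for both commands and does not distinguish the two VRFY probes.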

Relay

SMTP relay lets users send e-mails through external servers. Open e-mail relays aren’t the problem they used to be, but you still need to check for them. Spammers and hackers can use an e-mail server to send spam or malware through e-mail under the guise of the unsuspecting open-relay owner.

Automatic testing

Here are a couple of easy ways to test your server for SMTP relay:

  • Free online tools: www.abuse.net/relay.html

  • Windows-based tools: NetScanTools Pro

In NetScanTools Pro, you simply enter values for SMTP Mail Server Name and Your Sending Domain Name. Inside Test Message Settings, enter the Recipient Email Address and Sender’s Email Address.

When the test is complete, simply click View Relay Test Results.

Manual testing

You can manually test your server for SMTP relay by telnetting to the e-mail server on port 25. Follow these steps:

  1. Telnet to your server on port 25.

    You can do this in two ways:

    • Use your favorite graphical telnet application, such as HyperTerminal or SecureCRT.

    • Enter the following command at a Windows or UNIX command prompt:

    You should see the SMTP welcome banner when the connection is made.

  2. Enter a command to tell the server, “Hi, I’m connecting from this domain.”

  3. Enter a command to tell the server your e-mail address.

  4. Enter a command to tell the server who to send the e-mail to.

  5. Enter a command to tell the server that the message body is to follow.

  6. Enter the following text as the body of the message:

  7. End the command with a period on a line by itself.

    The final period marks the end of the message. After you enter this final period, your message will be sent if relaying is allowed.

  8. Check for relaying on your server:

    • Look for a message similar to Relay not allowed coming back from the server.
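The same dialogue as the manual steps above, scripted with Python's smtplib as an added example that is not part of the original text. The message body, the addresses and the StubServer replies are constructed; use sender and recipient addresses in domains the server does not host, and run it only against a server you administer.

```python
import smtplib

def relay_test(smtp, helo_domain, sender, outside_rcpt):
    """Walk the HELO / MAIL FROM / RCPT TO / DATA dialogue and report the result.

    An accepted message between two addresses the server does not host
    means the server relays for anyone.
    """
    smtp.helo(helo_domain)                    # step 2
    smtp.mail(sender)                         # step 3
    code, reply = smtp.rcpt(outside_rcpt)     # step 4
    stage = "RCPT TO"
    if code in (250, 251):
        stage = "DATA"
        try:
            # Steps 5-7: smtplib sends DATA, the body and the closing "." line.
            code, reply = smtp.data("Subject: relay test\r\n\r\nRelay test.\r\n")
        except smtplib.SMTPDataError as exc:
            code, reply = exc.smtp_code, exc.smtp_error
    else:
        smtp.rset()                           # refused: reset the transaction
    return {"relay_allowed": stage == "DATA" and code == 250,
            "stage": stage, "code": code,
            "reply": reply.decode(errors="replace")}   # step 8: read the reply

def relay_test_host(host, helo_domain, sender, outside_rcpt, port=25):
    """Run the test against a mail server you are responsible for."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        return relay_test(smtp, helo_domain, sender, outside_rcpt)

class StubServer:
    """Constructed stand-in for smtplib.SMTP; rcpt_reply decides the outcome."""
    def __init__(self, rcpt_reply):
        self.rcpt_reply = rcpt_reply

    def helo(self, name): return (250, b"mail.example.test")
    def mail(self, sender): return (250, b"OK")
    def rcpt(self, recipient): return self.rcpt_reply
    def data(self, msg): return (250, b"Queued")
    def rset(self): return (250, b"OK")

# Constructed replies: an open relay and a server that refuses at RCPT TO.
OPEN_RELAY = StubServer((250, b"OK"))
CLOSED = StubServer((550, b"5.7.1 Relay not allowed"))
```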

Countermeasures against SMTP relay attacks

You can implement the following countermeasures on your e-mail server to disable or at least control SMTP relaying:

  • Disable SMTP relay on your e-mail server. If you don’t know whether you need SMTP relay, you probably don’t. You can enable SMTP relay for specific hosts on the server or within your firewall configuration.

  • Enforce authentication if your e-mail server allows it. You might be able to require password authentication on an e-mail address that matches the e-mail server’s domain. Check your e-mail server and client documentation for details on setting this up.

E-mail header disclosures

If your e-mail client and server are configured with typical defaults, a hacker might find critical pieces of information:

  • Internal IP address of your e-mail client machine

  • Software versions of your client and e-mail server along with their vulnerabilities

  • Hostnames that can divulge your network naming conventions

Countermeasures against header disclosures

The best countermeasure to prevent information disclosures in e-mail headers is to configure your e-mail server or e-mail firewall to rewrite your headers, by either changing the information shown or removing it. Check your e-mail server or firewall documentation to see whether this is an option.

If header rewriting is not available, you still might prevent the sending of some critical information, such as server software version numbers and internal IP addresses.
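To check what your outbound mail actually reveals, the following added example (not from the original text) scans a message's headers for the three disclosures listed above: internal IP addresses, software versions and internal hostnames. The sample message, its host names and its product names are constructed; the regular expressions are a simple heuristic, not a full Received-header parser.

```python
import ipaddress
import re
from email import message_from_string

# Explicit RFC 1918 ranges; is_private would also match documentation ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_HOST_RE = re.compile(r"from\s+(\S+)")
VERSION_RE = re.compile(r"\(([A-Za-z][\w .-]*?\d+\.\d+[\w.]*)\)")
CLIENT_HEADERS = ("X-Mailer", "User-Agent")

# Constructed sample of a message as it leaves the organization's server.
SAMPLE = (
    "Received: from WS-FIN-0231.corp.example.test (unknown [10.20.30.41])\n"
    "\tby mail.example.test (ExampleMTA 4.2.1) with ESMTP id ABC123;\n"
    "\tMon, 12 Aug 2019 09:15:02 +0000\n"
    "X-Mailer: ExampleMail 11.0.3\n"
    "From: alice@example.test\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

def is_internal(text):
    """True if text is an IPv4 address inside an RFC 1918 range."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)

def audit_headers(raw_message):
    """Return (kind, value) findings for each disclosure found in the headers."""
    msg = message_from_string(raw_message)
    findings = []
    for received in msg.get_all("Received", []):
        internal = [ip for ip in IP_RE.findall(received) if is_internal(ip)]
        findings += [("internal_ip", ip) for ip in internal]
        host = FROM_HOST_RE.search(received)
        if internal and host:
            findings.append(("internal_hostname", host.group(1)))
        findings += [("server_software", v) for v in VERSION_RE.findall(received)]
    for name in CLIENT_HEADERS:
        findings += [("client_software", v) for v in msg.get_all(name, [])]
    return findings
```

Run it on a message captured after your server or e-mail firewall has processed it; an empty result means the header rewriting removed everything this check looks for.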

Malware

E-mail systems are regularly attacked by such malware as viruses and worms. Verify that your antivirus software is actually working.

EICAR offers a safe option for checking the effectiveness of your antivirus software.

EICAR is a European-based malware think tank that has worked in conjunction with anti-malware vendors to provide this basic system test. The EICAR test string transmits in the body of an e-mail or as a file attachment so that you can see how your server and workstations respond. You basically access this file on your computer to see whether your antivirus software detects it:
