During an SMTP enumeration, a penetration tester connects to the mail server on port 25 and issues the commands 'VRFY root', 'EXPN admin', and 'RCPT TO:unknown@domain.com'. The server responds with '252' for VRFY, '250' for EXPN, and '550' for RCPT TO. What does this indicate?
VRFY 252 indicates existence but disabled, EXPN 250 indicates existence, RCPT TO 550 indicates non-existence.
Why this answer
VRFY returns 252 when the user exists but is disabled (or the match is ambiguous). EXPN returns 250 when the mailing list or alias exists. RCPT TO returns 550 when the mailbox does not exist. Taken together, these response codes allow valid users on the server to be enumerated.