One way of gathering information from a target is through the use of SMTP. This protocol is designed to send e-mail messages between mail servers, but enables an attacker to enumerate usernames and members of distribution lists.
One way to verify the existence of an e-mail account on an SMTP server is the VRFY command. The protocol provides VRFY to check whether a specific user exists on the mail server, but an attacker can also use it to locate valid accounts for later use. In some cases this command is disabled.
The RCPT TO command can also be useful in verifying whether a particular user exists on the target system.
Another built-in SMTP command that might prove useful to an attacker is EXPN. This command is similar to VRFY, but rather than returning one user, it can return (expand) all the users in a specific distribution list. Like VRFY, EXPN might also be disabled.

An SMTP relay service lets users send e-mail through external servers. Unfortunately, a mail server that allows open mail relay may let spammers send mail through it. Another downside is that open mail relay is used not only for spam but also for sending malware, phishing mails and the like.

Finding these issues is a big part of a penetration test. If an SMTP server was used for spamming, it will most likely end up blacklisted, and it is quite a hassle to get whitelisted again. As a result, legitimate messages from this server might land in the Unwanted Messages folder or, in the worst case, be rejected by the recipient altogether.
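
On the defensive side, both problems leave traces in the mail server's session log. The following is an added example, not part of the original article: it flags clients that issue many VRFY, EXPN or rejected RCPT TO commands, and clients for which a recipient outside the server's own domains was accepted. The log format, `LOCAL_DOMAINS`, `PROBE_THRESHOLD` and the sample lines are assumptions constructed for illustration, and the log is assumed to contain unauthenticated sessions only.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}   # assumption: domains this server accepts mail for
PROBE_THRESHOLD = 3               # assumption: probes per client before flagging

# Constructed log, hypothetical format: "<client-ip> <SMTP command> -> <reply code>"
SAMPLE_LOG = """\
203.0.113.7 VRFY root -> 252
203.0.113.7 VRFY admin -> 550
203.0.113.7 VRFY alice -> 250
203.0.113.7 EXPN staff -> 250
203.0.113.7 RCPT TO:<bob@example.com> -> 550
203.0.113.7 RCPT TO:<carol@example.com> -> 550
198.51.100.20 MAIL FROM:<news@example.org> -> 250
198.51.100.20 RCPT TO:<alice@example.com> -> 250
198.51.100.20 RCPT TO:<alcie@example.com> -> 550
192.0.2.55 MAIL FROM:<x@example.net> -> 250
192.0.2.55 RCPT TO:<victim@elsewhere.test> -> 250
"""

LINE = re.compile(r"^(\S+) (.+) -> (\d{3})$")
RCPT = re.compile(r"^RCPT TO:<[^@>]+@([^>]+)>", re.I)

def analyze(log_text):
    """Return (clients that look like enumerators, {client: relayed foreign domains})."""
    probes = defaultdict(int)      # client -> count of enumeration-style commands
    relayed = defaultdict(list)    # client -> non-local recipient domains accepted
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue               # skip lines that do not fit the assumed format
        client, command, code = m.groups()
        verb = command.split()[0].upper()
        rcpt = RCPT.match(command)
        if verb in ("VRFY", "EXPN"):
            probes[client] += 1    # any use counts; legitimate clients rarely send these
        elif rcpt and code.startswith("55"):
            probes[client] += 1    # rejected recipient: a failed address guess
        elif rcpt and code.startswith("2") and rcpt.group(1).lower() not in LOCAL_DOMAINS:
            relayed[client].append(rcpt.group(1).lower())  # open-relay symptom
    enumerators = sorted(c for c, n in probes.items() if n >= PROBE_THRESHOLD)
    return enumerators, dict(relayed)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

A single mistyped recipient, as from 198.51.100.20 in the sample, stays below the threshold and is not flagged.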