E-mail servers can give a lot of data for hackers and penetration testers. For e-mail to function properly, external traffic must move through your border devices like routers and firewalls, to an internal device, typically somewhere inside your protected networks.
As a result of this, we can usually collect important pieces of data by interacting directly with the e-mail server. One of the first things to do when trying to recon an e-mail server is to send an e-mail to the company with an empty .bat file or an any.exe file like calc.exe. In this example, the idea is to send a message to the target e-mail server inside the company in the hope of having the e-mail server inspect, and then reject the message.
Once the refused message is returned back to us, we can try to extract data from the targeted e-mail server. In many situations, the body of the message will include some info saying that the server does not accept e-mails with probably dangerous extensions. This message usually indicates the particular vendor and version of antivirus that was used to scan the e-mail. As an attacker or a pen tester, this is a big piece of information to obtain.