During a black-box penetration test, an attacker runs the following command:nmap -p25 --script smtp-enum-users --script-args...

The CEH Enumeration module explains that SMTP supports commands such as VRFY, EXPN, and RCPT TO, which can be abused to enumerate valid email users if not properly restricted.

In this scenario, the smtp-enum-users Nmap script successfully uses EXPN and RCPT, indicating that the server responds differently to valid and invalid usernames.

Option C is correct because unrestricted SMTP user verification allows attackers to harvest usernames for further attacks such as phishing or brute force.

Option A involves authentication, not enumeration.

Option B affects confidentiality, not user discovery.

Option D is unrelated to SMTP enumeration.

CEH strongly recommends disabling or restricting these SMTP commands.