I have a situation where a 2008 server with IIS7 has been application-level compromised and is sending spam from port 25. We have run a virus scan and removed the infected files, yet the spam is still being sent.
We know the spam is coming from a local file, as the firewall has port 25 blocked inbound and the SMTP log is showing all requests appearing from the local server. We have run a LogParser scan of the sites (of which there are many) for any POST data to files on the server, but the results all look genuine. The PID sending the data on port 25 is simply inetinfo.exe, so this isn't much use either.
I would like to identify what file is sending this e-mail; can anyone think of a way to do this?
Have you shut down the SMTP server under properties for local outbound? Meaning 127. etc.? Also, have you looked in the queue folder under inetpub to see if the offending message is in there? In some cases a file can change the remote server on SMTP in IIS to send via a proxy or some other service, so it would ignore your scans.
In addition, not all mail has to use port 25 to send emails. It can hit any port if the creator tells it to.
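Added example (not code from the question or the answer): it summarizes the .eml files sitting in the IIS SMTP mailroot folders the answer points at and correlates each message's Date header with IIS W3C request logs, so the script or URL that was hit right before each message was queued stands out. The mailroot path, the log field names and all sample data are assumptions or constructed.

```python
# Added example, not from the question or its answers: summarize the .eml files in the
# IIS SMTP mailroot and correlate their Date headers with IIS W3C request logs.
from collections import Counter
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy, utils
from pathlib import Path

def summarize_eml(raw: bytes) -> dict:
    """Headers that hint at which component generated a queued message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {"from": msg["From"], "subject": msg["Subject"], "mailer": msg["X-Mailer"],
            "date": utils.parsedate_to_datetime(msg["Date"]) if msg["Date"] else None}

def parse_w3c(text: str) -> list:
    """Parse IIS W3C log text into dicts keyed by the names in the #Fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def correlate(messages: list, rows: list, window_s: int = 5) -> Counter:
    """Count request URLs logged within window_s seconds of each message Date.
    IIS W3C logs are written in UTC; the Date header carries its own offset."""
    hits = Counter()
    for m in (m for m in messages if m["date"] is not None):
        for r in rows:
            t = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            if abs(t.replace(tzinfo=timezone.utc) - m["date"]) <= timedelta(seconds=window_s):
                hits[r["cs-uri-stem"]] += 1
    return hits

def triage_mailroot(root=Path(r"C:\inetpub\mailroot")) -> list:  # assumed default path
    """Summarize every .eml sitting in the Queue, Pickup and Badmail folders."""
    return [summarize_eml(p.read_bytes())
            for sub in ("Queue", "Pickup", "Badmail") for p in (root / sub).glob("*.eml")]

# Constructed sample data so the functions can be exercised offline.
SAMPLE_EMLS = [
    b"From: promo@example.net\r\nTo: a@example.org\r\nSubject: buy now\r\n"
    b"Date: Mon, 10 Jan 2011 19:34:56 +0000\r\nX-Mailer: ExampleMailer 1.0\r\n\r\nspam\r\n",
    b"From: promo@example.net\r\nTo: b@example.org\r\nSubject: buy now\r\n"
    b"Date: Mon, 10 Jan 2011 19:35:31 +0000\r\n\r\nspam\r\n",
]
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem c-ip sc-status
2011-01-10 19:34:55 POST /old/sendmail.aspx 203.0.113.5 200
2011-01-10 19:34:56 GET /index.aspx 198.51.100.7 200
2011-01-10 19:35:30 POST /old/sendmail.aspx 203.0.113.5 200"""
```

On the real server, `correlate(triage_mailroot(), parse_w3c(log_text))` with the site's W3C log text gives the URL most often requested just before a spam message was queued, which is the file to inspect first.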
I have a .NET service hosted on IIS. The service was accessible from IP:Port/Service.asmx until recently, when I couldn't access it from the IP or system name any more but only from Localhost:port/Service.asmx. I have pinged the server and it is replying. I have also confirmed that the local IP is listening on port 80. Really, I don't know what is wrong; I have been on this for so long.
That's a hard one. Things I'd try:
Rebooting system.
Set a breakpoint at the earliest part of the request pipeline to verify whether the request is making it into your .NET code.
Make a browser request via IP for a static file like an image. Is that served? That lets you see if the server will respond for a request that likely isn't going through ASP.NET.
I have configured Postfix over SSL and Dovecot over SSL, and it works fine if I send via the local relay; it delivers to mailboxes within my domain, whose MX record points to my mail server.
mysysopmnds.com MX 10 mail.mysysopminds.com
However, if I send an email to another domain, it bounces, and one of the errors in the log is as below:
Jan 10 19:34:56 mail postfix/smtp[5334]: 37FADC28BB: to=, relay=none, delay=34, delays=34/0/0.01/0, dsn=5.4.6, status=bounced (mail for murugeshdomain.com loops back to myself)
What are the key configuration items that I should check or take care of to send email to other domains, or any domain?
TIA
hariharan
There is a good chance your internet service provider (ISP) is blocking port 25 for outgoing email. I can tell you, mine is. This is also when I got the bounce message.
You can confirm this problem by typing:
telnet aspmx.l.google.com 25
If it does not generate "Connected to aspmx.l.google.com" but a timeout after half a minute or so, then your ISP is blocking your outgoing traffic on port 25.
If this is the case, you can solve it by redirecting your outgoing mail through, for example, a Google mail account. You could use this link as a guide to set up the redirection.
It looks like this domain (murugeshdomain.com) has no MX record. For sending mail to another domain, just check whether that domain has an MX record. To check whether that domain has an MX record: dig MX domainname (in the case of the Linux command).
My application needs to send out emails to its users, but somehow I can't make it work. I have installed the SMTP server, and in IIS I have set SMTP to use localhost, with port 25, without authentication. But when I try to send email, I am always getting the error:
No connection could be made because the target machine actively refused it 127.0.0.1:25
When I choose the option to store email in a directory, it works fine, so the problem isn't in my app. Why does this happen? The only thing I am thinking about is whether I need to have port 25 opened or not.
This would happen if you don't have an SMTP server listening on port 25.
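The two checks suggested above, the `dig MX` lookup and the telnet-to-port-25 test, and the "actively refused" error from the last question all come down to the same questions: does the destination have MX records, and does a TCP connection to port 25 get accepted, refused (nothing listening) or silently dropped (a firewall or ISP block)? This added example, not code from any of the posts, answers them in Python; it assumes `dig` is installed, and the sample dig output is constructed.

```python
# Added example, not from the answers above: implement the two checks they suggest,
# whether the destination domain has MX records (via dig, assumed to be installed)
# and whether a TCP connection to port 25 is accepted, refused or silently dropped.
import socket
import subprocess

def parse_dig_mx(output: str) -> list:
    """Turn `dig +short MX domain` output into a priority-sorted [(prio, host), ...]."""
    records = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".")))
    return sorted(records)

def lookup_mx(domain: str) -> list:
    """Query the MX set; an empty list means delivery falls back to the A record."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, timeout=15)
    return parse_dig_mx(out.stdout)

def probe_smtp(host: str, port: int = 25, timeout: float = 30.0) -> tuple:
    """Return ("open", banner) when the connection succeeds, ("refused", "") when
    nothing listens there (the 'actively refused' error above) and ("timeout", "")
    when the SYN is dropped, which is what a hanging telnet to port 25 looks like."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(512).decode("ascii", "replace").strip()
            except (TimeoutError, socket.timeout):
                banner = ""          # listener accepted us but sent no greeting
            return "open", banner
    except ConnectionRefusedError:
        return "refused", ""
    except (TimeoutError, socket.timeout):
        return "timeout", ""
    except OSError as exc:               # DNS failure, unreachable network, ...
        return "error", str(exc)

def diagnose(domain: str) -> list:
    """One result per MX host, or the bare domain when it has no MX record."""
    targets = lookup_mx(domain) or [(0, domain)]
    return [f"{prio:>3} {host}: {probe_smtp(host)[0]}" for prio, host in targets]

# Constructed dig output for an offline check of the parser.
SAMPLE_DIG = "10 mail.example.org.\n20 backup.example.org.\n"
```

`diagnose("example.org")` run from the mail server shows "timeout" on every MX host when the ISP drops outbound port 25, while `probe_smtp("127.0.0.1")` returning "refused" is the local case from the last question.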
I have a section of code that sends email via an SMTP server.
The code runs in a web service, and the SMTP server value is picked up from web.config. The code hosted on server1 works (sends/receives emails), whereas the same code hosted on server2 doesn't send/receive email.
Can you tell me your thoughts?
Thanks
This really belongs on ServerFault.com, and there isn't enough information to give you a definitive answer, but I can give you my thoughts on it (as asked).
Most likely, if the SMTP server is a different server than the one your app is hosted on, then probably there is some configuration that needs to be done on the SMTP server. Usually, the SMTP server needs to grant pass-through permissions on a per-user and/or per-server basis. So, most likely your situation is that the SMTP server has an "Allow pass-through" list that includes the server where your code works, and does not include the server where the email is NOT sent.
At least, this is usually the problem in our network...
If the SMTP server is on the same server as your app, of course, you'd want to check to ensure that SMTP is installed on both servers with the same configuration.
If this fails, look for errors in your app code or in the event log. If my guesses are wrong, you're going to need more info to go on.
Finally, here is a good resource for a coder, not necessarily for an Admin, but it may have info that will help you. http://systemnetmail.com/
The first thing to check is the Windows firewall, and whether there is an antivirus or third-party firewall installed on the machine.
Also check the event log for some useful information about the details of the error.
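The per-server relay permission described above can be tested from each host without delivering anything: this added example (not the question's code or either answer's) opens an SMTP session, issues MAIL FROM and RCPT TO, classifies the reply, then resets the transaction. Host names and addresses are placeholders; the real server name is whatever the app reads from web.config.

```python
# Added example, not from the question's code or the answers: ask the SMTP server
# whether it will relay for this host, then RSET so nothing is delivered. Host
# names and addresses are placeholders; your app reads the real one from web.config.
import smtplib
import socket

def classify_reply(code: int, text: bytes) -> str:
    """Reduce an SMTP reply to the outcome that matters for this question."""
    if 200 <= code < 300:
        return "accepted"
    msg = text.decode("ascii", "replace").lower()
    if code in (550, 554) and ("relay" in msg or "5.7.1" in msg):
        return "relay denied"        # this host is not on the server's relay list
    return f"rejected ({code})"

def relay_check(host: str, sender: str, rcpt: str, port: int = 25,
                timeout: float = 20.0) -> dict:
    """EHLO, MAIL FROM, RCPT TO, RSET, QUIT: the steps the app takes, minus DATA."""
    result = {"connect": None, "mail": None, "rcpt": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as s:
            result["connect"] = "ok"
            s.ehlo_or_helo_if_needed()
            code, text = s.mail(sender)
            result["mail"] = classify_reply(code, text)
            if result["mail"] == "accepted":
                code, text = s.rcpt(rcpt)
                result["rcpt"] = classify_reply(code, text)
            s.rset()
    except (socket.timeout, OSError) as exc:   # refused, unreachable, disconnected
        result["connect"] = result["connect"] or "failed"
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    # Run this on server1 and on server2 and compare the two dictionaries.
    print(relay_check("smtp.example.internal", "app@example.internal", "user@example.org"))
```

A "relay denied" on RCPT TO from server2 only, with "accepted" from server1, confirms the allow-list explanation; a "failed" connect points at the firewall or antivirus mentioned in the second answer instead.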
For some reason when I try to use get or put from a Solaris box to an IBM mainframe, the ftp client appears to hang.
I've tried all sorts of different variations (for example, including using quotes and not), and all I ever get is a "200 Port Request OK". But I never get the prompt back, and eventually the connection breaks.
ftp> open ibm.some_server
Connected to ibm.some_server
230 USER1 is logged on. Working directory is "USER1.".
Remote system type is MVS.
ftp> cd 'Z.TABS.'
250 "Z.TABS." is the working directory name prefix.
ftp> get 'SAMASCPY' samas.txt
200 Port request OK.
Anyone know what could be going on?
You need to enable passive mode. With Solaris 10's ftp:
ftp> passive
Passive mode on.
The FTP protocol as originally defined makes the server open a connection back to the client when a file transfer is initiated. That's what the PORT command in your question shows -- the client requested that the server connect back to its address on a specific port number. These days, with ubiquitous firewalls & NAT traversals, that rarely works.
Enabling passive mode tells the client to connect directly to the server, and fixes this issue. Most ftp clients now use passive mode by default; Solaris' does not.
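To make the difference concrete, this added example (not from the question or the answer) shows the two data-channel set-ups as the client sees them: the PORT argument an active-mode client sends, the 227 reply a passive-mode client parses, and a passive-mode fetch of an MVS data set member with Python's ftplib. The host, credentials and data set names are placeholders.

```python
# Added example, not from the answer: the two ways an FTP data channel is set up,
# shown as the client sees them, plus a passive-mode get of an MVS data set member
# with ftplib. Host, credentials and data set names are placeholders.
import re
from ftplib import FTP

def port_argument(ip: str, port: int) -> str:
    """Active mode: build the PORT argument that tells the server where to connect
    back to. That inbound connection is what firewalls and NAT usually drop."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)])

def parse_pasv(reply: str) -> tuple:
    """Passive mode: read the 227 reply that tells the client where to connect."""
    m = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", reply)
    if m is None:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2

def mvs_get(host: str, user: str, password: str, prefix: str, member: str,
            local_path: str, timeout: float = 30.0) -> str:
    """Equivalent of the session in the question with passive mode on: the client
    opens the data connection, so no inbound port has to reach the Solaris box."""
    with FTP(host, timeout=timeout) as ftp:
        ftp.login(user, password)
        ftp.set_pasv(True)                 # ftplib's default, made explicit
        ftp.cwd(f"'{prefix}'")             # e.g. 'Z.TABS.' sets the data set prefix
        with open(local_path, "w", encoding="ascii", errors="replace") as fh:
            # ASCII mode, like the plain `get`, so EBCDIC records arrive as text lines
            return ftp.retrlines(f"RETR '{member}'", lambda line: fh.write(line + "\n"))
```

`mvs_get("ibm.some_server", "USER1", password, "Z.TABS.", "SAMASCPY", "samas.txt")` is the passive-mode version of the transcript above; the timeout makes a still-blocked transfer fail instead of hanging.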