What port is e-mail received on by a mail server?

Cerulean

Stupid question, maybe I'm not feeling well right now, but when you send an e-mail message from company.com to client.com, on what port would the mailserver at client.com receive your message?
 
default SMTP is port 25
When mail is sent, it comes through port 25. That same message will be received on port 25, yes?

What if clienthax0r.com uses port 23577 (random) instead of 25? clienthax0r.com wouldn't receive the e-mail then, true?
 
The sending server will use a random port to send from, but the receiving port will be TCP 25 or 587. Same as browsing a web page: the computer chooses a random port to send from, but all requests are sent to port 80. The server then replies back using a random port back to your original random port. (If you are using NAT then it'll send to the random port that NAT is using and then in return send it to the client behind the NAT device.)
 
When mail is sent, it comes through port 25. That same message will be received on port 25, yes?

What if clienthax0r.com uses port 23577 (random) instead of 25? clienthax0r.com wouldn't receive the e-mail then, true?

A client like outlook could connect using that port and send through that server, but I don't believe it will receive mail from other servers with a different port other than 25 or 587.
 
Mar 26 16:50:46 172.99.11.1 Mar 26 2013 16:50:46: %ASA-4-106100: access-list 100 permitted tcp PROD-LB-FRONT/172.54.12.209(64627) -> outside/94.167.100.20(25) hit-cnt 1 first hit [0x89793ff7, 0x0]
Mar 26 16:50:47 172.99.11.1 Mar 26 2013 16:50:46: %ASA-4-106100: access-list 100 permitted tcp PROD-LB-FRONT/172.54.12.209(64628) -> outside/173.179.46.72(25) hit-cnt 1 first hit [0x89793ff7, 0x0]
This is from the Cisco firewall syslog. Would I be correct to say that 172.54.12.209 is directly sending an e-mail message (or at least something to destination port 25) for each row to 94.167.100.20 and 172.54.12.209?

If 172.54.12.209 were a Windows 8 VDI with Office 2013 suite, and had Outlook 2013 configured with a POP3 e-mail account with an outgoing and incoming server of mail.company.com (which comes out to the fictional IP address of 1.2.3.4), if you sent an e-mail to [email protected] (fictional mail server IP of 4.3.2.1) would your e-mail be going to destination IP 1.2.3.4 on port 25 from source IP 172.54.12.209, and then from 1.2.3.4 (as a separate row or entry in the syslog) to 4.3.2.1?

(The IP addresses in this post are fictional / have been changed from original IP addresses)
 
Yes those are outgoing packets from that host to the two servers.

Is 1.2.3.4 an internal server behind the Cisco? If it's outside it would look like 172.54.12.209(543675) to 1.2.3.4. The mail has to go to 1.2.3.4 from the client to the server and then the server will send to the server on the dickensons.com mx records, in this case 4.3.2.1.
 
From what I understand, SMTP basically has two jobs.

1: Relay mail from a user whose account is on that server (logically). Ex: I am sending an email from my @example.com account and I connect to the example.com SMTP server in order to do that. Though I can also connect to some completely other SMTP server that I am authorized to use (ex: ISP).

2: Receiving mail from other SMTP servers. So the example.com SMTP server will see that I am sending mail to [email protected], so it will do an MX lookup to see what the mail server for destination.com is, and see that it is mail.destination.com. It will then connect to port 25 of that IP address and then communicate the email to that server to be dropped in the mailbox.

At least that's how I think it works, anyway.

So long story short, I don't think you can change the default port unless the SMTP server is strictly made to send outbound mail.
 
Yes those are outgoing packets from that host to the two servers.

Is 1.2.3.4 an internal server behind the Cisco? If it's outside it would look like 172.54.12.209(543675) to 1.2.3.4. The mail has to go to 1.2.3.4 from the client to the server and then the server will send to the server on the dickensons.com mx records, in this case 4.3.2.1.
1.2.3.4 is a "dedicated server" at some local DC. It's not joined to the domain, there are no other servers on the same private LAN; just think of it like going to SoftLayer/ThePlanet/Rackspace and paying for a $120/mo dedi. (We do have physical access to the box though, and it is our equipment.)

well...

 
What if you create a firewall rule to block all outgoing traffic on TCP 25 but allow traffic to your mail server's IP? That should stop any spambot (assuming it's not using your own mail server). Check your firewall logs to see if there's a host that keeps getting logged on that ACL. That should give you your spammer. I'm assuming this has to do with your previous thread.
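As an added example (not code from this thread), here is a small Python script that applies the suggestion above to ASA syslog lines: it parses the %ASA-4-106100 format quoted earlier, treats the sanctioned mail server (1.2.3.4, the thread's placeholder) as the only permitted SMTP destination, and counts which source hosts connected to port 25/587 anywhere else. The sample log lines are constructed in the same format as the two real ones.

```python
import re
from collections import Counter

# Cisco ASA 106100 access-list log format as seen in the thread:
#   %ASA-4-106100: access-list 100 permitted tcp IFACE/SRC(SPORT) -> IFACE/DST(DPORT) hit-cnt N ...
ASA_106100 = re.compile(
    r"%ASA-4-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>[^/]+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/]+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample: the two lines quoted above plus two made-up flows from a
# second VDI (172.54.12.77), one to the sanctioned mail server and one HTTPS flow.
SAMPLE_LOG = """\
Mar 26 16:50:46 172.99.11.1 Mar 26 2013 16:50:46: %ASA-4-106100: access-list 100 permitted tcp PROD-LB-FRONT/172.54.12.209(64627) -> outside/94.167.100.20(25) hit-cnt 1 first hit [0x89793ff7, 0x0]
Mar 26 16:50:47 172.99.11.1 Mar 26 2013 16:50:46: %ASA-4-106100: access-list 100 permitted tcp PROD-LB-FRONT/172.54.12.209(64628) -> outside/173.179.46.72(25) hit-cnt 1 first hit [0x89793ff7, 0x0]
Mar 26 16:50:48 172.99.11.1 Mar 26 2013 16:50:48: %ASA-4-106100: access-list 100 permitted tcp PROD-LB-FRONT/172.54.12.77(50112) -> outside/1.2.3.4(25) hit-cnt 1 first hit [0x89793ff7, 0x0]
Mar 26 16:50:49 172.99.11.1 Mar 26 2013 16:50:49: %ASA-4-106100: access-list 100 permitted tcp PROD-LB-FRONT/172.54.12.77(50113) -> outside/203.0.113.5(443) hit-cnt 1 first hit [0x89793ff7, 0x0]
"""

def parse_asa_lines(text):
    """Yield one dict per parseable 106100 line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = ASA_106100.search(line)
        if m:
            flow = m.groupdict()
            flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
            yield flow

def direct_smtp_senders(text, mail_server, smtp_ports=(25, 587)):
    """Count, per source host, SMTP flows that bypass the sanctioned mail server.

    This mirrors the proposed ACL: outbound TCP to 25/587 is acceptable only
    when the destination is mail_server; every other such flow is suspect."""
    suspects = Counter()
    for flow in parse_asa_lines(text):
        if flow["proto"] != "tcp" or flow["dport"] not in smtp_ports:
            continue
        if flow["dst"] == mail_server:
            continue
        suspects[flow["src"]] += 1
    return suspects

if __name__ == "__main__":
    for host, n in direct_smtp_senders(SAMPLE_LOG, "1.2.3.4").most_common():
        print(f"{host}: {n} direct SMTP connection(s) bypassing the mail server")
```

Point the same function at a full day's syslog export and the hosts at the top of the counter are the ones to pull for a closer look.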
 
What if you create a firewall rule to block all outgoing traffic on TCP 25 but allow traffic to your mail server's IP? That should stop any spambot (assuming it's not using your own mail server). Check your firewall logs to see if there's a host that keeps getting logged on that ACL. That should give you your spammer. I'm assuming this has to do with your previous thread.
Yes, it does. During the work day, the rate can go up to 1 syslog entry per second. I've been tasked to investigate this today, using Splunk, and I appreciate the confirmation from you guys for my sanity.

From the last 24 hours, there were 31000 syslog entries where VDIs are sending e-mail directly. One thing I tested was installing hMailServer (http://www.hmailserver.com/) on to my own dedicated VDI, then from my work laptop I telnet'd to that running mail server service, and was successful in sending e-mail to my personal e-mail address from my dedicated VDI via telnet'ing from my work laptop.

For one, yes, we need to put in an ACL to only allow traffic to our old IceWarp e-mail server. Everything else should be denied. Our Exchange server is not on the DMZ, and not being used for live production yet, so it's okay to leave that out of the ACL for the reason of not being used and also that stuff goes directly to that server before getting to the firewall (different rules apply unless the Exchange server is infected LOL).

EDIT: Notes to self
http://www.2-spyware.com/remove-cutwail.html
http://www.2-spyware.com/news/post203.html
http://www.mxtoolbox.com/Public/BlacklistDetails.aspx?bl=CBL&ip=1.2.3.4&page=BLD&upgrade=BLD&SO=MMM (modified URL to have 1.2.3.4 instead of real IP)
http://cbl.abuseat.org/lookup.cgi?ip=1.2.3.4 (modified URL again)
http://www.ehow.com/how_8270333_remove-cutwail-spambot.html
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Win32/Cutwail

According to cbl.abuseat.org, it is the Cutwail spambot botnet. The traffic died 10 minutes prior to 5 PM. I've taken one VDI for example purposes, figured out who was logged in during the last bit of SPAM, reset their password, and logged into the same VDI they were logged into via vSphere Console. I checked out the registry locations and did searches for files as identified by Microsoft and the other websites above, but I had zero success in finding anything. I'm going to have to monitor Splunk, catch this in the act, and either in-person or remotely shadow a user's session and figure out what's going on in their VDI. This particular user's VDI (which is part of a shared pool, so the user gets a random VDI each time), I scanned with MalwareBytes, but the only thing it picked up was this:

Malwarebytes Anti-Malware (Trial) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.03.27.02

Windows 8 x64 NTFS
Internet Explorer 10.0.9200.16519
Administrator :: DFW-VDI6-19 [administrator]

Protection: Enabled

3/26/2013 9:49:01 PM
MBAM-log-2013-03-26 (22-06-26).txt

Scan type: Full scan (C:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 401011
Time elapsed: 16 minute(s), 24 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoRecycleFiles (PUM.Disable.Recycle) -> Bad: (1) Good: (0) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
There's probably a GPO that sets that. I haven't kept myself up-to-date with all the GPO updates and additions that have been done in the past 2 months.

All the VMs for VDIs get blown away once a week (over the weekend) and start with a fresh reload of their image. With the latest VMware View [Horizon?] update, there's also been some profile issues fixed, so I believe now when a user logs off a VDI anything from the user gets cleaned off the VDI (which appears to be true and happens).

EDIT: ACL should be in place soon. /viking helmet
 
Answer to OQ is 25 under any and all circumstances unless you're using a relay/gateway service that secretly throws it to your non-25 server.

It's simple tcp traffic. If you need to nuke it, nuke it.

There are also gigatons of SMTP tweaks that you can implement on Exchange or *pick your flavor* to keep the spammers out.
 