I run a small server hosting sites for around 100 unique clients. I've had issues with my legitimate mail server showing up on DNS Blacklists, so I need to find out if one of my many clients has a bad script somewhere sending junk through my SMTP Virtual Server in IIS6.

I have email sending out correctly, I have relaying set to only allow for 127.0.0.1, so I know that someone somewhere on this box is allowing bad mail through the service. I've enabled all logging on the SMTP service, but it doesn't give me any clue as to which script (most likely a Classic ASP VBScript application) is the culprit.

Dan Short
  • I'm using SmarterMail as my proper mail server, and I don't have access to cPanel :/. Definitely a sticky situation, since many of the apps on this server are years old, and haven't been touched in ages. If I touch something server-wide now, I'm likely to break all of the apps... – Dan Short Sep 28 '11 at 19:34

3 Answers

With IIS6 and the built-in SMTP server, I think you're going to be out of luck. The built-in SMTP server is pretty limited in its functionality. Outside of writing some kind of plugin (which you can do) or buying a plugin that can implement scanning and logging of the SMTP message envelopes, you're not going to get much more information than what you have now.

As mentioned by jdw in his comment, I have used exim in the past for this specific purpose, and I find the Linux-based MTAs much more flexible and powerful for this kind of thing. But that doesn't help you if all you have is an IIS box.

Coding Gorilla
Since classic ASP is plain text you could do a text search across the server for common ASP commands for sending mail such as

CreateObject("CDO.Message")

From there you should be able to see how the script is setting up the 'from' address. I'd say that any scripts that have a dynamic FROM value or alternatively if you have known junk consistently from the same email address just search for that email address.

Going forward I'd strongly recommend only using authenticated SMTP.

Joel Mansford
  • Absolutely on the authenticated SMTP. That's my end goal here. I just started searching for the "CDO" string before I saw your answer, but I think that may be my only way to make this happen. Will mark this as the accepted answer if it does indeed do the trick. Thanks. – Dan Short Sep 28 '11 at 19:38
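The text search described in the answer above, as an added example that is not part of the original answer or the poster's own work: it walks a web root, finds Classic ASP files that create a mail object (`CDO.Message` from the answer, plus the older built-in `CDONTS.NewMail`), and classifies every `.From`/`.To`/`.Cc`/`.Bcc` assignment as a literal address, a variable, or a value taken straight from `Request`. The last category is the one worth looking at first, since a visitor-controlled sender or recipient is exactly what lets a form be driven as an open relay through the loopback-only SMTP service. The sample ASP files are constructed for the demo; file names, hostnames and addresses in them are made up.

```python
"""Find Classic ASP scripts that send mail and flag those with dynamic addresses.

Added example: implements the plain-text search suggested in the answer.
Assumptions: scripts live under one web root, use .asp/.inc extensions, and
create the mail object with CreateObject("CDO.Message") or
CreateObject("CDONTS.NewMail").
"""
import re
import tempfile
from pathlib import Path

# Mail objects commonly created in Classic ASP (CDO.Message is the one named
# in the answer; CDONTS.NewMail is the older built-in object).
MAIL_OBJECT_RE = re.compile(
    r'CreateObject\s*\(\s*"(CDO\.Message|CDONTS\.NewMail)"\s*\)', re.IGNORECASE
)
# Assignments of the form  obj.From = <expr>  (also To / Cc / Bcc).
ADDR_ASSIGN_RE = re.compile(r"\.(From|To|Cc|Bcc)\b\s*=\s*([^\r\n]+)", re.IGNORECASE)
# Anything read from the HTTP request is attacker-controlled.
TAINT_RE = re.compile(r"\bRequest\b", re.IGNORECASE)
# A single double-quoted string, optionally followed by a VBScript ' comment.
LITERAL_RE = re.compile(r'^"[^"]*"\s*(\'.*)?$')


def classify_expr(expr: str) -> str:
    """Classify the right-hand side of an address assignment."""
    expr = expr.strip()
    if LITERAL_RE.match(expr):
        return "literal"   # hard-coded address: low risk
    if TAINT_RE.search(expr):
        return "tainted"   # built from Request.Form / QueryString / ...
    return "dynamic"       # variable or concatenation: needs a manual look


def scan_source(text: str) -> dict:
    """Return mail objects found, address assignments and an overall risk label."""
    objects = sorted({m.group(1) for m in MAIL_OBJECT_RE.finditer(text)})
    addresses = [
        (m.group(1).capitalize(), m.group(2).strip(), classify_expr(m.group(2)))
        for m in ADDR_ASSIGN_RE.finditer(text)
    ]
    kinds = {kind for _, _, kind in addresses}
    if not objects:
        risk = "none"      # no mail object created in this file (includes are scanned on their own)
    elif "tainted" in kinds:
        risk = "high"
    elif "dynamic" in kinds:
        risk = "medium"
    else:
        risk = "low"
    return {"objects": objects, "addresses": addresses, "risk": risk}


def scan_tree(root: Path, suffixes=(".asp", ".inc")) -> list:
    """Scan every ASP source under root; report only files that create a mail object."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            result = scan_source(path.read_text(errors="replace"))
            if result["objects"]:
                findings.append((str(path.relative_to(root)), result))
    return findings


# Constructed sample scripts standing in for a client's web root.
SAMPLES = {
    "contact.asp": (
        '<%\n'
        'Set objMail = Server.CreateObject("CDO.Message")\n'
        'objMail.From = "webmaster@example.com"\n'
        'objMail.To = "sales@example.com"\n'
        'objMail.Subject = "Contact form"\n'
        'objMail.TextBody = Request.Form("message")\n'
        'objMail.Send\n'
        '%>'
    ),
    "tellafriend.asp": (
        '<%\n'
        'Set objMail = Server.CreateObject("CDO.Message")\n'
        'objMail.From = Request.Form("sender")   \' chosen by the visitor\n'
        'objMail.To = Request.Form("friend")\n'
        'objMail.Send\n'
        '%>'
    ),
    "footer.inc": '<% Response.Write "(c) 2011" %>',
}


def demo() -> list:
    """Write the constructed samples to a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLES.items():
            (root / name).write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for name, result in demo():
        print(f"{name}: risk={result['risk']} objects={result['objects']}")
        for field, expr, kind in result["addresses"]:
            print(f"    {field:<4} {kind:<8} {expr}")
```

Point `scan_tree` at the real web root instead of the temp directory to run it for real; on a box with a hundred client sites the "high" list is short enough to review by hand, and a "medium" hit whose variable is later filled from `Request` deserves the same attention.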
This is strictly theoretical but I read an article on a similar situation a while ago. You should be able to use a Wireshark type product configured on the loopback address to get a packet capture containing all the references to your default SMTP connector. Might be worth looking into.

http://wiki.wireshark.org/CaptureSetup/Loopback

Tim Brigham