
I am looking for a way to find the source of spam on one of my webservers, attached to Parallels Plesk Automation 11.5. The server currently runs Windows 2008 R2 & IIS7.

The mail queue keeps growing and, as one would guess, blocking the IPs is not a long-term solution.

On Linux one could easily tail the maillog and obtain more information. In Windows however, it is not that easy.

I could not find anything in the Event Viewer. In the SMTP logs I only found IPs and nothing more.

How can I find out which website is triggering the spam?

Header example
C:\inetpub\mailroot\Queue

Received: from WEBSRV ([127.0.0.1]) by WEBSRV with Microsoft SMTPSVC(7.5.7601.17514);  
     Wed, 29 Apr 2015 15:04:53 +0200  
Date: Wed, 29 Apr 2015 13:04:53 +0000
Subject: Prezado(a) Cliente, Alerta Itaú 29/04/2015  
To: adilson.felipe@copebras.com.br  
MIME-Version: 1.0  
Content-type: text/html; charset=iso-8859-1  
X-Mailer: Microsoft Office Outlook, Build 17.551210  
From: adilson.felipe@copebras.com.br  
Return-Path: postmaster@WEBSRV  
Message-ID: SRVm8Kx7M6xyAE0Q20008eb98@WEBSRV   
X-OriginalArrivalTime: 29 Apr 2015 13:04:53.0897 (UTC) FILETIME=[159E6790:01D0827D]  

Log example
C:\Windows\System32\LogFiles\SMTPSVC1

2015-04-29 13:00:00 187.92.46.51 OutboundConnectionResponse SMTPSVC1 SRV - 25 - - 250+OK 0 0 6 0 4696 SMTP - - - -  
2015-04-29 13:00:00 187.92.46.51 OutboundConnectionCommand SMTPSVC1 SRV - 25 RCPT - TO:<edison.toledo@ceramicaportoferreira.com.br> 0 0 4 0 4711 SMTP - - - -
2015-04-29 13:00:00 186.202.4.42 OutboundConnectionResponse SMTPSVC1 SRV - 25 - - 504+5.5.2+<SRV>:+Helo+command+rejected:+need+fully-qualified+hostname 0 0 70 0 1217 SMTP - - - -
alphamikevictor
Rudolph

1 Answer

I've battled with a couple of these (or similar) scenarios on servers with hundreds of applications, and found the easiest way to narrow/track them down was using Sysinternals Process Monitor:

  1. Find the smoking gun:

    • Open Process Monitor and have it show only Network Activity
    • Filter for process name w3wp.exe (if running .NET or ASP applications)
    • If you run PHP or Perl applications using CGI, you might want to look for perl.exe or php_xyx.exe or whatever name the executable has instead
    • Filter for TCP activity where the Path contains 127.0.0.1 and :25 (indicating local SMTP connections)
    • Take note of the Process ID of the w3wp.exe process making these calls
  2. Correlate with running applications

    • Go to the IIS Management Console, select the top node in the tree pane on the left (the server name)
    • Choose the "Worker Processes" feature from the center pane
    • Correlate the PID with the Application Pool
    • Right-click the App Pool in question to see what applications it serves
  3. Check the logs

    • Now all you have to do is check the IIS logs of the Sites hosting the applications in question
    • From experience, those will probably be POST requests

If you're running CGI applications, you can use Process Explorer to find the parent process of the offending application.

Mathias R. Jessen
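Step 3 of the answer above (matching the outbound mail against POST requests in the IIS site logs), worked as an added example that is not the answer author's code: a Python script that parses the SMTPSVC1 log in the layout shown in the question and an IIS site log, both W3C extended format, and counts the POST requests, by client IP and URL, that arrived in the window before each outbound RCPT command. The SMTP column order (used only when no `#Fields:` line survives), the 120-second window and the sample log lines are assumptions constructed for the example.

```python
"""Correlate outbound SMTP events with IIS POST requests, both in W3C extended log format."""
from datetime import datetime, timedelta

# Assumed column order of the IIS 7.5 SMTP service log when no #Fields line is present; the SMTP
# service writes the connection direction into cs-username and the SMTP verb into cs-method.
SMTP_FIELDS = ("date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method "
               "cs-uri-stem cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken "
               "cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)").split()

def parse_w3c(text, default_fields=()):
    """Return one dict per data line; a '#Fields:' directive overrides default_fields."""
    fields, rows = list(default_fields), []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        values = line.split()
        if not values or line.startswith("#") or len(values) != len(fields):
            continue  # directives, blanks and malformed lines are skipped, never misaligned
        row = dict(zip(fields, values))
        row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def suspect_posts(smtp_log, iis_log, window_seconds=120):
    """Count IIS POST requests (by client IP and URL) seen in the window before each RCPT command."""
    rcpts = [r for r in parse_w3c(smtp_log, SMTP_FIELDS) if r["cs-method"] == "RCPT"]
    posts = [r for r in parse_w3c(iis_log) if r["cs-method"] == "POST"]
    hits = {}
    for r in rcpts:
        for p in posts:
            if r["ts"] - timedelta(seconds=window_seconds) <= p["ts"] <= r["ts"]:
                key = (p["c-ip"], p["cs-uri-stem"])
                hits[key] = hits.get(key, 0) + 1
    return sorted(hits.items(), key=lambda kv: -kv[1])  # most frequent (ip, url) first

# Constructed samples: an SMTPSVC1 log in the question's layout and a default-format IIS 7.5 site log.
SMTP_SAMPLE = """\
2015-04-29 13:00:00 192.0.2.10 OutboundConnectionResponse SMTPSVC1 SRV - 25 - - 250+OK 0 0 6 0 4696 SMTP - - - -
2015-04-29 13:00:00 192.0.2.10 OutboundConnectionCommand SMTPSVC1 SRV - 25 RCPT - TO:<victim@example.net> 0 0 4 0 4711 SMTP - - - -
"""
IIS_SAMPLE = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-04-29 12:58:31 10.0.0.5 POST /uploads/mail.php - 80 - 203.0.113.77 Mozilla/5.0 200 0 0 812
2015-04-29 12:59:02 10.0.0.5 GET /index.html - 80 - 198.51.100.9 Mozilla/5.0 200 0 0 15
2015-04-29 12:59:40 10.0.0.5 POST /uploads/mail.php - 80 - 203.0.113.77 Mozilla/5.0 200 0 0 790
2015-04-29 13:05:10 10.0.0.5 POST /contact/submit - 80 - 198.51.100.9 Mozilla/5.0 302 0 0 44
"""
```

Run `suspect_posts(SMTP_SAMPLE, IIS_SAMPLE)` over the samples and the two POSTs to /uploads/mail.php from 203.0.113.77 are the only requests in the window before the RCPT; point it at the real SMTPSVC1 and site log files and the top entries are the first scripts to inspect.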