How to check what IIS user is spamming

November 13, 2012

This is geared towards Windows System Administrators, not end users.

First off we need to figure out how a user sends an email. Let's just say you have enabled multiple email-related COM components for Classic ASP, plus the standard ASP.NET components. You also have PHP, Perl, and Python. Your SMTP server is connected to over port 25 and allows relaying.

So the question then is: with so many different ways to send email, how do we associate an anonymous connection to the SMTP server with a user? The answer is simple yet complex: create an SMTP proxy in your favorite programming language. I won't go into too much detail, but I will give you the ideas behind what I've done.

First off, the way we run our farm is that every user has their own application pool, and that app pool runs under the user's credentials. You would need a similar setup to get this working the way I have it working; otherwise it won't work.

Next you need to create an application, or find an open-source application you can modify, that will listen on port 25, take all of the requests, and then send them on to the local SMTP server over a different port. Since this is Windows, you should consider making it a service if you have the programming skills to do so.

The process should go something like this:

  1. A TCP connection is established between the client and the SMTP proxy.
  2. Get the port of the client. This will not be 25.
  3. Get a listing of TCP connections and search for the client's port + 1. So if the client port is 50,000, you would look for 50,001. Depending on what you use to get the list of TCP connections, each entry should have a Local IP:Port and a Remote IP:Port. The easiest way to pick out the right entry is to search by the Local IP:Port (the 50,001 from the example) where the Remote IP:Port is the SMTP proxy. Make sure you use something that includes the Process ID that owns the connection. In Visual Basic or Visual C#, if you decide to use those, there is a way to enumerate TCP connections together with a Process ID.
  4. Once you have the Process ID you should be able to select that specific process and collect the username that spawned it.
  5. What I do with this information is create a hashtable of some sort keyed by username, storing a custom structure that contains the Process ID, the command executed (w3wp.exe, php-cgi.exe, php.exe, python.exe, perl.exe, etc.), how many emails have been sent, and the number of recipients that have been emailed by this specific user.
  6. After you have collected your information you must read from and write to the TCP stream. To do this properly you need to know which information to process and what to send back.

SMTP connection:

  1. You need to let the client know you've accepted the request by sending a “220 SMTP server ready” message.
  2. You should get back a “HELO” or “EHLO”; respond with “250 OK”.
  3. After that you will get “MAIL FROM:<>”. Respond with “250 2.1.0 … Sender OK”.
  4. Next you will get a listing of all of the recipients, one “RCPT TO:<>” per recipient. Respond to each with “250 2.1.5”. This repeats as many times as needed to list all of the addresses this email is sent to.
  5. After you have collected all of your recipients you will get the “DATA” command. Respond with “354 Start mail input; end with <CRLF>.<CRLF>”.
  6. The next thing received will be the full contents of the message, including all headers and the message body. You will know it is done when the data ends with <CRLF>.<CRLF>. Respond with “250 2.6.0 Queued mail for delivery”.
  7. You should then get either more “MAIL FROM” requests, in which case you repeat steps 3-6, or a “QUIT” command. If you get “QUIT”, respond with “221 Service closing transmission channel” and close the TCP connection.
  8. Relay the information to the real SMTP server. To relay it you take the client's side of the same exchange, so steps 1-7 above run with the directions reversed. For example, you connect to the real SMTP server, you get the “220 SMTP server ready” message, you respond with HELO or EHLO, ...

You should be able to figure out the rest without me typing it all out. Using this information you should easily be able to see which of your users are causing problems, and you can in fact stop them from sending to too many people at a time by rejecting them once they hit a specific RCPT TO count. There are many other things you can do, including URL blacklist checking. Have fun with it. If you do use information from here, it would be nice to hear from you and see how you used it and what you did with it.
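Here is an added example in Python (my code, not the post's) that ties the two lists together: the port-to-owner lookup from step 3, parsed out of `netstat -ano` style rows, and the server-side state machine for SMTP steps 1-7, with the RCPT TO cap mentioned above. The netstat rows and the PID-to-account map are constructed sample data; the lookup takes the port to search as a parameter, so the caller applies whatever offset their connection enumeration needs, and on a real host the owner map would be filled from the process list.

```python
import re
# Constructed sample of `netstat -ano` output (not captured from a real host).
NETSTAT_SAMPLE = """\
  TCP    127.0.0.1:50000        127.0.0.1:25           ESTABLISHED     4312
  TCP    127.0.0.1:25           127.0.0.1:50000        ESTABLISHED     1188
"""
# Constructed PID -> (image, account) map; on a real host fill it from the process list.
PROCESS_OWNER = {4312: ("php-cgi.exe", "site12"), 1188: ("smtpproxy.exe", "SYSTEM")}

def owner_of_client_port(netstat_text, port):
    """(pid, image, account) of the process owning local TCP `port`, the peer port the proxy sees."""
    for line in netstat_text.splitlines():
        m = re.match(r"\s*TCP\s+\S+:(\d+)\s+\S+:(\d+)\s+\S+\s+(\d+)", line)
        if m and int(m.group(1)) == port:
            pid = int(m.group(3))
            return (pid,) + PROCESS_OWNER.get(pid, ("?", "?"))
    return None

class SmtpSession:
    """Server side of the proxy's talk with one client, following the post's steps 1-7."""
    def __init__(self, max_rcpt=50):
        self.max_rcpt = max_rcpt   # reject RCPT TO beyond this (the post's closing idea)
        self.rcpt = 0              # recipients accepted for the current message
        self.msgs = 0              # messages queued in this session, to charge to the user
        self.in_data = False       # True between DATA and the terminating "."

    def handle(self, line):
        """Consume one client line (CRLF stripped); return the reply to send, or None."""
        if self.in_data:
            if line == ".":        # <CRLF>.<CRLF> ends the message (step 6)
                self.in_data, self.msgs = False, self.msgs + 1
                return "250 2.6.0 Queued mail for delivery"
            return None            # header/body lines are relayed, never answered
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 OK"
        if verb == "MAIL":
            self.rcpt = 0          # a new message starts a fresh recipient count
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            if self.rcpt >= self.max_rcpt:
                return "452 4.5.3 Too many recipients"
            self.rcpt += 1
            return "250 2.1.5 Recipient OK"
        if verb == "DATA":
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 Service closing transmission channel"
        return "500 Command not recognized"
```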
