How to check what IIS user is spamming

November 13, 2012

This is geared towards Windows System Administrators, not end users.

First off, we need to figure out how a user sends an email. Let's just say you have enabled multiple email-related COM components for Classic ASP, along with the standard ASP.NET components. You also have PHP, Perl, and Python. Your SMTP server is reached over port 25 and allows relaying.

So the question then is, how do we associate an anonymous connection to the SMTP server with a user, when there are so many different ways to send emails? The answer is simple yet complex: write an SMTP proxy in your favorite programming language. I won’t go into too much detail but I will give you the ideas behind what I’ve done.

First off, the way we run our farm is that every user has their own application pool, and that app pool runs under the user's credentials. You would need to have a similar setup to get this working the way I have it working. Otherwise it won’t work.

Next you need to create an application, or find an open source application you can modify, that will listen on port 25, take all of the requests, and then send them to the local SMTP server over a different port. Since this is Windows, you should consider making this a service if you have the programming skills to do so.

The process should go something like this:

  1. TCP connection is established between the client and the SMTP proxy.
  2. Get the port of the client. This will not be 25.
  3. Get a listing of TCP connections to Ports and search for the port of the client +1. So if the client port is 50,000, you would look for 50,001. Depending on what you use to get the list of TCP connections, you should have a Local IP:Port, and a Remote IP:Port. The easiest way to figure out which one it is is by searching for the Local IP:Port so for example and the remote port is the SMTP Proxy. Make sure you use something that contains the Process ID that is making the connection. In Visual Basic or Visual C#, if you decide to use one of those, there is a way to enumerate TCP connections with a Process ID.
  4. Once you have the Process ID you should be able to select the specific Process and collect the Username that spawned the process.
  5. What I do with this information is create a hashtable of some sort to store the username, and a custom structure object that contains the Process ID, the command executed (w3wp.exe, php-cgi.exe, php.exe, python.exe, perl.exe, etc…), how many emails have been sent, and the number of recipients that have been emailed by this specific user.
  6. After you have collected your information you must read and write to the TCP stream. In order to do this properly you will need to know what information to process and what information to send back to the server.

SMTP connection:

  1. You need to let the client know you’ve accepted the request by sending a “220 SMTP server ready” message.
  2. You should get a response back with a “HELO” or “EHLO”, you should respond with “250 OK”.
  3. After that you will get the “MAIL FROM:<>”. You should respond back with “250 2.1.0….Sender OK”.
  4. Next you will get a listing of all of the recipients “RCPT TO:<>”. You should respond back with “250 2.1.5”. This will repeat as many times as needed to list all of the email addresses this email is sent to.
  5. After you have collected all of your recipients you will get the “DATA” command, respond with “354 Start mail input; end with <CRLF>.<CRLF>”.
  6. The next information received will be the full contents of the message. This will include all headers and the message body. You will know it is done when your message ends with a <CRLF>.<CRLF>. Respond with “250 2.6.0 Queued mail for delivery”.
  7. You should then either get more “MAIL FROM” requests, in which case you would repeat steps 3-6, or you would get a “QUIT” command. If you get the “QUIT” command, you should respond with “221 Service closing transmission channel”, and close the TCP connection.
  8. Relay the information to the real SMTP server. In order to relay the information you should respond in the reverse order as the SMTP connections 1-7 listed above. So for example you connect to the real SMTP server and you get the “220 SMTP server ready” message, you respond with HELO or EHLO,

You should be able to figure out the rest without me having to type it all out for you. Using this information you should easily be able to see which of your users are causing problems. You can in fact stop them from sending to too many people at a time by rejecting them if they hit a specific RCPT TO count. There are many other things you can do, including URL blacklist checking. Have fun with it. If you do use information from here, it would be nice to hear from you and see how you used it and what you did with it.
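The client-facing dialogue from the SMTP connection list, combined with the per-user counters from step 5 and the RCPT TO cap described above, as an added example (not the author's code). It assumes the username lookup from steps 2-4 has already produced the `UserStats` record; `MAX_RCPT`, the class and function names, and the 452, 503 and 500 replies are assumptions, since the page does not say what to send when rejecting.

```python
from dataclasses import dataclass
MAX_RCPT = 3  # assumed per-user recipient cap; the page leaves the number to you

@dataclass
class UserStats:  # per-user record from step 5, kept in a dict keyed by username
    pid: int
    command: str
    emails: int = 0
    recipients: int = 0

class ProxySession:
    """feed() takes one received line (CRLF stripped) and returns the reply, or None."""
    def __init__(self, stats):
        self.stats, self.in_data = stats, False
        self.rcpts, self.body, self.queued = [], [], []
    def feed(self, line):
        if self.in_data:
            if line != ".":
                self.body.append(line)  # dot-stuffed lines are relayed untouched
                return None
            self.in_data = False  # a lone "." is the <CRLF>.<CRLF> terminator
            self.stats.emails += 1
            self.queued.append((self.rcpts, self.body))  # relay to the real server
            self.rcpts, self.body = [], []
            return "250 2.6.0 Queued mail for delivery"
        cmd = line.upper()
        if cmd.startswith(("HELO", "EHLO")):
            return "250 OK"
        if cmd.startswith("MAIL FROM:"):
            self.rcpts = []  # a new message starts with an empty recipient list
            return "250 2.1.0 Sender OK"
        if cmd.startswith("RCPT TO:"):
            if self.stats.recipients >= MAX_RCPT:  # user hit the cap: refuse
                return "452 4.5.3 Too many recipients"
            self.rcpts.append(line[8:].strip())
            self.stats.recipients += 1
            return "250 2.1.5"
        if cmd == "DATA":
            if not self.rcpts:  # every recipient was refused, nothing to accept
                return "503 5.5.1 Bad sequence of commands"
            self.in_data = True
            return "354 Start mail input; end with <CRLF>.<CRLF>"
        if cmd == "QUIT":
            return "221 Service closing transmission channel"
        return "500 Command not recognized"

def replay(lines, stats):  # run client lines through a new session for this user
    session = ProxySession(stats)
    return ["220 SMTP server ready"] + [r for r in map(session.feed, lines) if r], session
```

The cap here is cumulative for the life of the record; resetting the counters on a timer turns it into a rate limit.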



What happened to mstsc /console?!

September 26, 2012

Yeah, I finally figured out that in December of 2007 our good friends at Microsoft changed the Remote Desktop Client (mstsc), removing /console and replacing it with /admin. Instead of either keeping both or showing an alert stating that /console doesn’t work anymore, it just logs you into any session that is available. If there are two sessions in use, and you try to log in to the third “console” session 0, you won’t be able to without using /admin. Just keep that in mind the next time you need to RD to a server.


Creating an Exchange 2010 Certificate the right way.

September 20, 2012

First we need to create the Certificate Request. There are a few ways to do it but I found this to be the easiest.

Method 1 – Manual

  1. Click on Start, Run, type mmc and click OK.
  2. Choose File > Add or Remove Snap-ins
  3. Select Certificates and Click Add >. When prompted choose Computer account and click Next. Keep it on the local computer and click Finish.
  4. Expand Personal > Certificates. Right click on Certificates and choose All Tasks > Advanced Operations > Create Custom Request.
  5. Click Next, then Next again. Choose “(No template) Legacy key” for the template, keep it as PKCS #10. Click Next.
  6. Click on the down arrow next to details, then properties.
  7. Under General enter a name that will identify this certificate, and a description if you want to.
  8. Under Subject choose the type: Common name and enter in what your customers will be going to i.e.
  9. Because this is Exchange, under the Alternative name: section choose DNS from type. Enter the FQDN for any of your Client Access servers; to be safe I also include the Edge Transport servers. You can, if you want to, include IP Address for the IP addresses on all of the Client Access servers.
  10. Under Extensions expand Key usage and add Data encipherment and Key encipherment. Under Extended Key Usage (application policies) add Server Authentication and Client Authentication.
  11. Under the Private Key tab expand Cryptographic Service Provider and make sure “Microsoft RSA SChannel Cryptographic Provider (Encryption)” is selected. If you would like to, under Key options check “Make private key exportable”. Under Key type choose Exchange; do not leave it on Signature.
  12. Click OK, then click Next. Enter a file name, make sure it is Base 64, then click Finish.