RE: NT4+IIS4 = spam problem?

From: Matthew.van.Eerde@hbinc.com
Date: 09/13/01


Message-ID: <A9F857A45F1DD511AB010002B321B505013F14B3@dns1.hbinc.com>
From: Matthew.van.Eerde@hbinc.com
To: STulchinskiy@aspensys.com, wanker@vyrus.net, ken@intangible.net
Subject: RE: NT4+IIS4 = spam problem?
Date: Thu, 13 Sep 2001 13:22:04 -0700

You could tell the firewall to block *outbound* requests on port 25 from
this server (that is, connections from this server to a remote port 25).

-----Original Message-----
From: Tulchinskiy, Sasha [mailto:STulchinskiy@aspensys.com]
Sent: Thursday, September 13, 2001 11:38
To: 'wanker'; Ken Seitz
Cc: focus-ms@securityfocus.com
Subject: RE: NT4+IIS4 = spam problem?

wanker,

Look at "X-Mailer: Smartcode ObjectSet 1.0"
You might have this component used by one of your clients/developers.
----------------------------------------------------------------------------
Name: ObjectSet MAIL SDK
Product: OO SDK
Platforms: Win32, Win16, MacOS, Java
Contact: info@smartcodesoft.com
Phone: (847) 945 3516
Where: http://www.smartcodesoft.com and http://www.smartcode.fr
Pricing: $395-$495
Author: Smartcode Software Inc
Comments:

    [ Olivier Meirhaeghe <olivier.meirhaeghe@smartcodesoft.com> 6-Nov-96 ]

    ObjectSet MAIL SDK is a MIME/SMTP/POP3 SDK. It encapsulates these
    three protocols in an EZ OO API. ObjectSet supports MIME1.0. The
    MailMessage (MIME) Objects handles construction and parsing of MIME
    compliant messages, encoding of Bodyparts. It is aimed towards
    developers who want to easily integrate Mail into their applications,
    or use Mail as the transport layer for their development. Integrates
    with MFC (windows),CodeWarrior/Powerplant,MacApp (Apple). DLLs, OCX ,
    ActiveX and Java to come. Unix: Ask us.
    
    Further Details, Demo MUA and MIME Explorer, Sample Application source
    Code, and a demo version of the Libraries with complete documentation
    can be found on our web site, at http://www.smartcodesoft.com/
--------------------------------------------------------------------------

Unfortunately neither of the links works, but you can check the registry for
the component, get its name and search the source code of your dynamic pages
looking for it.

Sasha.

-----Original Message-----
From: wanker [mailto:wanker@vyrus.net]
Sent: Thursday, September 13, 2001 1:15 PM
To: Ken Seitz
Cc: focus-ms@securityfocus.com
Subject: RE: NT4+IIS4 = spam problem?

Thanks:

Received: by mail2.netacc.net (mbox x) (with Cubic Circle's cucipop
 (v1.31 1998/05/13) Sun Sep 2 14:04:30 2001)
X-From_: j.bryan@znx33fh.com Sun Sep 2 11:31:57 2001
Return-Path: <j.bryan@znx33fh.com>
Received: from titanpdc.titansteel.com (mail.titansteel.com
 [151.196.180.2]) by mail1.netacc.net (8.10.2/8.10.2) with ESMTP id
 f82FVu035119; Sun, 2 Sep 2001 11:31:56 -0400 (EDT)
Received: from localhost (host.onmynetwork.com [xxx.xxx.xxx.xxx]) by
 titanpdc.titansteel.com with SMTP (Microsoft Exchange Internet Mail
 Service Version 5.5.2653.13) id RND6DNWM; Sun, 2 Sep 2001 11:23:25 -0400
MIME-Version: 1.0
X-Mailer: Smartcode ObjectSet 1.0
From: <j.bryan@znx33fh.com>
Subject: Summer Software Special
Date: Sun, 02 Sep 2001 08:41:21
To: x
Content-Type: multipart/mixed;
 boundary="=PMail:=_29fd@@MEyp9L8Z2e0yti76otQ"
Content-Transfer-Encoding: 8bit
Message-ID: <200102090841210.0k6jgit@tyz2wodzercik7j>

On Thu, 13 Sep 2001, Ken Seitz wrote:

> Can you post a copy of the e-mail headers? It is difficult to diagnose
> without the full picture...
>
> Regards,
> Ken Seitz
> ken@intangible.net
>
> -----Original Message-----
> From: wanker [mailto:wanker@vyrus.net]
> Sent: Wednesday, September 12, 2001 8:55 PM
> To: focus-ms@securityfocus.com
> Subject: NT4+IIS4 = spam problem?
>
>
> Greetings,
>
> I would like to ask the assistance of anyone on the list that can assist
> me in solving an issue regarding spam emanating from an NT+IIS4
> server on my network. Please let me know if this question should be
> directed to a different list.
>
> Details:
>
> NT4 server running IIS4.
> All pertinent patches applied.
> Approx 60 virtual hosts running on the server.
> port 25 blocked to the host IP at the router.
>
> Issue:
>
> Spam originating from this server. Headers indicate the spam originates
> from the server IP (not any of the virtual hosts).
>
> I have scanned the vhosts on the server for any cgi's that might allow
> relay (i.e. formmail) and have not found anything. I have checked the log
> files/event viewer and have not found any definitive corresponding
> evidence regarding the origin of the spam (other than the starting and
> stopping of the smtp services). I am more than likely missing something
> very easy to spot but am drawing a blank.
>
> Any suggestions on tracking this issue down? (all suggestions welcome,
> no matter how simple they may seem ;^)
>
> Thanks in advance.
>
> - wanker
>
>
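
Added example, not part of the thread: reading the Received chain of the posted headers oldest-first shows which host handed the message to which relay, along with the X-Mailer string discussed above. It assumes the "from HELO (rDNS [IP]) by HOST" layout seen in those headers; the function names are illustrative, and the sample is constructed from the posted headers with the IP still masked as in the post.

```python
import re
from email import message_from_string

# Constructed sample: an excerpt of the headers posted in the thread, one
# field per line. The origin IP was masked in the post and stays masked here.
SAMPLE = """\
Received: by mail2.netacc.net (mbox x) (with Cubic Circle's cucipop (v1.31 1998/05/13) Sun Sep 2 14:04:30 2001)
Return-Path: <j.bryan@znx33fh.com>
Received: from titanpdc.titansteel.com (mail.titansteel.com [151.196.180.2]) by mail1.netacc.net (8.10.2/8.10.2) with ESMTP id f82FVu035119; Sun, 2 Sep 2001 11:31:56 -0400 (EDT)
Received: from localhost (host.onmynetwork.com [xxx.xxx.xxx.xxx]) by titanpdc.titansteel.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id RND6DNWM; Sun, 2 Sep 2001 11:23:25 -0400
MIME-Version: 1.0
X-Mailer: Smartcode ObjectSet 1.0
From: <j.bryan@znx33fh.com>
Subject: Summer Software Special

"""

# Assumed hop layout: from <HELO name> (<reverse DNS> [<IP>]) by <receiver>
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)", re.S)

def trace(raw):
    """Return (hops oldest-first, X-Mailer value).

    Each relay prepends its Received line, so the last one in the message
    is the oldest. Lines without a 'from' part (local delivery) are skipped.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(value)
        if m:
            hops.append(m.groupdict())
    return hops, msg.get("X-Mailer")

def first_relay(raw):
    """Summarise the oldest hop: who submitted the message, and to whom."""
    hops, mailer = trace(raw)
    origin = hops[0]
    return {"sender": origin["rdns"], "sender_ip": origin["ip"],
            "claimed_helo": origin["helo"], "relay": origin["by"],
            "x_mailer": mailer}

if __name__ == "__main__":
    for key, value in first_relay(SAMPLE).items():
        print(f"{key:13} {value}")
```

The oldest hop is an SMTP hand-off from the masked host to a third-party mail server, which is the kind of connection the outbound port 25 rule suggested at the top of the thread targets.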
