What is the purpose of an SMTP VRFY Scanner? - windows

I need some assistance with these types of scanners; there seem to be many of them on the web, but I can't seem to find specific details of what they are meant to achieve.
I understand that they communicate on the SMTP port, but I am not certain what type of information they are trying to get.
The reason I ask is that I am currently investigating an SMTP VRFY scanner. I have pointed the scanner at a Windows XP system, but it states:
Waiting for SMTP banner
220 testing221 Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Sun, 27 Sep 2015 19:04:44 +0100
testing221 corresponds to the domain on the SMTP virtual server on the XP system.

The SMTP VRFY command is intended to allow a sender to verify the correctness of an email address without actually sending an email.
This feature was abused by spammers very early on. As a result, most SMTP servers are configured to ignore the command.
They are effectively useless for the public internet these days. You will find very few, if any, domains configured to support the command.
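The exchange the answer describes, as an added example that is not part of the original question or answer: a small Python probe that reads the banner, greets the server, sends VRFY and maps the reply code to a verdict. The replay transcript is constructed (the banner line is the one quoted in the question; the other server lines and the helo name probe.example are made up for the illustration). probe_host() talks to a real server and should only be pointed at hosts you are authorised to test; replay() runs the same logic offline.

```python
import io
import socket

# What each reply code to VRFY means (RFC 5321, sections 3.5.1 and 4.2.2).
VRFY_VERDICTS = {
    "250": "exists",
    "251": "exists, not local (server will forward)",
    "252": "unverifiable (server will not confirm; VRFY effectively disabled)",
    "550": "no such user",
    "551": "not local (server names another host)",
    "553": "mailbox name not allowed",
    "500": "command unrecognised",
    "502": "VRFY not implemented",
    "503": "bad sequence of commands",
}


def read_reply(rfile):
    """Read one SMTP reply; continuation lines carry 'NNN-' instead of 'NNN '."""
    code, lines = None, []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection mid-reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        code = line[:3]
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return code, lines


def send_command(wfile, command):
    wfile.write(command.encode("ascii") + b"\r\n")
    wfile.flush()


def vrfy_probe(rfile, wfile, user, helo_name="probe.example"):
    """Banner -> EHLO (HELO fallback) -> VRFY -> QUIT over already-open byte streams."""
    code, banner = read_reply(rfile)
    result = {"banner": banner[0], "code": code, "text": "", "verdict": "session refused"}
    if code != "220":
        return result
    send_command(wfile, f"EHLO {helo_name}")
    code, _ = read_reply(rfile)
    if code != "250":  # pre-ESMTP server: retry with HELO
        send_command(wfile, f"HELO {helo_name}")
        code, _ = read_reply(rfile)
        if code != "250":
            return dict(result, code=code, verdict="greeting rejected")
    send_command(wfile, f"VRFY {user}")
    code, text = read_reply(rfile)
    send_command(wfile, "QUIT")
    return dict(result, code=code, text=" ".join(text),
                verdict=VRFY_VERDICTS.get(code, "unexpected reply"))


def probe_host(host, user, port=25, timeout=10):
    """Probe a live server. Needs network and authorisation; not used by the replay below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return vrfy_probe(rfile, wfile, user)


def replay(server_lines, user):
    """Run the probe against a scripted server transcript; returns (result, bytes the probe sent)."""
    rfile = io.BytesIO("".join(line + "\r\n" for line in server_lines).encode("ascii"))
    wfile = io.BytesIO()
    return vrfy_probe(rfile, wfile, user), wfile.getvalue()


# Constructed transcript: the banner is the one quoted in the question; the remaining
# lines are made up to show what a server with VRFY disabled typically answers.
DISABLED_SERVER = [
    "220 testing221 Microsoft ESMTP MAIL Service, Version: 6.0.2600.2180 ready at Sun, 27 Sep 2015 19:04:44 +0100",
    "250-testing221 Hello [192.0.2.10]",
    "250 SIZE 2097152",
    "252 2.1.5 Cannot VRFY user, but will take message for <alice@testing221>",
    "221 2.0.0 testing221 Service closing transmission channel",
]

if __name__ == "__main__":
    result, sent = replay(DISABLED_SERVER, "alice")
    print(sent.decode("ascii"), end="")
    print(result["code"], result["verdict"])
```

A 252 is the usual signature of a server that has the command disabled rather than unimplemented: the address is neither confirmed nor denied. Note what the scanner still learns even then: the banner in the question discloses the product and exact version string before any command is sent, which is the information such scanners collect alongside the VRFY result.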

Related

IIS log entry for a OWA/ActiveSync/Outlook client successful logon

I am researching how to find the exact entry in the IIS logs when a user logs in to on-prem Exchange using OWA/ActiveSync/Outlook client, for monitoring purposes.
Can somebody help, or point me to the right source to get this information?
For example, for OWA, should I be looking for /owa in the URI, but what else should I be looking at to get the successful login entry?
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2018-10-24 00:19:19
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken x-forwarded-for
2018-10-26 00:13:46 10.0.0.1 GET /owa/ layout=mouse&CorrelationID=<empty>;&ClientId=YQLYPNOFKSDKWPEHODWG&cafeReqId=d74215fd-b921-4e6b-9826-3af8bf29e4ba; 443 john.doe@example.com 8.8.8.8 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 - 200 0 0 62 114.41.44.77
2018-10-26 00:13:47 0.0.0.1 POST /Microsoft-Server-ActiveSync/default.eas User=john.doe@example.com&DeviceId=PATM1AFVF52GBCM8U028IBAGNK&DeviceType=iPhone&Cmd=Sync&CorrelationID=<empty>;&ClientId=0DWZQBEIPKLJLMMGW&cafeReqId=9dcd908d-6404-4bbb-ae07-0ea969dd6fc6; 443 john.doe@example.com 8.8.8.8 Apple-iPhone9C4/1601.404 - 200 0 0 62 114.41.44.77
You don't say if this is O365 or on-prem, or whether you configured EAS endpoints to be located by Autodiscover, or whether you have other EAS controls/attributes in place, like DeviceID, MDM, etc.
As Lex Li points out, start with Fiddler. It is like Wireshark for web apps. Even if you do not know the initial item you are after, the results from the Fiddler trace are filterable by strings.
Meaning, you can just search for your OWA URL or a username/alias, device identity (if you are using that), EAS session information, etc. From there you take a look at the IIS logs and app logs for correlation data for what Fiddler gives you.
You can turn on EAS mailbox logging as well.
Set-CASMailbox alias -ActiveSyncDebugLogging:$true
Exchange ActiveSync (EAS) mailbox logs are protocol-level logs that show the traffic between Exchange and the EAS device. This is assuming, of course, that the device actually connects, gets past IIS, and into Exchange code. When troubleshooting EAS issues, this is often the most useful piece of information. Gathering these logs can be quick if you use PowerShell to do so, versus gathering them via ECP.
See also:
Export-ActiveSyncLog
This cmdlet is available only in on-premises Exchange.
Use the Export-ActiveSyncLog cmdlet to parse the Internet Information Services (IIS) logs and return information about Microsoft Exchange ActiveSync usage, either on the screen or in an output file.
Update per the OP's response
OK, I missed your On-prem statement.
As for the URL, it's whatever you published. The default is /owa, but of course that can be changed. So, look for the DNS or Exchange entry for your OWA internal/external URL. From your reverse proxy you should be able to get attempts to hit the OWA URL by users.
If you lean toward the logging approach (Exchange version and where these can be set is important), then you can turn on logging for the Directory Service (DS) and Information Store (IS) services, then look for the kinds of events OWA generates. You'll see six or seven events logged each time an OWA user logs on. You'll typically see event IDs 1170, 1136, 1137, 1007, and 1009, and you might see more than one of each. These events will tell you who logged on and when.
To automate a simulated user OWA logon, use this script...
PowerShell Script to Simulate Outlook Web Access URL User Logon
… monitoring that execution in real time.
Similar approaches exist for EAS as well. Beyond that you need a third-party solution, and there are several of those out there, for example Exoprise or ManageEngine.
Remember, anything that requires a logon will show up in the Security event logs as success/failure events.
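To turn the answer's advice about the IIS logs into something that can run over a log file, here is an added example (written for this page; not from the thread and not Microsoft's code): a Python parser for the W3C extended format that keeps only requests to /owa and /Microsoft-Server-ActiveSync that IIS answered 200 with cs-username filled in, which is the point at which the request has passed IIS authentication. The sample log embedded in it is constructed: the two authenticated lines are the ones from the question, with '@' restored, plus a made-up 401 challenge line that a logon search must skip. The field names, the x-forwarded-for column and the endpoint prefixes come from the question's own #Fields line and URIs.

```python
import urllib.parse

# Constructed W3C extended log excerpt. The two authenticated lines are the ones quoted
# in the question (with '@' restored); the 401 line is a made-up pre-authentication
# challenge that a logon search must ignore.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2018-10-24 00:19:19
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken x-forwarded-for
2018-10-26 00:13:45 10.0.0.1 GET /owa/ - 443 - 8.8.8.8 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 - 401 2 5 0 114.41.44.77
2018-10-26 00:13:46 10.0.0.1 GET /owa/ layout=mouse&CorrelationID=<empty>;&ClientId=YQLYPNOFKSDKWPEHODWG&cafeReqId=d74215fd-b921-4e6b-9826-3af8bf29e4ba; 443 john.doe@example.com 8.8.8.8 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/69.0.3497.100+Safari/537.36 - 200 0 0 62 114.41.44.77
2018-10-26 00:13:47 10.0.0.1 POST /Microsoft-Server-ActiveSync/default.eas User=john.doe@example.com&DeviceId=PATM1AFVF52GBCM8U028IBAGNK&DeviceType=iPhone&Cmd=Sync&CorrelationID=<empty>;&ClientId=0DWZQBEIPKLJLMMGW&cafeReqId=9dcd908d-6404-4bbb-ae07-0ea969dd6fc6; 443 john.doe@example.com 8.8.8.8 Apple-iPhone9C4/1601.404 - 200 0 0 62 114.41.44.77
"""

# URI prefixes (compared lower-cased) for the two client protocols the question asks about.
ENDPOINTS = {"/owa": "OWA", "/microsoft-server-activesync": "EAS"}


def parse_iis_log(text):
    """Turn a W3C extended log into dicts keyed by the names in the #Fields directive."""
    fields, records = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or foreign line: do not guess at its columns
        records.append(dict(zip(fields, values)))
    return records


def endpoint_for(stem):
    stem = stem.lower()
    for prefix, name in ENDPOINTS.items():
        if stem.startswith(prefix):
            return name
    return None


def authenticated_hits(records):
    """Keep OWA/EAS requests that IIS served (200) to an authenticated (cs-username set) user."""
    hits = []
    for rec in records:
        endpoint = endpoint_for(rec["cs-uri-stem"])
        if endpoint is None or rec["sc-status"] != "200" or rec["cs-username"] == "-":
            continue
        query = urllib.parse.parse_qs(rec["cs-uri-query"]) if rec["cs-uri-query"] != "-" else {}
        xff = rec.get("x-forwarded-for", "-")
        hits.append({
            "when": f"{rec['date']} {rec['time']}",
            "endpoint": endpoint,
            "user": urllib.parse.unquote(rec["cs-username"]),
            "client_ip": xff if xff != "-" else rec["c-ip"],  # real client when behind a proxy
            "device_type": query.get("DeviceType", ["-"])[0],
            "device_id": query.get("DeviceId", ["-"])[0],
            "command": query.get("Cmd", ["-"])[0],
            "user_agent": rec["cs(User-Agent)"].replace("+", " "),
        })
    return hits


def first_seen_per_user(hits):
    """Collapse the stream to the earliest authenticated hit per (user, endpoint)."""
    first = {}
    for hit in hits:
        first.setdefault((hit["user"], hit["endpoint"]), hit)
    return first


if __name__ == "__main__":
    for hit in authenticated_hits(parse_iis_log(SAMPLE_LOG)):
        print(f"{hit['when']} {hit['endpoint']:3} {hit['user']} from {hit['client_ip']} "
              f"device={hit['device_type']} cmd={hit['command']}")
```

Two caveats for using this as a monitor. IIS writes log entries through a buffer that is flushed periodically rather than per request, so entries trail the request rather than appearing in real time. And with forms-based OWA the credential POST itself (to /owa/auth.owa) is anonymous at IIS level, so the first later 200 with cs-username filled in is the practical logon marker, not the POST. The Security log entries the answer mentions are the 4624 (success) and 4625 (failure) logon events on the server that validated the credentials.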

Is there ms Windows tcp/udp/icmp traceroute implementation without admin rights required?

I was trying to find a traceroute implementation for MS Windows that can be used by a regular user (with no admin rights) and I could not find any. Those I could find (like tracetcp or nmap) require the PCAP library, and in order to install WinPcap I think administrator rights are required.
I don't know much about Windows internals, but I'm wondering what the 'magic' behind it is. If tracert, shipped by MS with the Windows OS, works fine for a regular user (but it can use ICMP only), then is there any issue (technical limitation) with a regular user setting the TTL on a TCP/UDP packet and receiving the respective response on the socket, such as:
ICMP: TTL expired in transit
UDP: port unreachable
and probably a few others (like TCP RST, ICMP host unreachable, etc.)?
So basically:
if there is no issue, why is there no reasonable traceroute implementation for Windows?
if there is a technical limitation for TCP/UDP, then why does the original MS ICMP traceroute work fine for non-admin users?
I know that the most popular Linux traceroute with the -T option (for using SYN probes) requires root privileges too, but I'm assuming it's just because it does not want to complete the full TCP handshake, and sending RST after receiving SYN-ACK may be restricted to root. Anyway, as long as the TTL can be set by a regular user (for UDP it seems to work fine), then I would imagine a TCP traceroute completing the full TCP handshake should be possible to implement for non-root Linux users?
And by the way, ICMP traceroute also needs admin rights because of using raw sockets, but surprisingly for Windows it does not seem to be an issue.
Sadly, the simple answer to your question is "no, there is no native way to do that on a Windows box".
I am a bit unsure about your specific use case, but one route to go is to evaluate whether PowerShell has more functionality to help you out. Jose Baretto from Microsoft wrote an article about PowerShell equivalents for common networking commands. You can find it here:
https://blogs.technet.microsoft.com/josebda/2015/04/18/windows-powershell-equivalents-for-common-networking-commands-ipconfig-ping-nslookup/
Failing that, your only option is (as you mention yourself) third-party tools, and you'll be hard pressed to find one that doesn't require elevated privileges.
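As an added illustration of the question's premise (written for this page, not part of the thread), the Python below separates the two halves of a traceroute. Setting the IP TTL on an ordinary UDP or TCP socket needs no privilege on Windows, Linux or macOS, and the code confirms the stack accepted each hop's value. Opening the raw ICMP socket needed to read the "time exceeded" replies from intermediate routers is the step that fails for a regular user. Linux additionally exposes those ICMP errors to an unprivileged UDP socket through the IP_RECVERR error queue, which is how an unprivileged UDP traceroute is possible there; Windows offers no unprivileged equivalent, which is consistent with the answer's conclusion and with the third-party tools falling back to WinPcap.

```python
import socket


def make_probe_socket(proto, ttl):
    """Open an ordinary (not raw) IPv4 socket and set the TTL its probes will carry."""
    kind = {"udp": socket.SOCK_DGRAM, "tcp": socket.SOCK_STREAM}[proto]
    sock = socket.socket(socket.AF_INET, kind)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_TTL, ttl)  # no privilege needed
    return sock


def effective_ttl(sock):
    """Read back what the stack will actually stamp on outgoing packets."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_TTL)


def ttl_sweep(proto, max_hops=4):
    """The per-hop part of a traceroute: one socket per TTL, confirming each value stuck."""
    accepted = {}
    for ttl in range(1, max_hops + 1):
        sock = make_probe_socket(proto, ttl)
        try:
            accepted[ttl] = effective_ttl(sock)
        finally:
            sock.close()
    return accepted


def raw_icmp_socket_allowed():
    """The other half: a raw ICMP socket to read 'time exceeded' from intermediate hops.
    This is the call that needs admin/root; an ordinary user gets PermissionError."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP)
    except PermissionError:
        return False
    except OSError:  # raw sockets unsupported or otherwise refused on this host
        return False
    sock.close()
    return True


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, "TTLs accepted:", ttl_sweep(proto))
    print("raw ICMP socket available to this user:", raw_icmp_socket_allowed())
```

Run as a regular user, the sweep succeeds for both protocols and the raw-socket check reports False; run elevated, it reports True. That is the whole difference: the limitation is not setting the TTL, it is receiving the ICMP error that tells you which hop expired it.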

Exchange 2003 - Send email to a specific external server error

I am using a Small Business Server 2003 with Microsoft Exchange 2003! Both of them are fully updated to their newest versions! However, I am having a problem! When I try to send an email from a PC in our domain (using Outlook) to a specific external server, it doesn't arrive and I get this error message:
Your message did not reach some or all of the intended recipients.
Subject: test
Sent: 2/6/2015 10:17
The following recipients cannot be reached:
info@kekdei.gr on 2/6/2015 10:16
The recipient could not be processed because it would violate the security policy in force <ipa237.225.tellas.gr #5.7.0 smtp;550 5.7.0 550 Your server IP address [my address] does not have a valid reverse DNS entry [ipa237.225.tellas.gr].
I tried to send an email to that address using Hotmail and it reached the destination! Any ideas?
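The 550 in that bounce is the receiving side's reverse DNS check rejecting the sending IP. As an added example (written for this page, not part of the original question), the Python below performs the same forward-confirmed reverse DNS (FCrDNS) check a receiving server does: look up the PTR for the IP, then resolve that name forward and require the original IP among the answers. The resolver maps using 203.0.113.x addresses and the example.test names are constructed so the check runs offline; calling check_fcrdns() with its defaults uses the live system resolver against any IP you give it.

```python
import ipaddress
import socket


def live_ptr(ip):
    """PTR lookup via the system resolver; None when the IP has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_forward(name):
    """Every IPv4 address the PTR name resolves to (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_fcrdns(ip, ptr_lookup=live_ptr, forward_lookup=live_forward):
    """Forward-confirmed reverse DNS: IP -> PTR name -> A records must include the IP."""
    ip = str(ipaddress.ip_address(ip))  # normalise; raises ValueError on garbage
    name = ptr_lookup(ip)
    result = {"ip": ip, "ptr": name, "forward": set(), "ok": False}
    if name is None:
        result["reason"] = "no PTR record for the sending IP"
        return result
    result["forward"] = forward_lookup(name)
    if ip not in result["forward"]:
        result["reason"] = "PTR name does not resolve back to the sending IP"
        return result
    result["ok"] = True
    result["reason"] = "forward-confirmed"
    return result


# Constructed resolver data (RFC 5737 documentation addresses) so the check runs offline.
FAKE_PTR = {
    "203.0.113.10": "mail.example.test",         # proper mail host
    "203.0.113.12": "host12.pool.example.test",  # PTR exists but points elsewhere
    # 203.0.113.11 deliberately has no PTR at all
}
FAKE_FORWARD = {
    "mail.example.test": {"203.0.113.10"},
    "host12.pool.example.test": {"198.51.100.7"},
}


def check_offline(ip):
    """Same check, answered from the constructed maps instead of real DNS."""
    return check_fcrdns(ip, ptr_lookup=FAKE_PTR.get,
                        forward_lookup=lambda name: FAKE_FORWARD.get(name, set()))


if __name__ == "__main__":
    for probe in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        r = check_offline(probe)
        print(f"{probe:14} ptr={str(r['ptr']):28} ok={r['ok']}  {r['reason']}")
```

Run against the public IP the SBS server sends from, the first two failure reasons are the ones that produce exactly the bounce above. Hotmail's outbound servers pass this check, which is why the same message got through from there. The PTR record for an address can only be published by whoever controls that address space, normally the ISP; until it exists, the alternative is to relay outbound mail through a smart host that has a valid one.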

Using RawCap to Sniff localhost on Windows XP, SP3

I am attempting to use RawCap to sniff Windows localhost. However, contrary to its billed ability to do so, it is not working. I am starting it as follows:
rawcap 127.0.0.1 echo.pcap
I then run a little echo TCP client/server test app I wrote. I use the client to send some data over 127.0.0.1, and it indeed gets printed on the server and sent back to the client, where it is also printed. However, the packet capture file is empty.
I am running under Windows XP, SP3.
Is anybody aware of any other steps I need to take to get this to work?
Additional information added on 7/20/2011: I contacted the company that produces RawCap, and they suggested making sure that I have administrator privilege, that I try sniffing ping 127.0.0.1, and that I try enabling telnet and sniffing telnet 127.0.0.1. I do indeed have administrator privilege, RawCap sees ping packets, but it did not see telnet packets. I also tried sniffing 127.0.0.1 on another machine, and I failed there also.
Best,
Dave
I've been in contact with the author of RawCap, and he indicated that I found a bug where Windows XP SP3 can't sniff TCP on localhost. He does not seem hopeful that he can fix it. If any more useful information comes along, I will, in an attempt to help the community, comment on this answer.

Set up local SMTP and POP3 for testing mail send and receive loop

I would like to have alternate SMTP and POP3 servers on my local machine, for testing code that sends mails and waits for a response, even when I'm offline. GPRS rates in SA are quite prohibitive, so I try and avoid them where possible. I would like to have a test SMTP address instead of my routine Google one, and that SMTP server must be able to send mail to my local POP3 server, where my mail client can retrieve that mail.
How can I go about this on Windows 7 Home Premium?
I'm assuming your program that sends email can specify the SMTP server address.
If so, then you need to install your own personal mail server and configure your program to use localhost (127.0.0.1) as your SMTP server. (When I say personal, I mean in the sense that you want something which does not have heavy system requirements.)
Years ago (before broadband and Gmail) I used SurgeMail (from http://netwinsite.com/surgemail/) on my home computer (it was free for up to 5 users).
But there are loads of others, for example http://www.hmailserver.com or Mercury/32 (from http://www.pmail.com/overviews/ovw_mercwin.htm).
You might think this is overkill, as these programs will probably do much more than you need, but I was surprised at how much they can do without needing a high-spec machine. (For example, I was probably running SurgeMail on a Pentium III with 1 GB of RAM.)
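Where the goal is only to exercise the code path that sends mail, the loop can also be closed without installing anything. This is an added example (written for this page; not from the thread and not from any of the products named above): a minimal SMTP receiver bound to 127.0.0.1 on a port the OS picks, plus a delivery to it with smtplib, the standard-library client, which is the "point your program at localhost" step the answer describes. The addresses under localhost.test and the message content are constructed. It covers the SMTP half only; retrieval by a mail client over POP3 still needs a real server such as those listed above.

```python
import email
import email.policy
import smtplib
import socket
import threading
from email.message import EmailMessage


def _address(arg):
    """'FROM:<a@b>' or 'TO:<a@b> OPTION' -> 'a@b'."""
    return arg.partition(":")[2].strip().split(" ")[0].strip("<>")


def _read_body(rfile):
    """Collect DATA lines up to the lone '.' terminator, undoing dot-stuffing."""
    chunks = []
    while True:
        line = rfile.readline()
        if not line or line in (b".\r\n", b".\n"):
            return b"".join(chunks)
        chunks.append(line[1:] if line.startswith(b"..") else line)


class LocalSmtpSink:
    """Just enough SMTP (HELO/EHLO, MAIL, RCPT, DATA, RSET, NOOP, QUIT) to accept
    mail from a client pointed at 127.0.0.1 and keep every message in memory."""

    def __init__(self, host="127.0.0.1", port=0):
        self.messages = []  # (sender, [recipients], raw message bytes)
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.bind((host, port))  # port 0: let the OS pick a free one
        self._listener.listen(5)
        self._listener.settimeout(0.2)  # lets the accept loop notice close()
        self.host, self.port = self._listener.getsockname()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self._listener.accept()
            except socket.timeout:
                continue
            with conn, conn.makefile("rb") as rfile:
                self._session(conn, rfile)
        self._listener.close()

    def _session(self, conn, rfile):
        reply = lambda text: conn.sendall(text.encode("ascii") + b"\r\n")
        reply("220 localhost test sink ready")
        sender, rcpts = None, []
        while True:
            raw = rfile.readline()
            if not raw:
                return  # client went away
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply("250 localhost")
            elif verb == "MAIL":
                sender = _address(arg)
                reply("250 OK")
            elif verb == "RCPT":
                rcpts.append(_address(arg))
                reply("250 OK")
            elif verb == "DATA" and rcpts:
                reply("354 End data with <CR><LF>.<CR><LF>")
                self.messages.append((sender, list(rcpts), _read_body(rfile)))
                sender, rcpts = None, []
                reply("250 OK queued")
            elif verb == "DATA":
                reply("503 Bad sequence: RCPT TO first")
            elif verb in ("RSET", "NOOP"):
                if verb == "RSET":
                    sender, rcpts = None, []
                reply("250 OK")
            elif verb == "QUIT":
                reply("221 Bye")
                return
            else:
                reply("502 Command not implemented")

    def close(self):
        self._stop.set()
        self._thread.join()


def send_and_collect(subject="loop test", body="hello from the offline loop"):
    """Deliver one message to a fresh sink through smtplib; return what the sink stored."""
    sink = LocalSmtpSink()
    try:
        msg = EmailMessage()
        msg["From"] = "sender@localhost.test"
        msg["To"] = "receiver@localhost.test"
        msg["Subject"] = subject
        msg.set_content(body)
        # local_hostname avoids smtplib's reverse lookup of this machine's own name
        with smtplib.SMTP(sink.host, sink.port, local_hostname="client.localhost.test", timeout=5) as client:
            client.send_message(msg)
    finally:
        sink.close()
    sender, rcpts, raw = sink.messages[0]
    return sender, rcpts, email.message_from_bytes(raw, policy=email.policy.default)


if __name__ == "__main__":
    sender, rcpts, parsed = send_and_collect()
    print(f"{sender} -> {rcpts}: {parsed['Subject']!r}")
```

Your own program would simply be configured with sink.host and sink.port as its SMTP server; the stored (sender, recipients, body) tuple is what the test for the "waits for a response" half can assert on, with no GPRS traffic involved.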
