In the last few days I am getting a TON of requests for port 25 (smtp) in my log files (cisco firewall).... I dont ahve an SMTP server... is there a way to see what name/whatever they are try to send through? I have to assume (unless they are doing it by IP) that they are using a domain name as a entry for the smtp server settings on their end... can I find out what that domain is, and if its one of mine I can do some adjusting and redirect them back to themselves by pointing that subdomain or domain back at them?
Maybe a SMTP port sniffer and see what they are trying to send through?
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
I would suggest setting up a mail server (its not hard - I recommend mercury given its not going to be running for long, and the logging screens on that package are useful for diagnostics).
once you find out what the "from" and "to" addresses are that it is attempting to send to, you can contact the "sender" and then remove the server again :)
http://www.pmail.com/overv
(any windows workstation will do to run it on, from win95 onwards :)
Yes, sorry for delay.
I opened the port and found out that somehow the dns servers were forwarding my web server as the email smtp to some domains that didnt have mail setup on them.
I then started the email server as suggested in DaveHowe's suggestion and found out the domains and created spf records and MX records to block them and everything is now fine.
It also worked for another problem where google kept asking for something at port 81 and we jsut opened a site on 81 and made the response a permanent move with location back to google... google never came back to port 81 :)
Thanks again guys, sorry for the delay.
Business Accounts
Answer for Membership
by: jahboitePosted on 2009-01-16 at 00:43:07ID: 23391142
In order to get the remote host to give away this information, you'd have to open up this port to a machine on your network that could fake an smtp server - at the very least you'd want to send a banner upon successful connection and then hope that the remote host offers up a domain name.
Why not just get the remote hosts IP address from the cisco logs/alerts and figure out who's doing what from there. You could start with a rDNS query and a Whois lookup which should give you enough information to work out whether it's one of yours.