Solved

Port 25 connections

Posted on 2003-10-21
Last Modified: 2010-03-05
When an email server connects to port 25 to deliver mail, the Exchange 5.5 server then reassigns the connection to a different port to continue the conversation, is this correct? I have run a Netstat /an for anyone to look at and maybe give me an idea of what is going on. If someone could explain exactly which ports I should see on each side of the conversation, Foreign vs. local address. Should all these ports be listening on my Exchange server? I have NT4.0 with Exchange 5.5.
Thanks a million



Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1563           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1810           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2061           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2062           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2064           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2086           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2087           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2088           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2089           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2107           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2108           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2109           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2110           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2112           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2113           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2122           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2123           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2124           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2125           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2126           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2127           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2137           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2138           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2141           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2142           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2143           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2145           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2360           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2412           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2514           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2533           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2553           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2560           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2565           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2568           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2572           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2576           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2578           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2582           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2586           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2591           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2594           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2597           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2598           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2603           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2605           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2607           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         127.0.0.1:1027         ESTABLISHED
  TCP    127.0.0.1:1027         127.0.0.1:1026         ESTABLISHED
  TCP    127.0.0.1:2024         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2060         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2060         127.0.0.1:2063         ESTABLISHED
  TCP    127.0.0.1:2063         127.0.0.1:2060         ESTABLISHED
  TCP    127.0.0.1:2085         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2085         127.0.0.1:2088         ESTABLISHED
  TCP    127.0.0.1:2088         127.0.0.1:2085         ESTABLISHED
  TCP    127.0.0.1:2106         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2106         127.0.0.1:2109         ESTABLISHED
  TCP    127.0.0.1:2109         127.0.0.1:2106         ESTABLISHED
  TCP    127.0.0.1:2121         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2121         127.0.0.1:2124         ESTABLISHED
  TCP    127.0.0.1:2124         127.0.0.1:2121         ESTABLISHED
  TCP    127.0.0.1:2140         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:2140         127.0.0.1:2143         ESTABLISHED
  TCP    127.0.0.1:2143         127.0.0.1:2140         ESTABLISHED
  TCP    192.168.1.26:25        66.150.235.115:17480   TIME_WAIT
  TCP    192.168.1.26:25        204.42.44.141:44867    ESTABLISHED
  TCP    192.168.1.26:25        208.35.152.17:60674    TIME_WAIT
  TCP    192.168.1.26:25        216.218.210.201:59883  TIME_WAIT
  TCP    192.168.1.26:137       0.0.0.0:0              LISTENING
  TCP    192.168.1.26:138       0.0.0.0:0              LISTENING
  TCP    192.168.1.26:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.26:636       0.0.0.0:0              LISTENING
  TCP    192.168.1.26:993       0.0.0.0:0              LISTENING
  TCP    192.168.1.26:995       0.0.0.0:0              LISTENING
  TCP    192.168.1.26:1563      65.218.138.108:25      CLOSING
  TCP    192.168.1.26:1810      216.91.17.67:25        CLOSING
  TCP    192.168.1.26:2086      192.168.1.54:1318      ESTABLISHED
  TCP    192.168.1.26:2086      192.168.1.54:1325      ESTABLISHED
  TCP    192.168.1.26:2107      192.168.1.54:1322      ESTABLISHED
  TCP    192.168.1.26:2107      192.168.1.54:1329      ESTABLISHED
  TCP    192.168.1.26:2163      64.12.138.120:25       TIME_WAIT
  TCP    192.168.1.26:2218      65.54.252.99:25        TIME_WAIT
  TCP    192.168.1.26:2255      64.12.138.57:25        TIME_WAIT
  TCP    192.168.1.26:2259      66.111.232.40:25       TIME_WAIT
  TCP    192.168.1.26:2288      204.127.134.23:25      TIME_WAIT
  TCP    192.168.1.26:2307      64.12.137.121:25       TIME_WAIT
  TCP    192.168.1.26:2360      65.54.254.140:25       SYN_SENT
  TCP    192.168.1.26:2370      204.127.134.23:25      TIME_WAIT
  TCP    192.168.1.26:2412      65.54.254.140:25       SYN_SENT
  TCP    192.168.1.26:2427      205.152.59.33:25       TIME_WAIT
  TCP    192.168.1.26:2449      12.102.240.23:25       TIME_WAIT
  TCP    192.168.1.26:2514      64.12.138.57:25        SYN_SENT
  UDP    0.0.0.0:135            *:*                    
  UDP    0.0.0.0:2062           *:*                    
  UDP    0.0.0.0:2087           *:*                    
  UDP    0.0.0.0:2108           *:*                    
  UDP    0.0.0.0:2112           *:*                    
  UDP    0.0.0.0:2113           *:*                    
  UDP    0.0.0.0:2123           *:*                    
  UDP    0.0.0.0:2126           *:*                    
  UDP    0.0.0.0:2127           *:*                    
  UDP    0.0.0.0:2137           *:*                    
  UDP    0.0.0.0:2138           *:*                    
  UDP    0.0.0.0:2142           *:*                    
  UDP    127.0.0.1:2024         *:*                    
  UDP    192.168.1.26:137       *:*                    
  UDP    192.168.1.26:138       *:*                    
Question by:Premiernc
7 Comments
 
LVL 1

Author Comment

by:Premiernc
ID: 9591318
p.s. This has been going on for a week or so now, the queues fill up to 30,000+ messages in less than an hour or so. Some have said this is a harvest attack, but my system should not be producing NDRs in response to a 550 relaying prohibited error. It seems somewhere along the line there is a compromised account being used, but as far as I can see, there is no way of seeing the account info being used to authenticate, even with logging SMTP events at maximum. I did get hit by the Swen virus yesterday. I cleaned it up successfully, however, it could have dropped its own rogue SMTP server widget. How in NT4.0 can I see if there is something else running on my system listening on port 25? The services area doesn't show anything out of the ordinary and Fport does not run on NT4.0.
Thanks again
 
LVL 4

Expert Comment

by:subsoniq
ID: 9592225
no, SMTP connections stay on port 25.  All those other listening ports are not related to SMTP.  I use a freeware tool called Active Ports to see what processes are listening on what ports, you can find it here: http://www.protect-me.com/freeware.html.
 
LVL 1

Author Comment

by:Premiernc
ID: 9592499
Should I see port 25 on the local port side or the foreign side?
 
LVL 4

Expert Comment

by:subsoniq
ID: 9592667
local, although if you're sending mail you'll see it on the foreign side, that will be the server you're sending mail to.
 
LVL 12

Expert Comment

by:mburdick
ID: 9596075
The machine that is receiving the message will always be using port 25 as this is the well-known port for SMTP e-mail. The remote machine will be using a random high port (above 1023).

netstat -na will show you all connections, but do this instead: (netstat -na | findstr /c:":25") This command will show you all connections that use port 25 (and maybe a couple of others). If the port 25 shows in the left column, that's a connection where you're receiving mail. If it shows in the right column, you're sending mail.

As for all of the other ports, they're "normal". The description you gave about moving ports is accurate with respect to the way the Outlook client connects to the Information store. However, port 25 is never used as part of this communication.
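The left-column/right-column rule above can be applied mechanically to the listing in the question. The following is an added example, not code from the thread or from any tool named in it; it parses a constructed excerpt of that NT4 netstat output (addresses copied from the question), splits port-25 rows into inbound (local :25) and outbound (foreign :25) sessions, and counts outbound sessions per state, which is the quickest way to see the outbound flood behind a 30,000-message queue.

```python
import re
from collections import Counter

# Constructed sample in the shape of the "netstat -an" output quoted in the
# question; the addresses are taken from that listing.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    192.168.1.26:25        204.42.44.141:44867    ESTABLISHED
  TCP    192.168.1.26:25        66.150.235.115:17480   TIME_WAIT
  TCP    192.168.1.26:2163      64.12.138.120:25       TIME_WAIT
  TCP    192.168.1.26:2360      65.54.254.140:25       SYN_SENT
  TCP    192.168.1.26:2412      65.54.254.140:25       SYN_SENT
  TCP    192.168.1.26:139       0.0.0.0:0              LISTENING
  UDP    192.168.1.26:137       *:*
"""

# proto, local addr:port, foreign addr:port, optional state (UDP rows have none)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of (proto, laddr, lport, faddr, fport, state) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:          # header lines and blanks are skipped
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        rows.append((proto, laddr, int(lport), faddr, fport, state))
    return rows


def classify_smtp(rows):
    """Inbound = port 25 on the local side (we receive); outbound = port 25 on
    the foreign side (we send). Listeners on :25 are reported separately."""
    result = {"listening": [], "inbound": [], "outbound": []}
    for proto, laddr, lport, faddr, fport, state in rows:
        if proto != "TCP":
            continue
        if lport == 25 and state == "LISTENING":
            result["listening"].append(laddr)
        elif lport == 25:
            result["inbound"].append((faddr, state))
        elif fport == "25":
            result["outbound"].append((faddr, state))
    return result


def outbound_summary(classified):
    """Count outbound SMTP sessions per TCP state; many SYN_SENT/TIME_WAIT
    rows towards foreign MXs is the footprint of a relay or NDR flood."""
    return Counter(state for _, state in classified["outbound"])
```

Run it against a saved `netstat -an` dump instead of the sample to get the same inbound/outbound split for the whole listing.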
 
LVL 16

Accepted Solution

by:_nn_ earned 500 total points
ID: 9597610
Hi Premiernc,

I took a bit of time to look at your question history and it seems that this problem has been bugging you for a long time. I've also noticed that you've got some knowledge of the SMTP and related protocols. Since you apparently can't debug the sessions with the builtin logging tools of Exchange, I would propose that you get one level down and proceed to do some network sniffing, in order to be able to actually "see" what's happening. Well, that's one of the things I'd do if I were in your shoes, there are possibly other methods.

Since your server gets rapidly hit, it's probably not reasonable to sniff directly on the server and I think the best solution would consist in using a hub (not a switch, so that network traffic can be sniffed) and putting the Exchange server together with another machine on it. I assume you'll be using Windows-based boxes, so I propose that you install Ethereal (download at http://www.ethereal.com and if necessary, also get WinPcap at http://winpcap.polito.it) on this second box. Start a capture session with a filter set to "tcp port 25". Considering the current state, you'll probably see a flood of packets. Wait a bit and stop recording. In the presented listing, select one packet (one involving 192.168.1.26:smtp on one side and a "suspicious" IP address on the other side) and choose "Follow TCP stream". Hopefully, it'll show you how these mails are coming through the defenses.

As for knowing which applications have ports opened on the server, use this tool :
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Hope it'll help.
 
LVL 1

Author Comment

by:Premiernc
ID: 9601566
I have TCPview and it works great. What is "system2" in the left hand column? I did run the TCPview and all the listening ports belong to Exchange. I did make a routing security change in Exchange that seemed to help. I changed the routing restrictions page in the IMC to say "only users with these IP addresses" and unchecked users who authenticate. This works fine for the private addresses in house, I just put in 192.168.1.0 and the mask of 255.255.255.0 and it worked as a range of IPs. However, even when I put in the public IP of an outside machine with the correct mask, it does not let me relay. This could be a good solution if this setting actually works properly.