ShoreTel Forums  

Old 09-01-2008, 10:17 AM   #1
Junior Member
 
Join Date: Jan 2008
Location: Los Angeles CA
Posts: 15
Port 25 trace for Win Server 2003

A week ago, we had an employee click on an email link that installed a trojan horse on her computer. That computer started spitting out spam through port 25 until I caught it. I have since blocked that port from forwarding outside our network. I have also added logging to note when a computer attempts to forward to an outside IP through 25.
About once an hour, I have noticed that the Shoretel VM machine is trying to contact the following IPs:
To 64.18.6.10 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.11 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.13 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.14 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 209.181.247.105 - 510 packets
Service: smtp (tcp/25) - 510 packets
Whois shows me that it is an email company called Postini, which is an email hosting service in Nor Cal.
My question: how can I find out the app that is responsible for sending this type of traffic out? I have looked through the event viewer (Win Server 2003) and it shows me that the SMTP event has failed (over and over) but does not list the offending app.
All that is running on the box is LogMeIn, RMS (call accounting software), and of course Shoretel VM.
Shutting off LogMeIn and RMS doesn't seem to affect the transmissions.
Thanks in advance.
Brad
BBateman is offline
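An added example, not from the thread, of the per-process attribution Brad is asking for: on Windows Server 2003 `netstat -ano` reports the PID that owns each TCP connection (including attempts still in SYN_SENT), and `tasklist /FI "PID eq N"` resolves that PID to an image name. The batch script below logs every connection whose remote port is 25 together with its owning process; the log path under %TEMP% is an assumption.

```batch
@echo off
setlocal EnableDelayedExpansion
rem Added example (not from the thread): attribute outbound TCP/25 traffic to the owning
rem process on Windows Server 2003 / XP. netstat -ano shows the PID; tasklist resolves it.
rem Run it from a scheduled task every few minutes: the hourly burst the firewall logged is
rem only visible while the attempt (SYN_SENT) or session (ESTABLISHED) is open.
set "LOG=%TEMP%\smtp-owners.log"
>>"%LOG%" echo === %DATE% %TIME% ===
rem Columns of netstat -ano -p tcp: Proto, Local Address, Foreign Address, State, PID
for /f "tokens=1-5" %%a in ('netstat -ano -p tcp ^| findstr /C:":25 "') do (
    set "remote=%%c"
    rem Keep only rows whose FOREIGN address ends in :25 (outbound SMTP); this skips the
    rem server's own port-25 listener and inbound sessions, which also contain ":25 ".
    if "!remote:~-3!"==":25" (
        set "owner="
        for /f "tokens=1,2 delims=," %%p in ('tasklist /FI "PID eq %%e" /FO CSV /NH') do (
            rem tasklist prints an INFO: line instead of a row when the PID has already exited
            if not "%%~p"=="INFO:" set "owner=%%~p"
        )
        >>"%LOG%" echo %%b to %%c  %%d  PID=%%e  image=!owner!
    )
)
type "%LOG%"
endlocal
```

Compare the image names it records against the services you expect to speak SMTP (the ShoreTel voicemail services, or an SMTP relay you configured); anything else owning port-25 connections to an outside host is what to investigate next.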
Old 09-01-2008, 12:45 PM   #2
Senior Member
 
Join Date: Jun 2008
Location: South Bay Area North of Monteray
Posts: 359

First
Are any of the IP addresses listed other Shoretel DVMs or remote Shoretel Servers on sites?
If so, then Shoretel communicates with each DVM, and DVM back to HQ, via SMTP port 25

If not
You can view the Vmail log file under \Shoreline Data\Logs
Search for the email addy; this will give you the ID of the user who may have this email addy set up
If you wish to do it in real time and create a script that parses the Vmail log:
From the command prompt, in \Shoreline Communication\Shoreline Server\, do
showlog vmail

This will show in real time what is going on; you can pipe that to another file and parse the info, like creating your own snoop script

Also, have you an Anti-Virus installed? You may want to install McAfee and run it; I personally do not like Symantec

Quote:
Originally Posted by BBateman View Post
A week ago, we had an employee click on an email link that installed a trojan horse on her computer. That computer started spitting out spam through port 25 until I caught it. I have since blocked that port from forwarding outside our network. I have also added logging to note when a computer attempts to forward to an outside IP through 25.
About once an hour, I have noticed that the Shoretel VM machine is trying to contact the following IPs:
To 64.18.6.10 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.11 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.13 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 64.18.6.14 - 300 packets
Service: smtp (tcp/25) - 300 packets
To 209.181.247.105 - 510 packets
Service: smtp (tcp/25) - 510 packets
Whois shows me that it is an email company called Postini, which is an email hosting service in Nor Cal.
My question: how can I find out the app that is responsible for sending this type of traffic out? I have looked through the event viewer (Win Server 2003) and it shows me that the SMTP event has failed (over and over) but does not list the offending app.
All that is running on the box is LogMeIn, RMS (call accounting software), and of course Shoretel VM.
Shutting off LogMeIn and RMS doesn't seem to affect the transmissions.
Thanks in advance.
Brad
__________________
ShoreTel Certified, Applications Specialist, Precision for Hire
Precision VOIP Architects 15% off Ask me how
SportCityRider.com A new kind of Rider Forum

Last edited by Jlorenz; 09-01-2008 at 12:50 PM.
Jlorenz is offline
Old 09-01-2008, 03:11 PM   #3
Junior Member
 
Join Date: Jan 2008
Location: Los Angeles CA
Posts: 15

No... no other DVMs although it is interesting that multiple DVMs use 25.
I will check out the Vmail log. Did not know that even existed.
Great info...thanks
I was thinking of intercepting that traffic and redirect it to my own email just to determine what is being transmitted. We use RedHat and could do a one line iptables script. I expect to find out that ST is not the culprit.
Quote:
Originally Posted by Jlorenz View Post
First
Are any of the IP addresses listed other Shoretel DVMs or remote Shoretel Servers on sites?
If so, then Shoretel communicates with each DVM, and DVM back to HQ, via SMTP port 25

If not
You can view the Vmail log file under \Shoreline Data\Logs
Search for the email addy; this will give you the ID of the user who may have this email addy set up
If you wish to do it in real time and create a script that parses the Vmail log:
From the command prompt, in \Shoreline Communication\Shoreline Server\, do
showlog vmail

This will show in real time what is going on; you can pipe that to another file and parse the info, like creating your own snoop script

Also, have you an Anti-Virus installed? You may want to install McAfee and run it; I personally do not like Symantec
BBateman is offline
Old 09-01-2008, 03:22 PM   #4
Senior Member
 
Join Date: Jun 2008
Location: South Bay Area North of Monteray
Posts: 359

Quote:
Originally Posted by BBateman View Post
No... no other DVMs although it is interesting that multiple DVMs use 25.
I will check out the Vmail log. Did not know that even existed.
Great info...thanks
I was thinking of intercepting that traffic and redirect it to my own email just to determine what is being transmitted. We use RedHat and could do a one line iptables script. I expect to find out that ST is not the culprit.
The HQ and DVMs transmit all messages via SMTP to each other, thus the SMTP failure you will see in quicklook.

Just keep this in your tool box, if you're ever experiencing SMTP failure between HQ and DVM or DVM to HQ

go to
\Shoreline Communication\Shoreline Server\
Type cfg
a new prompt will appear, a cfg diagnostic

Type lserv (That's L for List Serv - this will display all the ShoreTel Servers in the system)

type sendpng <Name Listed by lserv> (Note: you cannot ping the same machine you run this on)

So, for example, let's say you have a DVM named site1 and HQ named headquarters

the command line to SMTP ping the DVM from HQ would be
sendpng site1

the command line to SMTP ping the HQ from DVM would be
sendpng headquarters

(Note: not case sensitive)

If you get a failure then SMTP port 25 is either blocked, not reachable, or the name was changed on the server.....
Jlorenz is offline