Welcome to ShoreTelForums.com

Welcome to ShoreTelForums.com!

This site was created as a place to share stories, tips, and troubleshooting help with ShoreTel/Mitel systems. ShoreTel/Mitel is obviously the MOST exciting VoIP platform on the market right now, and we realized there was no centralized place to discuss this platform, but now there is. Please feel free to join and share your experiences.

Please Note: This site IS NOT owned, funded, or managed by ShoreTel/Mitel, Inc., although you may find ShoreTel/Mitel employees sharing their experiences and expertise. If you would like more information on ShoreTel/Mitel systems, contact BTX at [email protected]

As always please support the advertisers that help support our site.

Thank You,
BTX
  • Port 25 trace for Win Server 2003

    A week ago, we had an employee click on an email link that installed a trojan horse on her computer. That computer started spitting out spam through port 25 until I caught it. I have since blocked that port from forwarding outside our network. I have also added logging to note when a computer attempts to forward to an outside IP through 25.
    About once an hour, I have noticed that the ShoreTel VM machine is trying to contact the following IPs:
    To 64.18.6.10 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 64.18.6.11 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 64.18.6.13 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 64.18.6.14 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 209.181.247.105 - 510 packets
    Service: smtp (tcp/25) - 510 packets
    Whois shows me that it is an email company called Postini, which is an email hosting service in Nor Cal.
    My question: how can I find out the app that is responsible for sending this type of traffic out? I have looked through the event viewer (Win Server 2003) and it shows me that the SMTP event has failed (over and over) but does not list the offending app.
    All that is running on the box is LogMeIn, RMS (call accounting software), and of course ShoreTel VM.
    Shutting off LogMeIn and RMS doesn't seem to affect the transmissions.
    Thanks in advance.
    Brad
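On Windows Server 2003 the direct way to answer the question above is `netstat -ano`, which prints the owning PID in the last column of each connection, followed by `tasklist /FO CSV /NH` to turn PIDs into image names. The script below is an added example (not from the thread and not ShoreTel's own tooling) that joins those two outputs and lists which process is opening connections to tcp/25. The netstat and tasklist output embedded in it is constructed to look like the real format; the destination IPs are the Postini addresses from the post, and the process name `VMail.exe` is a placeholder, not a claim about what the ShoreTel voicemail service is actually called.

```python
"""Attribute outbound tcp/25 connections to processes from netstat/tasklist output.

Added example for the thread above. Offline it runs on the constructed samples
below; live_snapshot() runs the real commands on a Windows host.
"""
import re
import subprocess
from collections import defaultdict

# Constructed sample of `netstat -ano` output (Windows format, header included).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       824
  TCP    192.168.1.20:1052      64.18.6.10:25          SYN_SENT        1744
  TCP    192.168.1.20:1053      64.18.6.11:25          SYN_SENT        1744
  TCP    192.168.1.20:1054      209.181.247.105:25     ESTABLISHED     1744
  TCP    192.168.1.20:3389      10.0.0.5:51000         ESTABLISHED     1120
  UDP    0.0.0.0:5060           *:*                                    2216
"""

# Constructed sample of `tasklist /FO CSV /NH` output for the PIDs above.
# "VMail.exe" is a placeholder process name, not the real ShoreTel service name.
SAMPLE_TASKLIST = """\
"svchost.exe","824","Console","0","4,512 K"
"VMail.exe","1744","Console","0","18,004 K"
"svchost.exe","1120","Console","0","6,120 K"
"""

# One TCP row: proto, local addr, remote ip:port, state, pid.
LINE_RE = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>[\d.]+):(?P<rport>\d+)\s+"
    r"(?P<state>\S+)\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text, port=25):
    """Return {pid: set(remote_ip)} for TCP rows whose remote port equals `port`."""
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group("rport")) == port:
            hits[int(m.group("pid"))].add(m.group("remote"))
    return dict(hits)


def parse_tasklist_csv(text):
    """Return {pid: image_name} from `tasklist /FO CSV /NH` output."""
    names = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip('"') for f in line.split('","')]
        names[int(fields[1])] = fields[0]
    return names


def attribute_smtp_traffic(netstat_text, tasklist_text, port=25):
    """Join both views: {process image name: sorted list of remote IPs on `port`}."""
    names = parse_tasklist_csv(tasklist_text)
    return {
        names.get(pid, "pid %d (not in tasklist)" % pid): sorted(ips)
        for pid, ips in parse_netstat(netstat_text, port).items()
    }


def live_snapshot(port=25):
    """Run the real commands on a Windows host (not used in the offline demo)."""
    ns = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
    return attribute_smtp_traffic(ns, tl, port)


if __name__ == "__main__":
    for proc, ips in attribute_smtp_traffic(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print("%s -> %s" % (proc, ", ".join(ips)))
```

Because the connections in the post fail and retry about once an hour, run the snapshot repeatedly (or while the firewall log shows the burst) so the SYN_SENT rows are present when netstat is sampled; a single snapshot between bursts will show nothing on port 25.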

  • #2
    First:
    Are any of the IP addresses listed other ShoreTel DVMs or remote ShoreTel servers on sites?
    If so, then ShoreTel communicates with each DVM, and DVM back to HQ, via SMTP port 25.

    If not:
    You can view the Vmail log file under \Shoreline Data\Logs
    Search for the email addy; this will give you the ID of the user who may have this email addy set up.
    If you wish to do it in real time and create a script that parses the Vmail log:
    From the command prompt in \Shoreline Communication\Shoreline Server\ do
    showlog vmail

    This will show in real time what is going on; you can pipe that to another file and parse the info, like creating your own snoop script.

    Also, do you have an Anti-Virus installed? You may want to install McAfee and run it; I personally do not like Symantec.

    Originally posted by BBateman:
    A week ago, we had an employee click on an email link that installed a trojan horse on her computer. That computer started spitting out spam through port 25 until I caught it. I have since blocked that port from forwarding outside our network. I have also added logging to note when a computer attempts to forward to an outside IP through 25.
    About once an hour, I have noticed that the ShoreTel VM machine is trying to contact the following IPs:
    To 64.18.6.10 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 64.18.6.11 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 64.18.6.13 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 64.18.6.14 - 300 packets
    Service: smtp (tcp/25) - 300 packets
    To 209.181.247.105 - 510 packets
    Service: smtp (tcp/25) - 510 packets
    Whois shows me that it is an email company called Postini, which is an email hosting service in Nor Cal.
    My question: how can I find out the app that is responsible for sending this type of traffic out? I have looked through the event viewer (Win Server 2003) and it shows me that the SMTP event has failed (over and over) but does not list the offending app.
    All that is running on the box is LogMeIn, RMS (call accounting software), and of course ShoreTel VM.
    Shutting off LogMeIn and RMS doesn't seem to affect the transmissions.
    Thanks in advance.
    Brad
    Last edited by Jlorenz; 09-01-2008, 09:50 AM.
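The reply above suggests searching the Vmail log (or the redirected output of `showlog vmail`) for the email address, because the address leads to the mailbox whose notification setting is generating the SMTP traffic. The script below is an added example, not ShoreTel code and not the real Vmail log format, which this thread does not show: it scans any text log for email addresses, attributes each one to the mailbox ID mentioned on the same line, and ranks the addresses that are outside your own mail domain, so the noisiest external notification target comes out first. The log lines, the `Mailbox NNNN:` wording matched by `MAILBOX_RE`, the mailbox numbers and the domains are all constructed; adjust `MAILBOX_RE` and `INTERNAL_DOMAINS` to the real log and your own domain.

```python
"""Find which mailbox is sending notifications to an external email address.

Added example for the reply above. Constructed log format; replace SAMPLE_LOG
with the contents of the Vmail log under \\Shoreline Data\\Logs or the file you
redirected `showlog vmail` into.
"""
import re
from collections import Counter, defaultdict

# Assumption: your own mail domain(s). Anything else counts as external.
INTERNAL_DOMAINS = {"example.com"}

# Constructed sample lines; the wording is made up, not the real Vmail log.
SAMPLE_LOG = """\
09/01/2008 08:02:11 VM  Mailbox 1207: notification to jdoe@example.com queued
09/01/2008 08:02:12 SMTP connect 64.18.6.10:25 failed (timeout)
09/01/2008 08:02:12 VM  Mailbox 1342: notification to brad.home@hosted-mail.example.net queued
09/01/2008 08:02:13 SMTP connect 209.181.247.105:25 failed (timeout)
09/01/2008 08:02:14 VM  Mailbox 1342: notification to brad.home@hosted-mail.example.net queued
09/01/2008 08:02:15 VM  Mailbox 1018: notification to rsmith@example.com queued
"""

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
# Assumption about how the log names the mailbox; change to match the real file.
MAILBOX_RE = re.compile(r"Mailbox\s+(\d+)")


def addresses_by_mailbox(text):
    """Return {mailbox_id: Counter(address -> occurrences)} from log text."""
    result = defaultdict(Counter)
    for line in text.splitlines():
        box = MAILBOX_RE.search(line)
        if not box:
            continue  # SMTP transport lines carry no mailbox; skip them
        for addr in EMAIL_RE.findall(line):
            result[int(box.group(1))][addr.lower()] += 1
    return dict(result)


def external_recipients(text, internal_domains=INTERNAL_DOMAINS):
    """Return [(mailbox_id, address, count)] for non-internal addresses, busiest first."""
    rows = []
    for box, addrs in addresses_by_mailbox(text).items():
        for addr, count in addrs.items():
            domain = addr.rsplit("@", 1)[1]
            if domain not in {d.lower() for d in internal_domains}:
                rows.append((box, addr, count))
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for box, addr, count in external_recipients(SAMPLE_LOG):
        print("mailbox %d -> %s (%d notifications)" % (box, addr, count))
```

Once a mailbox ID comes out of this, the user's notification address can be checked in Director; the script only narrows the search, it does not change anything.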



    • #3
      No... no other DVMs although it is interesting that multiple DVMs use 25.
      I will check out the Vmail log. Did not know that even existed.
      Great info...thanks
      I was thinking of intercepting that traffic and redirect it to my own email just to determine what is being transmitted. We use RedHat and could do a one line iptables script. I expect to find out that ST is not the culprit.
      Originally posted by Jlorenz:
      First:
      Are any of the IP addresses listed other ShoreTel DVMs or remote ShoreTel servers on sites?
      If so, then ShoreTel communicates with each DVM, and DVM back to HQ, via SMTP port 25.

      If not:
      You can view the Vmail log file under \Shoreline Data\Logs
      Search for the email addy; this will give you the ID of the user who may have this email addy set up.
      If you wish to do it in real time and create a script that parses the Vmail log:
      From the command prompt in \Shoreline Communication\Shoreline Server\ do
      showlog vmail

      This will show in real time what is going on; you can pipe that to another file and parse the info, like creating your own snoop script.

      Also, do you have an Anti-Virus installed? You may want to install McAfee and run it; I personally do not like Symantec.



      • #4
        Originally posted by BBateman:
        No... no other DVMs, although it is interesting that multiple DVMs use 25.
        I will check out the Vmail log. Did not know that even existed.
        Great info...thanks
        I was thinking of intercepting that traffic and redirecting it to my own email just to determine what is being transmitted. We use RedHat and could do a one-line iptables script. I expect to find out that ST is not the culprit.
        The HQ and DVMs transmit all messages via SMTP to each other, thus the SMTP failure you will see in Quick Look.

        Just keep this in your tool box if you're ever experiencing SMTP failure between HQ and DVM or DVM to HQ:

        Go to
        \Shoreline Communication\Shoreline Server\
        Type cfg
        A new prompt will appear, the cfg diagnostic prompt.

        Type lserv (that's L for List Serv; this will display all the ShoreTel servers in the system).

        Type sendpng <name listed by lserv> (Note: you cannot ping the same machine you run this on.)

        So, for example, let's say you have a DVM named site1 and HQ named headquarters.

        The command line to SMTP ping the DVM from HQ would be
        sendpng site1

        The command line to SMTP ping the HQ from DVM would be
        sendpng headquarters

        (Note: not case sensitive.)

        If you get a failure, then SMTP port 25 is either blocked, not reachable, or the name was changed on the server.....
