IIS and SMTP - Question for Sandy Regarding Connections


Curious_2k3

2007-08-01, 1:21 pm

Good Morning,

I have recently configured a new Windows Server 2003 IIS 6.0 SMTP Server. I
am not using Exchange, just SMTP. Everything is working fine, I can send
emails to our SharePoint 3 enabled document library internally as well as
from an external source.

I have relaying restricted except for allowable domains, IP's etc.

When I look at the SMTP Connections I can see 50-57 connections established
at any given time, without them relaying through my server. Are they
"acknowledging our presence" as a MX source? If not, what do they represent?

Thank you in advance.


Sanford Whiteman

2007-08-01, 7:18 pm

> When I look at the SMTP Connections I can see 50-57 connections
> established at any given time, without them relaying through my
> server. Are they "acknowledging our presence" as a MX source? If
> not, what do they represent.


Without looking at your logs, couldn't say which of these connections
are legit and which suspect. Do your logs show attempts to harvest
local usernames (sessions that end after a list of RCPT TOs to users @
your local domains) and/or attempts to relay (sessions that have RCPT
TOs @ remote, non-relay domains) with any frequency? Both will create
connections with no resulting message and so may seem gratuitous
relative to the size of your queue.

There's no such thing as an "acknowledgement" or "heartbeat"
connection from remote servers. Inbound connections are either
currently attempting to send data to you, or have finished sending
data and are pending closure by the TCP/IP stack. Note that because of
the second factor, depending on what utility you're using to get
connection stats, you may appear to have more inbound connections than
are actually active. On very high-traffic servers, the
half-closed/time_wait connections are found in correspondingly high
numbers and can suck up resources.

The closest one might find in your logs to an innocent
"acknowledgement" session is a sender address verification (SAV)
callback. Remote servers that use SAV will poke back into your MX to
ensure that a sender address exists. Frustratingly -- unless you do
log correlation to find the outbound connection that prompted the SAV
callback -- these connections look like one-off directory harvesting
attacks. [Reading the fine print can also help you tell them apart:
for example, SAV callbacks may use sender addresses like
"postmaster.sav.callback@example.com" to give you a visual cue.]

--Sandy
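As an added illustration of the log triage Sandy describes (this is not code from the thread or from the 5xxsink tool), the script below groups constructed SMTP log lines by client IP and labels each session as a relay attempt, a directory-harvest probe, a possible SAV callback, or a normal delivery. The five-column field layout, the one-session-per-IP grouping and the RCPT threshold are assumptions made for the demo; a real IIS 6.0 SMTP W3C log has more columns, so match the split to your own #Fields header.

```python
import re
from collections import defaultdict

LOCAL_DOMAINS = {"example.com"}   # domains this MX accepts mail for (assumed)
HARVEST_RCPT_THRESHOLD = 3        # local RCPT TOs with no DATA before we call it harvesting
ADDR = re.compile(r"<([^>]*)>")   # pulls user@domain out of "+FROM:<...>" / "+TO:<...>"

# Constructed sample log (not real traffic). Field layout "time c-ip cs-method
# cs-uri-query sc-status" is an assumption; real IIS 6.0 SMTP W3C logs carry more columns.
SAMPLE_LOG = """\
13:01:02 203.0.113.7 MAIL +FROM:<a@probe.test> 250
13:01:02 203.0.113.7 RCPT +TO:<alice@example.com> 250
13:01:03 203.0.113.7 RCPT +TO:<bob@example.com> 550
13:01:03 203.0.113.7 RCPT +TO:<carol@example.com> 550
13:02:10 198.51.100.4 MAIL +FROM:<x@spam.test> 250
13:02:10 198.51.100.4 RCPT +TO:<victim@other.test> 550
13:03:00 192.0.2.9 MAIL +FROM:<> 250
13:03:00 192.0.2.9 RCPT +TO:<dave@example.com> 250
13:04:00 192.0.2.20 MAIL +FROM:<partner@partner.test> 250
13:04:00 192.0.2.20 RCPT +TO:<alice@example.com> 250
13:04:01 192.0.2.20 DATA +<msg1@partner.test> 250
"""

def parse_sessions(log_text):
    # Group verbs by client IP; the demo assumes one session per IP.
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        _time, ip, verb, arg, _status = line.split()
        sessions[ip].append((verb, arg))
    return sessions

def classify(session):
    rcpts = [ADDR.search(a).group(1) for v, a in session if v == "RCPT"]
    senders = [ADDR.search(a).group(1) for v, a in session if v == "MAIL"]
    sent_message = any(v == "DATA" for v, _ in session)
    remote = [r for r in rcpts if r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
    if remote:
        return "relay attempt"              # RCPT TO @ a domain we do not relay for
    if sent_message:
        return "delivery"
    if len(rcpts) >= HARVEST_RCPT_THRESHOLD:
        return "directory harvest"          # list of local RCPT TOs, then no message
    sender = senders[0] if senders else ""
    if len(rcpts) == 1 and (sender == "" or sender.startswith("postmaster")):
        return "possible SAV callback"      # one-off probe; confirm against the outbound log
    return "probe, no message"

def report(log_text):
    return {ip: classify(s) for ip, s in parse_sessions(log_text).items()}
```

A "possible SAV callback" label is only a hint; as Sandy notes, the session can only be told from a one-off harvest by correlating it with the outbound connection that prompted it.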
Curious_2k3

2007-08-02, 1:19 am

->Thank you for the response and information Sandy. After taking a closer
look at the logs, I believe they were relaying through.

->Before I attempted another question, I located and installed your 5xxsink.
Seems to have done the trick. Very straightforward. Nicely done.

-> I know where to stop for excellent advice.

->Thanks again,

Curious

"Curious_2k3" wrote:

> Good Morning,
>
> I have recently configured a new Windows Server 2003 IIS 6.0 SMTP Server. I
> am not using Exchange, just SMTP. Everything is working fine, I can send
> emails to our SharePoint 3 enabled document library internally as well as
> from an external source.
>
> I have relaying restricted except for allowable domains, IP's etc.
>
> When I look at the SMTP Connections I can see 50-57 connections established
> at any given time, without them relaying through my server. Are they
> "acknowledging our presence" as a MX source? If not, what do they represent?
>
> Thank you in advance.
>
>

Sanford Whiteman

2007-08-02, 7:18 am

> ->Thank you for the response and information Sandy. After taking a closer
> look at the logs, I believe they were relaying through.


Sounds very likely. Any connection you don't understand at first is
usually up to something.

> ->Before I attempted another question, I located and installed your
> 5xxsink.
> Seems to have done the trick. Very straightforward. Nicely done.


Cool! Do stop back.

--Sandy

Copyright 2003 - 2008 webservertalk.com