CDONTS & SMTP - We are being RELAYED off of! 3

[matcom]

argh!

please help. i have been using asp forms and CDONTS on our Exchange server. i realize i HAVE to have the SMTP service started for the emails to work

our web server is being relayed as a result and this is causing massive problems. is there a way to stop this from happening WITHOUT changing all the code to CDOSYS (which i know nothing about)?

is there a utility or something? i have about 30 different forms and applications that this would affect.

thank you!

 

[matcom]

to clarify:

the reason for the CDONTS is that i need to send the results of the forms both to an email and a database. thats why i am using CDONTS

sorry

 

[skotman]

yes you need to have your security settings in the Virtual SMTP server stricter.

in the IIS MMC find the SMTP Virtual Server, right click on it, click on properties.

Click on the access tab, then the relay button, make sure only the list below is checked.

You can also check, connection, in there ONLY grant the IPs on your network, or just that server.
Another thing I do is change my SMTP port to something way ip there in the 9000 area.

Make sure you restart the SMTP service, then run an relay test (

http://www.abuse.net/relay.html)

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[lebisol]

skotman has made a good point....make SURE that u limit your SMTP relay to only communicate with YOUR relaying server...otherwise anyone outhere can write a CDONTS script and sniff your server our....hence free mailer-spammer for them.

> need more info?
:: don't click HERE ::

 

[matcom]

Thanks Scott.

One follow up question. When i try to find my SMTP virtual server, it ONLY shows up in my services.msc, NOT my IIS. does this mean that SMTP wasn't installed correctly? the server has been set up this way for 3 years. i've only been here 7 months and sadly, am not the sysadmin (although sometimes it feels like it )

THANK YOU AGAIN

 

[skotman]

I'm assuming this is win2k since you mentioned not wanting to convert to CDOSYS (Which is a MUCH better choice because it means you don't have to run a virtual smtp server).

Try to add a new SMTP Server to the IIS snap in. Then configure it that way, untill then, umm I'd say stick the server behind a firewall and block incoming SMTP requests.

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[matcom]

how difficult is it to convert cdonts to cdosys? i have a feeling this would be a MASSIVE programming undertaking??

thanks again Scott. i'll work on setting up a new smtp in the meantime

 

[skotman]

It's not really, depending on how you have your code written.

If your code looks anything like my older code (no functions, lots of cookie cutter type of code) then yes it will be a semi-massive under taking. It really just involves replacing our CDONTS code with the CDOSYS code. If your luck, and your code has a function to call the CDONTS, then just replace the code in the function and your good to go.

Function sendMail(to,from,server,subject,txtBody, htmlBody)
	'Send mail via CDOSYS (win2k+ only)
	'Dimension variables 
	Dim objCDOSYSCon 
	
	'Create the e-mail server object 
	Set objCDOSYSMail = Server.CreateObject("CDO.Message") 
	Set objCDOSYSCon = Server.CreateObject ("CDO.Configuration") 
	
	'Out going SMTP server 
	objCDOSYSCon.Fields("[URL unfurl="true"]http://schemas.microsoft.com/cdo/configuration/smtpserver")[/URL] = "mail.scottspad.com" 
	objCDOSYSCon.Fields("[URL unfurl="true"]http://schemas.microsoft.com/cdo/configuration/smtpserverport")[/URL] = 25 
	objCDOSYSCon.Fields("[URL unfurl="true"]http://schemas.microsoft.com/cdo/configuration/sendusing")[/URL] = 2
	objCDOSYSCon.Fields("[URL unfurl="true"]http://schemas.microsoft.com/cdo/configuration/smtpconnectiontimeout")[/URL] = 60 
	objCDOSYSCon.Fields.Update 
	
	'Update the CDOSYS Configuration 
	Set objCDOSYSMail.Configuration = objCDOSYSCon 
	objCDOSYSMail.From = from 
	objCDOSYSMail.To = to 
	objCDOSYSMail.Subject = subject 
	'objCDOSYSMail.HTMLBody =  htmlBody 'html enhanced email message goes here
	objCDOSYSMail.TextBody = txtBody 
	objCDOSYSMail.Send
	
	'Close the server mail object 
	Set objCDOSYSMail = Nothing 
	Set objCDOSYSCon = Nothing
End Function

Good luck, I'm still learning CDOSYS so I'm not sure what that URL in there is for, if someone could answer that it'd be gravy

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[lebisol]

matcom here is a link:

http://www.maddogs-asp.com/show_tutorial.asp?TutorialID=160

Hi Scott!
can u tell us what is the big deal with NOT running SMTP
if dont mind follow my thoguhts here:
...CDOSYS does the same except "creates the server.object(virtual SMTP) on the fly"....should we be concerned with "CDOSYS Injection" since u would have to give 'public' access to this server's object creation?
also, in case of disaster and need to stop the "mailing" u would have to keep track of which page.asp has the script attached and then temp. remove them from public access....woudn't it be more easier to control STMP sever it self?
thanx for the feedback!

thanx!

> need more info?
:: don't click HERE ::

 

[skotman]

the thing with not running a virtual smtp server is the security, it's one less service that has to be secured, while I understand your concerns I don't think that someone could use a 3rd party server to relay off your CDOSYS pages.

Using injection how ever, you just need to write your code correctly and be able to watch for it. I don't allow people to type in TO addresses in my forms, nor do I let them excede a certain number of chars.

I think an injection type of attack is highly unlikely, if you fall victim to one, then chances are you have other security issues out there.

Scott Heath

http://www.scottspad.com

AIM: orange7288

 

[matcom]

wow you all are fantastic. ok. i have pasted my CDONTS code below. if i understand you right, to get CDOSYS to work all i have to do is change the designation(?)

code follows:

'====================================================================
' Set up variables:
' myCDONTSMail = A CDONTS mail object.
' strFrom = A string containing the source e-mail address.
' strTo = A string containing the destination e-mail address.
' strSubject = A string containing the subject of the e-mail.
' strBody = A string containing the body of the e-mail.
'====================================================================
Dim myCDONTSMail
Dim strFrom
Dim strTo
Dim strSubject
Dim strBody

<%
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
' Assign the source e-mail address. Change this to your e-mail
' address.
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
strFrom=Request.Form("Email&quot

'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
' Assign the destination e-mail address. In this example, get the
' e-mail address from the form field called "EMail".
' You can customize this by removing the EMail form field and
' changing the following line to this:
' strTo="example@microsoft.com" ß Change this to your e-mail
' address.
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
strTo="leads@alliedfamily.com"

'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
' The following line is the subject of the e-mail. You can change
' this to a subject that is customized to your liking.
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
strSubject = "Allied Family Email Lead"

'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
' The following lines create the body of the message. This can be
' anything you want it to be.
'%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
strBody="The following information was submitted:" & Chr(13)
strBody = strBody & Request.Form("FirstName&quot & " "
strBody = strBody & Request.Form("LastName&quot
strBody = strBody & Chr(13) & Request.Form("Address&quot & Chr(13)
strBody = strBody & Request.Form("City&quot & Chr(13)
strBody = strBody & Request.Form("State&quot & Chr(13)
strBody = strBody & Request.Form("Zip&quot & Chr(13)
strBody = strBody & Request.Form("Email&quot & Chr(13)
strBody = strBody & Request.Form("Phone&quot & Chr(13)
strBody = strBody & Request.Form("Comment&quot

'====================================================================
' The SET statement creates the CDONTS mail object in preparation
' for sending the e-mail message.
'====================================================================
Set myCDONTSMail = CreateObject("CDONTS.NewMail&quot

'====================================================================
' The following line sends the mail message using the source e-mail,
' destination e-mail, subject, and body that were defined earlier.
'====================================================================
myCDONTSMail.Send strFrom,strTo,strSubject,strBody

'=== Set the CDONTS mail object to NOTHING to free resources.
Set myCDONTSMail = Nothing


%>

 

[onpnt]

faq333-2962

should help you

___________________________________________________________________
[sub]

http://www.onpnt.com

The answer to your ??'s may be closer then you think.
Check out Tek-Tips knowledge bank by clicking the FAQ link at the top of the page[/sub]

 

[lebisol]

fair enough!
...and having less serverices running is always a good thing when it comes to MS.
many thanx !

just curiours: have u noticed any performance difference in the page/script execution between the CDONTS and CDOSYS

side note:
some people have reported failure of CDONTS scripts on win2003* server and their solution was using CDOSYS even if the SMPT server was running on the same web server where ASP pages were executed.

> need more info?
:: don't click HERE ::

 

[skotman]

The one form I've got using it isn't being heavily used as I'm just rolling out the app. But I'll keep an eye on it.

Scott Heath

http://www.scottspad.com

AIM: orange7288