Detecting suspicious SMTP servers
Compromised servers might have rogue SMTP servers installed and abused by spammers. System administrators can use Nmap to help them monitor mail servers in their network.
This recipe shows how to detect rogue SMTP servers with Nmap.
How to do it...
Open your terminal and enter the following Nmap command:
$ nmap -sV --script smtp-strangeport <target>
If a mail server is found on a nonstandard port, it will be reported in the script output section:
PORT STATE SERVICE    VERSION 9999/tcp open   ssl/smtp Postfix smtpd |_smtp-strangeport: Mail server on unusual port: possible malware
How it works...
The smtp-strangeport
script was submitted by Diman Todorov. It detects SMTP servers running on nonstandard ports, which is an indicator of rogue mail servers. If an SMTP server is found running on a port other than 25
, 465
, and 587
, this script will notify you.
The -sV --script smtp-strangeport...