ocram6616967 Posted October 9, 2012 Share Posted October 9, 2012 Hi guys. I've an email domain and I'd like to discover the server name (pop and smtp) of that email. How can I do? Also, if possible, the port of every server... Thanks Quote Link to comment Share on other sites More sharing options...
Jason Cooper Posted October 9, 2012 Share Posted October 9, 2012 Assuming that they haven't documented the servers on their public web pages (ISPs usually do, private companies won't) then to find the inbound smtp servers you can use nslookup or dig. Just set the type to mx and it should list the mail servers for delivering mail to that domain. If you are looking for the outbound mail servers and pop servers then that can be difficult. Assuming that you have a range of IP's for their network I would start by doing reverse lookups on the whole range and see if any report a hostname like POP, MAIL, SMTP, IMAP, etc. If they don't then you could try resolving a set of hostnames using them and see any of them resolve. Failing that you may just have to port scan the entire range for open ports related to the services, though this will be very noisy and may get noticed. Quote Link to comment Share on other sites More sharing options...
digininja Posted October 9, 2012 Share Posted October 9, 2012 Talk to the ISP who host the domain for you, if you start scanning them you'll probably be breaking the law. Quote Link to comment Share on other sites More sharing options...
digip Posted October 9, 2012 Share Posted October 9, 2012 (edited) smtp, pop3 and imap, only use specific ports though. So a banner grab of all known mail ports, directly from a browser, should return either a time out, or error message, which in the case of error messages, confirms the service is on that port. If its the actual mailserver name you want, because frankly a site can say www.acmeco.com and have 25 open, but won't respond to requests to send mail unless internally they have DNS setup for say smtp.acmeco.com, so it comes down to the alias they have setup to actually listen, even when www.acmeco.com might by default show that port open. Only way to find that without speaking with the host, is dns records, if they allow poking around, ala, dig or nslookup. As for version of the software running on the port, either banner grab, or nmap scan for services can return the version of software on the port but as digininja explained, in most cases can be against the law depending on the part of the world you live in and the local laws where the server itself is located, which sometimes are two different municipalities, but they often have no problem extraditing people to other countries, aka Kim Dot Com I presume will have a long and lengthy court case for copyright infringement, whether he actually broke the law or not. Common smtp, pop, imap and secure mail ports: 25, 110, 143, 587, 585, 993 and 995. Edited October 10, 2012 by digip Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted October 9, 2012 Share Posted October 9, 2012 (edited) smtp, pop3 and imap, only use specific ports though. So a banner grab of all known mail ports, directly from a browser, should return either a time out, or error message, which in the case of error messages, confirms the service is on that port. If its the actual mailserver name you want, because frankly a site can say www.acmeco.com and have 25 open, but won't respond to requests to send mail unless internally they have DNS setup for say smtp.acmeco.com, so it comes down to the alias they have setup to actually listen, even when www.acmeco.com might by default show that port open. Only way to find that without speaking with the host, is dns records, if they allow poking around, ala, dig or nslookup. As for version of the software running on the port, either banner grab, or nmap scan for conversioning can return the version of software on the port but as digininja explained, in most cases can be against the law depending on the part of the world you live in and the local laws where the server itself is located, which sometimes are two different municipalities, but they often have no problem extraditing people to other countries, aka Kim Dot Com I presume will have a long and lengthy court case for copyright infringement, whether he actually broke the law or not. Common smtp, pop, imap and secure mail ports: 25, 110, 143, 587, 585, 993 and 995. Just adding to what Digip said, if your domain name is ocram6616967.com, your email records will generally be in the following format. mail.ocram6616967.com mx.ocram6616967.com smtp.ocram6616967.com pop3.ocram6616967.com You need to ping each and verify if you can get any respose back. If you don't get any response back, it could mean, they are not setup or haven't been created, in which case, you will need to contact your domain register or ISP to have them created. Edited October 9, 2012 by Infiltrator Quote Link to comment Share on other sites More sharing options...
ocram6616967 Posted October 10, 2012 Author Share Posted October 10, 2012 Just adding to what Digip said, if your domain name is ocram6616967.com, your email records will generally be in the following format. mail.ocram6616967.com mx.ocram6616967.com smtp.ocram6616967.com pop3.ocram6616967.com You need to ping each and verify if you can get any respose back. If you don't get any response back, it could mean, they are not setup or haven't been created, in which case, you will need to contact your domain register or ISP to have them created. Ok thanks. How can i ping this email records with backtrack/ubuntu ? Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted October 10, 2012 Share Posted October 10, 2012 Ok thanks. How can i ping this email records with backtrack/ubuntu ? Just use the normal ping command. For example, Ping google.com[/CODE] Quote Link to comment Share on other sites More sharing options...
ocram6616967 Posted October 10, 2012 Author Share Posted October 10, 2012 Just use the normal ping command. For example, Ping google.com[/CODE]OK! So, if I want ping pop3.example.com, I must use the command: ping pop3.example.com... Isn't it? Quote Link to comment Share on other sites More sharing options...
digip Posted October 10, 2012 Share Posted October 10, 2012 (edited) You can try that by guessing the names like pop3.somesite.com, but an nmap scan of the domain, will tell you 1, what ports are open, and 2, the version of the services on each port. Also, DNS queries can help identify what and if, they actually use different naming schema for the pop, imap, and smtp servers, like using nslookup or dig to identify mx records, a, cname, txt records, etc. Or, go third party, and just pop the domain name into eWhois ( http://www.ewhois.com/ ) and then look under the DNS tab for what comes back, might be publicly available and often list the mail servers as well as name servers for the domain. Forgot, quick note, nmap can also do zone transfers for sites that are vulnerable, and sometimes, just give you all the names at once, but its kind of a 50/50 chance a host hasn't locked that down. Edited October 10, 2012 by digip Quote Link to comment Share on other sites More sharing options...
ocram6616967 Posted October 11, 2012 Author Share Posted October 11, 2012 You can try that by guessing the names like pop3.somesite.com, but an nmap scan of the domain, will tell you 1, what ports are open, and 2, the version of the services on each port. Also, DNS queries can help identify what and if, they actually use different naming schema for the pop, imap, and smtp servers, like using nslookup or dig to identify mx records, a, cname, txt records, etc. Or, go third party, and just pop the domain name into eWhois ( http://www.ewhois.com/ ) and then look under the DNS tab for what comes back, might be publicly available and often list the mail servers as well as name servers for the domain. Forgot, quick note, nmap can also do zone transfers for sites that are vulnerable, and sometimes, just give you all the names at once, but its kind of a 50/50 chance a host hasn't locked that down. OKk. thanks, u've been very exhaustive! Now I've scanned pop.xxxxxxxx.com with nmap and the program gives me this result: PORT STATE SERVICE 25/tcp open smtp 80/tcp open http 110/tcp open pop3 143/tcp open imap 443/tcp open https 993/tcp open imaps 995/tcp open pop3s Which of these is the pop port? 110 or 995? And do you know what's the difference between pop3 and pop3s in the result? thanks Quote Link to comment Share on other sites More sharing options...
pasteywhitecoder Posted October 11, 2012 Share Posted October 11, 2012 OKk. thanks, u've been very exhaustive! Now I've scanned pop.xxxxxxxx.com with nmap and the program gives me this result: PORT STATE SERVICE 25/tcp open smtp 80/tcp open http 110/tcp open pop3 143/tcp open imap 443/tcp open https 993/tcp open imaps 995/tcp open pop3s Which of these is the pop port? 110 or 995? And do you know what's the difference between pop3 and pop3s in the result? thanks Pop3 is the pop3 port and pop3s is the pop3s (or pop3 secure) port. The difference between pop3 and pop3s is similar to the difference between http and https. The latter is more secure. Quote Link to comment Share on other sites More sharing options...
digip Posted October 12, 2012 Share Posted October 12, 2012 What pasteywhitecoder said above me. Ones plain text, the other encrypted traffic. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.