Find Mail Servers


ocram6616967
Assuming that they haven't documented the servers on their public web pages (ISPs usually do, private companies won't) then to find the inbound smtp servers you can use nslookup or dig. Just set the type to mx and it should list the mail servers for delivering mail to that domain.

If you are looking for the outbound mail servers and pop servers then that can be difficult. Assuming that you have a range of IPs for their network I would start by doing reverse lookups on the whole range and see if any report a hostname like POP, MAIL, SMTP, IMAP, etc. If they don't then you could try resolving a set of hostnames using them and see if any of them resolve.

Failing that you may just have to port scan the entire range for open ports related to the services, though this will be very noisy and may get noticed.

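The MX and reverse-lookup steps described in the post above, as an added example that is not part of the original thread: it reads `dig` answer lines for a domain you administer, orders the inbound servers by MX preference, and picks out PTR names with mail-style labels. The sample records, `example.com` and the 192.0.2.0/24 addresses are constructed for illustration.

```python
import re

# Constructed sample: answer lines in the format printed by `dig example.com MX`
# and `dig -x <ip>`; names and addresses are documentation values, not real data.
SAMPLE = """\
;; ANSWER SECTION:
example.com.             3600 IN MX  20 mx2.example.com.
example.com.             3600 IN MX  10 mail.example.com.
10.2.0.192.in-addr.arpa. 3600 IN PTR www.example.com.
25.2.0.192.in-addr.arpa. 3600 IN PTR smtp.example.com.
26.2.0.192.in-addr.arpa. 3600 IN PTR pop3.example.com.
27.2.0.192.in-addr.arpa. 3600 IN PTR fileserver.example.com.
"""

# First DNS label that suggests a mail role (mail, mx1, smtp, pop, pop3, imap ...).
MAIL_LABEL = re.compile(r"^(mail|mx|smtp|pop3?|imap)\d*$", re.IGNORECASE)


def parse_records(text):
    """Yield (owner, rtype, rdata_fields) for each resource-record line."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            yield fields[0], fields[3], fields[4:]


def inbound_mx(text):
    """Inbound SMTP hosts from MX records, lowest preference value first."""
    mx = [(int(rdata[0]), rdata[1].rstrip("."))
          for _, rtype, rdata in parse_records(text) if rtype == "MX"]
    return [host for _, host in sorted(mx)]


def mail_like_ptrs(text):
    """Map IPv4 address -> PTR hostname where the first label looks mail-related."""
    found = {}
    for owner, rtype, rdata in parse_records(text):
        if rtype != "PTR":
            continue
        host = rdata[0].rstrip(".")
        if MAIL_LABEL.match(host.split(".")[0]):
            # Owner name is the address reversed: 25.2.0.192.in-addr.arpa.
            ip = ".".join(reversed(owner.split(".")[:4]))
            found[ip] = host
    return found
```
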

smtp, pop3 and imap only use specific ports though. So a banner grab of all known mail ports, directly from a browser, should return either a time out or an error message, which in the case of error messages confirms the service is on that port. If it's the actual mailserver name you want, because frankly a site can say www.acmeco.com and have 25 open, but won't respond to requests to send mail unless internally they have DNS set up for, say, smtp.acmeco.com, so it comes down to the alias they have set up to actually listen, even when www.acmeco.com might by default show that port open. The only way to find that without speaking with the host is DNS records, if they allow poking around, à la dig or nslookup. As for the version of the software running on the port, either a banner grab or an nmap scan for services can return the version of software on the port, but as digininja explained, in most cases it can be against the law depending on the part of the world you live in and the local laws where the server itself is located, which sometimes are two different municipalities, but they often have no problem extraditing people to other countries, aka Kim Dotcom, who I presume will have a long and lengthy court case for copyright infringement, whether he actually broke the law or not.

Common smtp, pop, imap and secure mail ports: 25, 110, 143, 587, 585, 993 and 995.

Edited by digip
Just adding to what Digip said, if your domain name is ocram6616967.com, your email records will generally be in the following format.

mail.ocram6616967.com

mx.ocram6616967.com

smtp.ocram6616967.com

pop3.ocram6616967.com

You need to ping each and verify if you can get any response back. If you don't get any response back, it could mean they are not set up or haven't been created, in which case you will need to contact your domain registrar or ISP to have them created.

Edited by Infiltrator
Ok thanks. How can I ping these email records with backtrack/ubuntu?

Just use the normal ping command. For example,

ping google.com


You can try that by guessing the names like pop3.somesite.com, but an nmap scan of the domain, will tell you 1, what ports are open, and 2, the version of the services on each port. Also, DNS queries can help identify what and if, they actually use different naming schema for the pop, imap, and smtp servers, like using nslookup or dig to identify mx records, a, cname, txt records, etc. Or, go third party, and just pop the domain name into eWhois ( http://www.ewhois.com/ ) and then look under the DNS tab for what comes back, might be publicly available and often list the mail servers as well as name servers for the domain.

Forgot, quick note, nmap can also do zone transfers for sites that are vulnerable, and sometimes, just give you all the names at once, but it's kind of a 50/50 chance a host hasn't locked that down.

Edited by digip
OK, thanks, you've been very exhaustive! Now I've scanned pop.xxxxxxxx.com with nmap and the program gives me this result:

PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
993/tcp open  imaps
995/tcp open  pop3s

Which of these is the pop port? 110 or 995? And do you know what's the difference between pop3 and pop3s in the result? thanks

Pop3 is the pop3 port and pop3s is the pop3s (or pop3 secure) port. The difference between pop3 and pop3s is similar to the difference between http and https. The latter is more secure.


What pasteywhitecoder said above me. One's plain text, the other encrypted traffic.

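The pop3/pop3s distinction from the answers above, as an added example that is not part of the original thread: it parses the port table posted earlier and, for each mail port, reports how TLS is applied and whether a cleartext port is exposed alongside its implicit-TLS counterpart. The `MAIL_PORTS` and `TLS_SIBLING` tables and the function names are assumptions of this example.

```python
import re

# Port table as posted in the thread (host name omitted).
NMAP_OUTPUT = """\
PORT    STATE SERVICE
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3
143/tcp open  imap
443/tcp open  https
993/tcp open  imaps
995/tcp open  pop3s
"""

# port -> (protocol, how TLS is applied). On the cleartext ports, encryption
# only happens if the client issues the in-band upgrade command first.
MAIL_PORTS = {
    25:  ("SMTP", "cleartext, optional STARTTLS"),
    110: ("POP3", "cleartext, optional STLS"),
    143: ("IMAP", "cleartext, optional STARTTLS"),
    993: ("IMAP", "implicit TLS"),
    995: ("POP3", "implicit TLS"),
}
# Cleartext mailbox-access port -> its implicit-TLS counterpart.
TLS_SIBLING = {110: 995, 143: 993}


def open_ports(text):
    """Return the set of TCP ports that nmap reported as open."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.MULTILINE)}


def audit(text):
    """List (port, protocol, transport, tls_sibling_also_open) per mail port.

    The last field is True for a cleartext port whose TLS counterpart is
    open too, i.e. clients could be moved to the encrypted port.
    """
    ports = open_ports(text)
    report = []
    for port in sorted(p for p in ports if p in MAIL_PORTS):
        proto, transport = MAIL_PORTS[port]
        report.append((port, proto, transport, TLS_SIBLING.get(port) in ports))
    return report
```

In this scan both 110 and 995 are POP3; 110 carries the login in plain text unless the client upgrades with STLS, while 995 wraps the whole session in TLS from the first byte.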
