keyongtech



 #1  
02-08-10, 02:29 PM
nanomage
I am writing here because I was advised at forums.iis.net to ask my question
here.
I am configuring a shared hosting server under IIS 7.5. I expect my
customers to try sending spam from their scripts through IIS SMTP and I
want to have a means to track down and disable spamming sites. I have
configured IIS SMTP to use "Basic Authentication" to make every user log in
to the SMTP server before sending mail. I have also enabled IIS SMTP logging
and marked every field in W3C extended log format to be logged.
Still, IIS SMTP does not log the username that scripts are bound to use when
sending mail.
All I get in the log is the client's FQDN as cs-username and the same FQDN as
cs-uri-query after the AUTH command.
How can I make IIS SMTP log the username which is used to relay?
 #2  
02-08-10, 11:50 PM
Sanford Whiteman
Hey Nanomage, Mailmage here (seriously, that was my handle when I first
got into SMTP).

You've highlighted a long-standing gap in the audit trail for IIS SMTP.
Note that with some SMTP AUTH mechanisms, there is no plain-text username
passed on the wire, so there would be nothing for IIS to log -- although
as you noticed it doesn't even log with AUTH LOGIN.

Bottom line: you are not going to get the AUTH username in the logs. So
you have to find workarounds. My advice is to use the root web.config to
hard-code one or more SMTP settings which are logged:

- SMTP sender address: if you want to lock an app down to using a single
envelope sender address (not just a single auth username/password),
hardcode the `from` attribute on the `smtp` element.

- Destination ip: the `host` attr on the `network` el. If your SMTP
service is bound to localhost, it will answer on 127.0.0.1, 127.0.0.2,
127.0.0.3, etc. Set each hosted client to connect to a different host
number. The client will then be instantly apparent in the logs, since
source = dest when you connect to a loopback IP.

-- Sandy




------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------
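
One way to read the logs once both workarounds above are in place, as an added example that is not part of the original thread. It assumes a W3C extended log whose `#Fields` header includes `s-ip`, `cs-method`, `cs-uri-query` and `sc-status`, with the SMTP verb in `cs-method` and its argument in `cs-uri-query`; the tenant map, addresses and log lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed mapping: the loopback address written into each site's <network host="...">
# and the envelope sender hard-coded in that site's <smtp from="...">.
TENANTS = {
    "127.0.0.2": ("site-a", "noreply@site-a.example"),
    "127.0.0.3": ("site-b", "noreply@site-b.example"),
}

# Constructed sample in W3C extended format (not real log data).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-query sc-status
2010-02-09 10:00:01 127.0.0.2 web01 127.0.0.2 MAIL +FROM:<noreply@site-a.example> 250
2010-02-09 10:00:01 127.0.0.2 web01 127.0.0.2 RCPT +TO:<alice@example.org> 250
2010-02-09 10:00:05 127.0.0.3 web01 127.0.0.3 MAIL +FROM:<promo@other.example> 250
2010-02-09 10:00:05 127.0.0.3 web01 127.0.0.3 RCPT +TO:<bob@example.org> 250
2010-02-09 10:00:05 127.0.0.3 web01 127.0.0.3 RCPT +TO:<carol@example.org> 250
2010-02-09 10:00:09 127.0.0.9 web01 127.0.0.9 RCPT +TO:<dave@example.org> 250
"""

ADDR = re.compile(r"<([^>]*)>")

def attribute(log_text, tenants=TENANTS):
    """Return (accepted recipients per tenant, unexpected envelope senders per tenant)."""
    fields, rcpts, bad_from = [], Counter(), defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header defines the column order
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # On loopback, source == destination, so s-ip identifies the hosted site.
        ip = row.get("s-ip", "?")
        name, allowed = tenants.get(ip, ("unmapped:" + ip, None))
        m = ADDR.search(row.get("cs-uri-query", ""))
        addr = m.group(1).lower() if m else ""
        method = row.get("cs-method", "").upper()
        if method == "RCPT" and row.get("sc-status") == "250":
            rcpts[name] += 1  # volume of accepted recipients per site
        elif method == "MAIL" and allowed and addr != allowed:
            bad_from[name].add(addr)  # sender differs from the configured one
    return rcpts, dict(bad_from)

if __name__ == "__main__":
    rcpts, bad_from = attribute(SAMPLE_LOG)
    for name, n in rcpts.most_common():
        print(name, n, sorted(bad_from.get(name, [])))
```

Traffic on a loopback address that is not in the map shows up under `unmapped:`, which is worth reviewing because it means a site is connecting to a host number nobody assigned.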
 #3  
02-09-10, 09:43 AM
nanomage
Thank you for your help. I will try some workaround, then.
 #4  
02-09-10, 04:02 PM
nanomage
Hello again.

I decided to create my own COM object, which does log usernames, and force
the customers into using it to send mail.

However, they are still able to send mail through either system.web.mail or
system.net.mail.

How can I forbid them to do so, so that they would be bound to use my
custom-created object?
 #5  
02-09-10, 06:13 PM
Sanford Whiteman
> however, they are still able to send mail through either system.web.mail
> or system.net.mail
>
> How can i forbid them to do so, so that they would be bound to use my
> custom-created object?


To disable System.Net.Mail, use the SmtpPermission class:

http://msdn.microsoft.com/en-us/libr...ss(VS.80).aspx

To disable System.Web.Mail, unregister the underlying
CDOSys.dll/CDONTS.dll.

However, I would not really endorse what you're doing with the separate
object, since it means the user can't use documented System.Net.Mail
syntax. If you want them to be able to mail, it makes sense to let them
use the well-known class. I would recommend that you use the
restrict-by-IP method I described earlier (and still disable the old
System.Web.Mail).

-- Sandy



------------------------------------
Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
------------------------------------