Mweb proxy SMTP weirdness.

Kilo1

What is Mweb doing? I've got a VPS box in the States, on which I know for a fact that the SMTP port is closed. Yet when I do a basic nmap scan I get the following....

Host is up (0.29s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
1720/tcp filtered H.323/Q.931
1723/tcp open pptp
10000/tcp open snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 8.56 seconds


This clearly shows SMTP is open, yet I can assure you that it's not. It's even got drop rules set in iptables for TCP 25.

Try telnet to this same IP and you get an SMTP interceptor of some sort....

C:\Users\kilo>telnet 216.231.132.59 25

220 dbn-redirect02.mweb.co.za ESMTP Exim 4.77 Mon, 30 Apr 2012 20:44:33 +0200

What are they doing and what for? This is my question.
 
Update:

It seems even IS DNS servers are mail relays.... wtf.

Nmap scan report for dnscache1.is.co.za (168.210.2.2)
Host is up (0.027s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp closed domain
 
Further inspection shows that even when connecting to legitimate SMTP servers on port 25, these are redirected to 220 dbn-redirect02.mweb.co.za ESMTP. The only reason for this I can think of is to ensure mail is relayed regardless of SMTP settings in various clients that are on the network.
 
Hi kilo1

What are your SMTP settings currently, and are you using your own email address and MWEB as your ISP?
 
Yes, I'm using Mweb uncapped, but I'm not sending mail via this connection. I'm performing scans to hosts that I know do not have SMTP open, yet I still see it open and intercepted. I just want to know the function of intercepting my outbound SMTP traffic. Does it help with spam or malware-infected zombies?
 
I've also had problems with my Mweb email and Vox accounts. When using Vox it's an SMTP error, so I changed to smtp.telkom.co.za. When using my Mweb email it's a POP and SMTP problem, so I just forward all my Mweb mail to my Vox address. According to some oke I know, it's Telkom denying something or other because of spam. Mweb guy, do you know anything about this? :confused:
 
I heard about SMTP problems with Mweb the other day (specifically using 3rd party SMTP, with auth), but me being a loyal Mweb customer, I dismissed it as user error. BUT, based on what I've seen tonight, there is definitely some SMTP intercepting going on which may indeed cause unforeseen issues. I know this because we use the same SMTP redirect technique with our WiFi hotspots. I just had no idea Mweb would be using the same on their DSL network. MWEB Guy, can you shed some light on this?
 
NMAP scanned from my Mweb DSL connection at home:
-----------------------------------------------------
Nmap scan report for dnscache1.is.co.za (168.210.2.2)
Host is up (0.027s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp closed domain

NMAP scanned from my VPS server in the USA:
---------------------------------------------
root@loki:/# nmap 168.210.2.2

Starting Nmap 5.00 ( http://nmap.org ) at 2012-04-30 15:29 CDT
Interesting ports on dnscache1.is.co.za (168.210.2.2):
Not shown: 999 filtered ports
PORT STATE SERVICE
53/tcp closed domain

When using my Mweb DSL, why do I see port 25 open on the IS DNS server? It's pretty obvious it's not.
 
Lol, you may want to search the forum for this ;)

Port 25 is redirected on Mweb (and Webafrica among others) home connections to their own relay servers for antispam purposes. Should you wish to use external SMTP, you can use the alternate submission port of 587.
 
Thanks dude! I did search briefly but it turned up nothing. SMTP redirection is a bit sneaky though. I've heard it's been causing some issues for people using 3rd party SMTP with authentication. I didn't believe it until tonight and saw it for myself.
 
I understand why they do it, but wanted MWEB Guy to explain it lol. They should give us the choice tho. I'm paying for internet, and I don't want any interference with traffic, inbound or outbound by default.
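
Added example, not part of any post in this thread: a Python sketch of the two checks the thread carries out by hand, comparing nmap results from inside and outside the ISP, and spotting one SMTP greeting host answering port 25 for unrelated targets. The function names and the documentation-range target addresses are assumptions made for illustration; the scan tables and the greeting line are the ones posted above.

```python
import re
from collections import defaultdict

BANNER_RE = re.compile(r"^220[ -](\S+)")            # "220 <hostname> ESMTP ..."
OPEN_RE = re.compile(r"^(\d+)/tcp\s+open\b", re.M)  # rows of nmap's port table

def banner_host(line):
    """Hostname announced in an SMTP 220 greeting, or None if not a greeting."""
    m = BANNER_RE.match(line.strip())
    return m.group(1).lower() if m else None

def open_ports(nmap_text):
    """Open TCP ports listed in nmap's normal output."""
    return {int(p) for p in OPEN_RE.findall(nmap_text)}

def vantage_diff(inside_scan, outside_scan):
    """Ports that look open from inside the ISP but not from outside it."""
    return sorted(open_ports(inside_scan) - open_ports(outside_scan))

def shared_greeters(observations, min_targets=2):
    """Banner hosts that answered port 25 for several distinct target IPs.

    Unrelated servers do not greet with the same hostname, so a shared
    greeter means something on the path is terminating the connections.
    """
    seen = defaultdict(set)
    for ip, port, line in observations:
        host = banner_host(line)
        if port == 25 and host:
            seen[host].add(ip)
    return {h: sorted(ips) for h, ips in seen.items() if len(ips) >= min_targets}

# Port tables as posted in the thread (same target, two vantage points).
DSL_SCAN = "PORT STATE SERVICE\n25/tcp open smtp\n53/tcp closed domain\n"
VPS_SCAN = "PORT STATE SERVICE\n53/tcp closed domain\n"

# Constructed observations: the greeting is the one quoted in the thread; the
# target addresses are documentation ranges standing in for unrelated servers.
GREETING = "220 dbn-redirect02.mweb.co.za ESMTP Exim 4.77 Mon, 30 Apr 2012 20:44:33 +0200"
SAMPLE = [
    ("192.0.2.10", 25, GREETING),
    ("198.51.100.7", 25, GREETING),
    ("203.0.113.5", 587, "220 mail.example.net ESMTP ready"),
]

if __name__ == "__main__":
    print("open only from inside:", vantage_diff(DSL_SCAN, VPS_SCAN))
    print("shared greeters:", shared_greeters(SAMPLE))
```

A port that is open only from the inside vantage point, combined with a greeting host shared across unrelated targets, matches the port 25 redirection described in the thread; traffic to the submission port 587 is not part of that pattern.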
 