Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

Protecting a WordPress Contact Form with reCAPTCHA

Wordpress Comments Off

Jun 112019

Having a contact form is one of the most important pages a web site can have. It enables you to receive communication for your audience or customers without having to provide a specific email address. Publishing an email address on your site while simple to implement and low-tech makes it easy for the email address to be harvested by site scraping tools used by spammers. A web based contact form solves this but it too can be exploited by automated bots or malicious visitors unless you implement an interactive mechanism like reCAPTCHA to validate form submissions. In this walk-through I will demonstrate how to setup a WordPress contact form using the free plugin Contact Form by WPForms and Google reCAPTCHA which is free too.

Setting up Google reCAPTCHA

Before setting up Contact Form by WPForms you should first configure a free reCAPTCHA account at Google reCAPTCHA. Click the Admin console button on the welcome page. After you login to your Google account you will be prompted to register the site where you plan to utilize reCAPTCHA. Enter a name your site, select which version of reCAPTCHA you want to use, enter your domain name, accept the Terms of Service, and then click Submit. ReCAPTCHA v2 will display series of pictures for validation to anyone attempting to submit your contact form. ReCAPTCHA v3 does not present any pictures during the validation process.

Once you have registered your domain name in the reCAPTCHA system you will be able to copy the reCAPTCHA site key and secret key. These keys will need to entered into the WPForms plugin settings from the WordPress admin Dashboard. Copy them into the Windows clipboard or Notepad to keep them handy.

Configuring Contact Form by WPForms with reCAPTCHA

Before you can configure a WordPress contact form you need to ensure your site’s SMTP settings are properly configured. Using the free plugin WP Mail SMTP by WPforms makes it incredibly easy to configure WordPress SMTP settings. This walk-through assumes you already have your SMTP settings configured.

Both Contact Form by WPForms and WP Mail SMTP by WPforms can be installed from your WordPress admin Dashboard. Simply search for them them in the WordPress Plugin Directory and then click Install Now for each. After they have been installed click the Activate button on the plugin properties.

After you activate Contact Form by WPForms click on the plugin settings menu. Do this before you configure your first form. From there you will see another menu item for reCAPTCHA. Click on it.

Now you can cut and paste the reCAPTCHA keys you saved earlier. Match the Type of reCAPTCHA you originally configured and then click Save.

Create a new contact form

After closing the reCAPTCHA settings, click on the WPForms menu. You should see something like the image below. Click Add New.

On the form’s Setup screen click Create Simple Contact Form.

On the next screen you will manage the various properties of the new contact form. Click the Settings menu. At the bottom of the General settings you will see the option to Enable Google Checkbox v2 reCAPTCHA. Click the checkbox next to it and then save the form. The contact form is ready for action. Simply embed the form’s shortcode in a WordPress page start using it.

Testing the contact form with reCAPTCHA

When you browse your site’s new contact page you will be required to prove you’re not a robot by clicking the reCAPTCHA checkbox before you can submit the form.

If there is any question about your authenticity you will be prompted to manually select a series of photos before continuing. If the validation isn’t completed properly the form will not be submitted.

Once the reCAPTCHA process is satisfied that you’re a real person the contact form will be allowed to be submitted.

In Summary

Having a contact form on your web site is great way to receive communication from your audience or customers however you have to make sure it’s not misused by automated bots or malicious visitors. The free WordPress plugin Contact Form by WPForms makes it easy to protect your contact form using Google reCAPTCHA to ensure only real people are using it. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

IIS 8.5 SNI – Fixing SSL_ERROR_BAD_CERT_DOMAIN

IIS, Windows Server 2012 Comments Off

Jun 022019

As you probably know SSL certificates use the https protocol to encrypt communication between your web browser and the web server hosting the web site you’re visiting. You can always tell when your session has been encrypted because your browser will display a lock icon near the address of the site in the browser’s location bar. If your web site doesn’t already have an SSL certificate you really need to get one. Certain web browsers have already started identifying sites without SSL as “not secure” even if there’s no ecommerce function or data transfer and Google also announced they would lower a site’s search rankings if it didn’t feature SSL again regardless of the site’s function.

So as every good sys admin should do I have deployed SSL certificates for all my sites. Recently I installed a new SSL certificate for my blog but upon testing it afterwards to ensure everything was working properly I was presented with the unsettling error message below indicating Warning: Potential Security Risk Ahead. Clearly something was amiss.

SSL_ERROR_BAD_CERT_DOMAIN

When viewing the advanced details of the error displayed below I saw the error code SSL_ERROR_BAD_CERT_DOMAIN. Naturally I was surprised to see this error because I knew my certificate had just been issued and wasn’t expired or using an old hashing algorithm etc. Upon closer inspection I could see the error was indicating the certificate was only valid for a different domain name which was not the domain of my site. This was a little confusing because I had just installed the new certificate and knew with complete certainty that it was registered in the name of my domain not the domain identified in the error message. The other domain name in question was also hosted on my server so this was a good clue to check site bindings.

Managing IIS Server Certificates

The next step was to double check the installed certificates. Using IIS Manager you can easily find and manage all of the certificates installed on the server. This is handy when you need to quickly identify expiration dates for example but to see how the certificates are assigned you will need to check the individual site bindings.

One other way to see all the SSL certificate bindings is to run the following command:

netsh http show sslcert

1	netsh http show sslcert

This will output advanced details about all of the certificates installed on the server including the hostname:port and certificate store where the certificate is located.

IIS Server Name Indication (SNI)

The server hosting my site uses Windows Server 2012 R2 with IIS 8.5 which has a powerful feature for hosting SSL certificates called Server Name Indication (SNI). SNI allows multiple SSL certificates using different domain names to leverage a single dedicated IP address. Before IIS 8 this could only be accomplished with a wild card certificate. So after reviewing the SSL_ERROR_BAD_CERT_DOMAIN error message I knew the issue had to be related to an incorrect IIS site binding related to SNI config. As you can see in the picture below the SNI feature needs to be enabled by checking the box Require Server Name Indication. My site was sharing the same IP address as another site featuring a different SSL certificate and in my haste to install the new certificate I had not checked the Require Server Name Indication box. Once I did that and saved the settings my site was operational again without the security warning.

In Summary

Starting with IIS 8 scaling SSL certificates has never been easier thanks to Server Name Indication (SNI). The caveat with this increased scalability is that you have to ensure your site https bindings are always set properly by checking the Require Server Name Indication box on the https binding. If not set properly your site visitors will be greeted by the Potential Security Risk warning related to the SSL_ERROR_BAD_CERT_DOMAIN error. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Resolving IIS WMSVC Underlying Connection Was Closed

IIS, Windows Server 2008, Windows Server 2012 Comments Off

Dec 082018

IIS Manager Remote Administration is a handy tool for for a web server administrator when you have multiple servers to manage. This feature will save you the trouble of having to Remote Desktop into each server every time you need to touch IIS. With IIS Manager Remote Administration you can login to one server for example and then configure IIS Manager with connections to other servers that you manage. Or depending on the security of your enterprise you could even configure IIS Manager on your workstation and connect to the other servers from there. This becomes especially helpful if your enterprise has extra layers of security such as two factor authentication to lock down Remote Desktop access.

The underlying connection was closed: An unexpected error occurred on a send

Usually it works great. However, sometimes you may encounter connection problems while attempting to connect to your other severs. I recently experienced one such error as shown below. It was occurring at nearly the final step of the remote management wizard after authenticating with my admin credentials. It indicated that The underlying connection was closed: An unexpected error occurred on a send. I have used IIS Manager Remote Administration for many years and this was the first time I had ever seen this particular error. I went through the usual trouble shooting steps of ensuring port 8172 wasn’t blocked at the local firewall on either end. So then I decided to try reproducing the error on some other servers that I support and sure enough each server had this same issue.

I work for a large corporation that follows the practice of Separation of Duties which simply means that several different departments are involved with installing, configuring, and deploying our Windows servers. In my role as an IIS web server administrator I know that many hands have touched the servers that I manage before the server is ever released to my team.

Checking the Management Service Certificate

Another place I checked was the Management Service itself. From here I could see that the WMSVC certificate was correctly assigned. I was beginning to feel a bit flummoxed at this point. Everything I had checked so far appeared to be configured correctly.

Checking Port 8172 Certificate Binding

At a loss for a clear explanation of why I was getting the error above I decided to check online to see if anyone else had ever experienced it. Searching for the error online I saw a suggestion to check the certificate binding on port 8172 using Netsh. Netsh is a command line utility that allows one to modify or display numerous settings of a server’s network configuration. To check a server’s certificate bindings you just execute the following command.

netsh http show sslcert

1	netsh http show sslcert

Scrolling through the output I arrived at the settings for port 8172 and I could see the Certificate Hash of the certificate being used for this port. Next I went back to IIS Manager to double check the certificates that were installed on the server. In addition to the certificates of several applications hosted on the server I saw the WMSVC certificate. This is the default certificate used to secure the remote management communication between servers. At this point a light bulb went off in my head because I could clearly see the Certificate Hash of the WMSVC certificate was different than the Certificate Hash of the certificate bound to port 8172. In fact the certificate bound to port 8172 wasn’t even installed on the server.

Changing Port 8172 Certificate Binding

My conundrum was over. The next steps were pretty clear. I had to delete the existing certificate binding on port 8172 and then configure port 8172 to use the WMSC certificate. Here is the command to delete the existing binding for a port and IP address:

netsh http delete sslcert ipport=0.0.0.0:8172

1	netsh http delete sslcert ipport=0.0.0.0:8172

Here is the command to bind a new certificate to port 8172. Just replace XX below with the correct thumbrint of your certificate.

netsh http add sslcert ipport=<a href="http://0.0.0.0:8172/">0.0.0.0:8172</a> certhash=XX appid={00000000-0000-0000-0000-000000000000} clientcertnegotiation=enable

1	netsh http add sslcert ipport=<a href="http://0.0.0.0:8172/">0.0.0.0:8172</a> certhash=XX appid={00000000-0000-0000-0000-000000000000} clientcertnegotiation=enable

Back to the Remote Admin Wizard

After deleting the old certificate and configuring the correct one, I returned to the Remote Administration wizard and tried it again.

With the correct certificate configured on port 8172 I was finally able to complete the Remote Administration wizard.

In Summary

IIS Manager Remote Administration is a handy tool for administrators to save time managing IIS without having to always use Remote Desktop to login to another server. If you have issues configuring remote management between servers be sure to double check the certificates that are installed as well as the bindings for port 8172 using Netsh commands. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Securing SmarterMail in 10 Steps

Email Comments Off

Dec 012018

You may not be familiar with SmarterMail from Smatertools.com but it is an enterprise class Windows based mail server. It has a powerful web based management GUI and the company regularly releases version updates containing bug fixes and new features. However, in my opinion one of the most compelling reasons to try SmarterMail is that they offer a full featured version free for one domain.

You may think configuring an enterprise mail server application could be a challenge but fortunately SmarterMail’s administration interface is organized in an intuitive way and the Smartermail Help manual is always available online. In this blog post I will cover a few key features that you want to configure to ensure your installation of SmarterMail is locked down. Some settings will depend on the volume of your mail server so adjust accordingly and double check often.

Change the admin password

If you’ve just installed SmarterMail the next step you will encounter after the install wizard completes is a prompt to set the admin password. Following Best Practices You should be changing it on a regular basis. This can be performed from the Settings menu by clicking on System Administrators as shown below.

However, there may come a time when you are not able to login to SmarterMail to change the admin password. To manually reset it without logging in you just need to edit mailconfig.xml which is usually located in C:\Program Files (x86)\SmarterTools\SmarterMail\Service. As noted within the file, you just need to delete the <sysAdminUserName> and <sysAdminPasswordHash> lines and then restart the SmarterMail service.

Change SMTP Relay and Authentication

On the Settings menu click on Protocol Settings and then click the SMTP In tab. Only authenticated users should be allowed to relay mail. From the Allow Relay pulldown Select Nobody and then on the Require Auth Match pulldown menu select Email Address. Next in the options at the bottom of the list check the box Allow relay for authenticated users. These settings will only allow local accounts that have successfully authenticated to send mail off the server i.e relay and in order to authenticate the users are required to provide the complete email address. SmarterMail wisely recognizes how these settings could be cause issues and have highlighted a warning at the top of the page.

Limit IP Addresses and Ports

On the Settings menu select Bindings and then click on IP Addresses. Ensure other IP addresses on the server are not enabled for mail services.

Then click on each IP address and ensure only the necessary ports are enabled.

For even greater security you should also configure SSL / TLS for your services.

Internal Spammer Notification

This is a setting that ultimately depends on the volume of your mail server. It is located under the Security menu –> Advanced Settings –> Abuse Detection. This feature will send a notification to a designated mailbox when message volume exceeds a preset threshold. The recipient could be the mail admin or a group mailbox. Regardless who receives this notification they needs to be able to leap into action and potentially lock down an account that has been exploited and is sending spam.

Without the Internal Spammer Notification enabled you will have to rely on the System Summary – Message Traffic Report to quickly identify which domain on your mail server is sending spam. Change the date filter to today and depending on the usual message volume on your server it should be obvious which domain is sending the spam. Next click on the domain in question and then you’ll see which mailboxes within that domain have the highest message count. That is the mailbox that has been exploited. You will need to temporarily reset the password of the mailbox in question to stop the spam from being sent.

Continuing with this example after resetting the password of the mailbox sending out the spam you’ll want to use a program such as GrepWin to purge the messages from the SmarterMail spool. If you don’t immediately delete that mail from the spool, SmarterMail continue to attempt to send it out which will most likely result in your mail sever being quickly being blacklisted.

Enable Greylisting

Greylisting is a great tool to leverage against spammers. It deliberately slows mail service by a preset amount of time using SMTP 4XX reply codes which tell the sender’s mail server to queue the message and try again shortly. Legitimate SMTP servers sending mail will be whitelisted for a lengthy period of time and then will be able to deliver mail as usual without repeat delays. SMTP servers used by Spammers that are not configured for 4XX queue timeouts will not reattempt to resend their junk mail there by preventing it from getting delivered. And even if spammers do configure their servers accommodate greylisting they will still most likely get blocked by Real-Time Blackhole Lists (RBL).

Configure Real-Time Blackhole Lists (RBL)

The Antispam Administration settings for SmarterMail are comprehensive. Many of these settings will need to tested and evaluated over time. The security settings are easy to reach from the navigation menu. The Spam Checks tab controls weighted numeric scores that are assigned to the incoming mail as it gets processed. The higher the numeric score the greater the likelihood that the message is spam. RBL servers are 3rd party resources that maintain extensive lists of mail server IP addresses where the servers in question have been identified as sending spam. RBL server checks should have a high weighted score so any IP address that is matched to an address already on an RBL is immediately blocked.

Configure Spam Filtering Thresholds

On Filtering tab of the Antispam Administration page you will adjust the Weight Threshold actions. So in the example below a message with a total score of 5 is considered normal mail and will delivered into a users inbox. A message with score of 12-17 is probably spam but the user can still review it in their inbox’s Junk E-Mail folder. Anything over 17 should be deleted and not delivered to the users. These values are globally set for all mailboxes by default. However, you can allow users to change the weight thresholds for their own mail in their domain’s settings. The other tabs on the Antispam Administration page are straight forward to configure.

SMTP Authentication Bypass

The SMTP Authentication Bypass settings should be used with caution and reviewed frequently. Adding an IP address to this list as the name implies will allow mail being sent from that IP to skip the authentication procedures configured above. One might do this for an internal web server so that sites hosted on that server can conveniently send mail outside the network. However, it can quickly lead to trouble because if any of the web sites happen to have poor design security a simple contact form could be leveraged for spamming. In this situation because the IP address the of web server hosting the site is present on this page the bypass rule will let the spam flow out unimpeded. This simple oversight could quickly cause your mail server to be blacklisted before anyone even realizes it.

Abuse Detection

As mentioned above the Abuse Detection settings are under the Security menu and then click on Advanced Settings. These are all threshold settings that will notify a system administrator when the specific metric has been exceeded. The settings will need to be modified based on the volume of your mail server.

Password Complexity

The SmarterMail mailbox Password Requirement rules are globally applied to all mailboxes on the server. Best Practices dictate that you should require all users to have complex passwords using mixed case and at least numbers if not special characters too. As with many of the other settings these will need to be adjusted according to the number of mailboxes you have on your server. I have supported large enterprise deployments of SmarterMail with 4000+ mailboxes. If you are only managing a fraction of that size you may be able to have less stringent requirements. However, it’s always better to be more cautious than less cautious.

A handy complement to the Password Complexity requirements is the Password Policy Compliance report that can be accessed on the Manage menu. It identifies all the mailboxes on the server that do not meet the configured required settings. It is a helpful report that quickly shows which mailboxes need to be corrected.

In Summary

SmarterMail by Smatertools.com is an enterprise Windows mail server with a powerful administration interface. I have highlighted 10 areas that should be configured to ensure your SmarterMail server is locked down and secured minimizing the chances of mailboxes being exploited by spammers. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

MX Guarddog – Unparalleled Free Spam Filtering

Email Comments Off

Nov 112018

According to the IBM Threat Intelligence Index Spam email volume continues to rise every year as does the threat from sophisticated phishing emails or seemingly innocuous messages with malicious attachments. You may never have heard of MX Guarddog but they have been providing “best in class” email security solutions since 2006. In my opinion the most compelling reason to use their service is that they offer free spam filter in exchange for a backlink otherwise their rate is a paltry $0.25 per mailbox.

Configuring MX Guarddog Email Security

Another compelling reason to use MX Guarddog is that their filtering service is so simple to implement. After setting up your free account and configuring your settings all you need to do is change your domain name’s MX records to point to their mail servers. Once your mail goes through their filtering service it will be delivered as usual to your mail server and with minimal delay. When you login to your account you’ll arrive at the Domain Center as shown below. From this dashboard you will maintain all of your account settings. If you have configured multiple domains within your account just click on change focus to access those other domains. The navigation and menus will be identical regardless of how many domains you have configured.

Configuring your mailboxes

Clicking on the Emailing Addresses section of the Domain Center will enable you will to configure your individual mailboxes per domain. In addition to adding mailboxes you can configure a mailbox alias your a catch-all however following email best practices you should never configure a catch-all account. Of course there are certain cases when a catch-all could be used but in general it will usually just significantly increase the the amount of spam you receive.

Configuring your destination mail server

From the Domain Center dashboard click on Your Email Servers to configure your mail server MX records. This is the mail server that is currently hosting your mailboxes. If you’re not sure of the mail server MX records then check with your service provider or use a free tool such as mxtoolbox.com to look up your MX records. For my personal mail I use Zoho.com which is a free mail service provider that provides 5 GB of space and allows you to use a domain name at no additional cost.

As you can see in the picture above there is a tool available to send a test sending a message to your mailbox using the MX records you entered. This tool will help ensure everything is configured correctly. If the test is unsuccessful a notification will be displayed.

Configuring MX Guarddog mail servers

From the Domain Center dashboard click on MX Guarddog servers to see the new MX records that you need to configure with your domain registrar. Using your domain registrar’s DNS control panel you will replace your existing MX records with the new MX records provided by MX Guarddog. Once you complete this change, your MX Guarddog configuration will be complete. As you can see in the picture below, your domain’s new MX records will be clearly displayed.

Spam Filtering Aggression

If you click on Aggression, from the Domain Center dashboard, you will see the options below to modify how aggressively MX Guarddog filters your mail. There is no right for wrong threshold here. Only time will tell how one should set these values. Setting a lower value to start and increasing accordingly would be the safest bet. Ultimately you want the most filtering with the least amount of false-positives. There are additional settings on this page that you can tweak such as country blacklisting and blocking sender=recipient messages which is a common type of spam where the messages appear to have been sent by the recipient which usually isn’t true.

Country Blacklisting

MX Guarddog’s blacklisting functionality is robust. As one can see in the picture below, there are several levels of blacklisting available. Country blacklisting is a great feature to leverage when you know with 100% certainty that you will never need to receive mail from certain countries. Simply check the box on the menu to block mail from that country and then uncheck the box in the future if your needs happen to change.

MX Guarddog Quarantine

After setting up your account and configuring your settings the next logical question is what happens to the mail that gets filtered. Naturally filtered mail gets quarantined. From the Domain Center dashboard you can configure how you want to be notified of quarantined mail. You have the option of receiving a daily quarantine message from MX Guarddog or not receiving any notification at all. From within the Quarantine message that you receive in your inbox, you will have the option to release any quarantined messages into your inbox, whitelisting the sender to prevent future quarantine, or ignoring the messages. Quarantined messages are purged on a periodic basis. Fortunately depending on your aggression settings and blacklisting settings your quarantine notifications may only contain a few messages each day. MX Guarddog does a great job of eliminating blatant spam without even quarantining it. However, this too is an option that can be configured unless of course you want to see everything that is filtered in which case you can review these messages one by one.

In Summary

Email spam and phishing scams are increasing year after year. Having enterprise email security filtering available for just pennies per mailbox or even free is a compelling reason to consider MX Guarddog’s service. I have worked with many mail filtering solutions including Symantec Cloud, Vircom, Positini, SmarterMail, and even Barracuda but nothing compares to the features offered by MX Guarddog at their price point. Thanks for reading.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Using Asp.Net to Process NDR Emails

ASP.NET, Email Comments Off

Dec 172017

If you’ve ever managed a mailing list or sent out an announcement to a distribution group then you have inevitably experienced non-delivery report (NDR) floods. These messages indicate delivery problems for your some of your recipients. In most cases the delivery issues are straight forward such as the mailbox no longer being valid. Investing time to track down an end user’s new email address is time consuming and unrealistic if you have thousands of addresses on your list. So the simple solution is to remove them. Again if you have a large list then removing them manually will be a considerable time investment so why not leverage some Asp.net and automate it.

Process NDR messages with ListNanny

In a previous blog post I showed how you can remove spam messages using the Asp.net components aspNetPOP3 and aspNetMime by advancedintellect.com. It turns out they also have a fantastic component for processing NDR messages called ListNanny. So in the example below I have quite a few delivery failures that need processing.

When using ListNanny the first step of your program should be importing the latest NDR definition file provided by AdvancedIntellect.

string defPath= "c:\\ndr.def.xml"; 
NDR.ImportDefinitionFile( defPath );

1 2	string defPath= "c:\\ndr.def.xml"; NDR.ImportDefinitionFile( defPath );

Next you’ll connect to the mailbox containing the NDR messages, iterate through them, identify the bounced email address and then delete the bounced message. In my example below I have have a separate function to remove the bounced address from my list but I won’t cover that.

    POP3 pop = new POP3(mailserver, userid, password);
    pop.Connect();
    int messageCount = pop.MessageCount();
       
        for (int i = 0; i < messageCount; i++)
        {
            string messageText = pop.GetMessageAsText(i);
            NDR ndrMessage = NDR.Parse(messageText);
            ndrEmail = ndrMessage.BouncedEmailAddress;

            RemoveNDREmail(ndrEmail);
            pop.Delete(i);
        }

        pop.CommitDeletes();
        pop.Disconnect();

POP3 pop = new POP3(mailserver, userid, password);

pop.Connect();

int messageCount = pop.MessageCount();

for (int i = 0; i < messageCount; i++)

{

string messageText = pop.GetMessageAsText(i);

NDR ndrMessage = NDR.Parse(messageText);

ndrEmail = ndrMessage.BouncedEmailAddress;

RemoveNDREmail(ndrEmail);

pop.Delete(i);

}

pop.CommitDeletes();

pop.Disconnect();

Depending on how you send out your announcements you may receive a non-delivery report that references multiple bounced email address. If that is the case you can use the example below to process the NDR and identify each individual recipient from the group that needs to be removed.

NDR ndrMessage = NDR.Parse(messageText);
ndrEmail = ndrMessage.BouncedEmailAddress;       
DSN dsn = ndrMessage.FindDSN();

         if (dsn != null)
         {
             foreach (object recip in dsn.RecipientCollection)
             {
                 DSNRecipient dr = (DSNRecipient)recip;
                 if (dr.FinalRecipient != null)
                 {
                    ndrEmail = dr.FinalRecipient.Value;
                 }
             }
         }

NDR ndrMessage = NDR.Parse(messageText);

ndrEmail = ndrMessage.BouncedEmailAddress;

DSN dsn = ndrMessage.FindDSN();

if (dsn != null)

{

foreach (object recip in dsn.RecipientCollection)

{

DSNRecipient dr = (DSNRecipient)recip;

if (dr.FinalRecipient != null)

{

ndrEmail = dr.FinalRecipient.Value;

}

In Summary

Managing non-delivery report (NDR) emails can be a challenge when you need to prune stale emails from your mailinglist. Fortunately the folks at advancedintellect.com have a great asp.net component called ListNanny which can help automate processing your NDR messages and minimize future bounce emails. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Using Asp.net to Remove Spam And Keep Good Mail

ASP.NET, Email Comments Off

Nov 142017

Recently I was cleaning up a personal mailbox I’ve kept over the years for use when a 3rd party asks for an email address and I don’t want to provide my primary one. In these situations I prefer to give an address that I don’t frequently use because I know eventually I’ll start getting targeted unsolicited mail i.e spam from them. Ordinarily when cleaning out these mailboxes I would just purge it all however on this particular occasion I needed to keep some of the legitimate mail that was mixed in with the spam. I decided to do what any good programmer would do so I fired up some C# to surgically remove the spam.

Read Email Using POP3 With ASP.NET

When I initially checked my mailbox online I could see 3,900 unread messages waiting for me but it was obvious much of this was just marketing nonsense about 4K TVs, insurance quotes, limited time offers, and everything else you can imagine.

POP3 and IMAP are protocols used by mail clients to login to mailboxes and manage the messages contained in the mailbox. To perform this programmatically using Asp.net I decided to leverage aspNetPOP3 and aspNetMime by Dave Wanta at www.advancedintellect.com. These components make it easy to login to a mailbox with just a few lines code. At first I’m just going to download the message subjects into an array to identify the most repeat offenders. After sorting the array with the subjects I write it to a file.

POP3 pop = new POP3("server", "username", "pw");
            pop.Connect();
            int messageCount = pop.MessageCount();

            var subjects = new string[messageCount];

            for (int i = 0; i &lt; messageCount; i++)
            {
                try
                {
                    aspNetMime.MimeMessage msg = pop.GetMessage(i);
                    subjects[i] = msg.Subject.Value;
                }
                catch
                { }
            }
               

            var subjCounts = subjects.GroupBy(z =&gt; z);
            foreach (var group in subjCounts)
                activityLog(group.Key+ " -&gt; "+ group.Count());

            pop.Disconnect();

POP3 pop = new POP3("server", "username", "pw");

pop.Connect();

int messageCount = pop.MessageCount();

var subjects = new string[messageCount];

for (int i = 0; i < messageCount; i++)

{

try

{

aspNetMime.MimeMessage msg = pop.GetMessage(i);

subjects[i] = msg.Subject.Value;

}

catch

{ }

}

var subjCounts = subjects.GroupBy(z => z);

foreach (var group in subjCounts)

activityLog(group.Key+ " -> "+ group.Count());

pop.Disconnect();

Looking through the file it’s easy to see how much junk there is in the mailbox. Here is just a sample:

I will manually edit the file so that it only contains the message subjects that I want to delete. In the next part of the program I log back into the mailbox and loop through each message again and compare message subject to the subjects contained in the blacklist file. If it matches then the message is marked for deletion. After the program loops through all the messages the last command is to commit the deletes. Afterwards I will log back into the mailbox online and see how the inbox looks. If it feels like there’s still too much spam then I’ll go run the program again using a new batch of subjects.

  string[] subjectsArr = File.ReadAllLines(Directory.GetCurrentDirectory() + @"\subjects.txt");

            POP3 pop = new POP3("server", "username", "pw");
            pop.Connect();
            int messageCount = pop.MessageCount();

            for (int i = 0; i < messageCount; i++)
            {
                aspNetMime.MimeMessage msg = pop.GetMessage(i);
                foreach (string spamKeyword in subjectsArr)
                    if (msg.Subject.Value.Contains(spamKeyword))
                    { 
                        pop.Delete(i);
                        break;
                    }
            }
      
            pop.CommitDeletes();
            pop.Disconnect();

string[] subjectsArr = File.ReadAllLines(Directory.GetCurrentDirectory() + @"\subjects.txt");

POP3 pop = new POP3("server", "username", "pw");

pop.Connect();

int messageCount = pop.MessageCount();

for (int i = 0; i < messageCount; i++)

{

aspNetMime.MimeMessage msg = pop.GetMessage(i);

foreach (string spamKeyword in subjectsArr)

if (msg.Subject.Value.Contains(spamKeyword))

{

pop.Delete(i);

break;

}

pop.CommitDeletes();

pop.Disconnect();

In Summary

Sometimes it’s necessary to manually clean up the spam from a mailbox rather just purging everything. Using aspNetPOP3 and aspNetMime from www.advancedintellect.com it’s easy to create an asp.net program to identify and delete only the spam messages from your mailbox while keeping the good mail. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Securing SmarterMail with SSL / TLS

Email Comments Off

Jul 152017

SmarterMail from Smatertools.com is a fantastic enterprise class Windows based mail server. One of the most compelling reasons to try Smatermail is that they offer a full featured version free for one domain. Leveraging SSL/TLS protocols with SmarterMail allows mail communication to be encrypted increasing privacy and security.

Export SSL Certificate to PFX File

Before making changes to Smartermail you will need to export the SSL certificate you intend to use to a PFX file that is password protected and contains the private key of the certificate. Smartertools recommends copying the file to C:\smartertools\certificates.

Open Microsoft Management Console (MMC)
Select Add new Snap-In and then select Certificates
Expand the Personal certificate store and then select the certificate you want to export
Right click on the certificate and select Export
Select PKCS #12 (PFX) and click Next to save the file

Configure SmarterMail SSL/TLS Ports

After logging into SmarterMail using an administrator account, go to the Settings menu and then click on Bindings and then Ports. From this page you will see the currently configured Ports SmarterMail is using and whether or not they are using SSL and TLS.

From the Ports men select New to add each additional port you intend to configure with SSL. In the example below I’m configuring SSL to be used with the SMTP Protocol on Port 465. Enter the certificate path to the PFX file that was exported in the previous steps. After entering the password click the Verify Certificate button to validate the path and certificate password are correct. When the certificate verification has successfully completed a notification will be displayed across the pop-up window. Click Save and the repeat the steps for any additional ports you intend to configure with SSL.

Configure SSL/TLS IP Address Bindings

Again from the SmarterMail Settings menu click on Bindings and then IP Addresses. From the list of configured IP Addresses select the one that is used by the mail server services and then click Edit. Select the new SSL/TLS ports that you added in the previous step that will be used and then click Save.

Open Firewall Ports for SSL/TLS

Be sure to open the new ports on your firewall appliance. In the example below I’m opening the additional SMTP ports using the local Windows Firewall on my server. The following ports can used for SSL/TLS.

25 (TLS), 110 (TLS), 143 (TLS)
465 (SSL), 993 (SSL), 995 (SSL)

Configure Mail Client for SSL/TLS

Once you have confirmed the new ports have been added to SmarterMail and the Firewall Ports are open you just need to configure your mail client to use the new settings.

The Incoming Server (POP3) settings should use port 995.

The Outgoing Server (SMTP) settings should use port 465.

In Summary

SmarterMail is an enterprise class mail server that allows securing your mail communication using SSL/TLS for greater privacy and security. Thanks for reading.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Filtering IP Ranges From SmarterStats Reports

Analytics Comments Off

Dec 162016

Recently while looking through my site’s traffic report from the past few months I noticed an unusual spike. I use SmarterStats by SmarterTools which is a web based enterprise analytics tool and is free for one domain. After looking through a few other reports I came to realize that the spike I was seeing was caused by my site monitoring tool UptimeRobot. I didn’t want that activity to skew my stats so I decided to remove their IP address from the reports.

Using Logparser to find IP addresses by userAgent

UptimeRobot’s monitoring services use a range of IP addresses so I decided to use Log Parser to double check my logs to see which IPs of theirs where showing up. Here’s the query I used.

logparser  -i:iisw3c "SELECT c-ip, count(*) as [count] INTO ip.txt 
FROM C:\wwwlogs\W3SVC1\*.log where index_of(cs(user-agent),'uptimerobot') &gt;1 
GROUP BY c-ip ORDER BY count(*)"

logparser -i:iisw3c "SELECT c-ip, count(*) as [count] INTO ip.txt

FROM C:\wwwlogs\W3SVC1\*.log where index_of(cs(user-agent),'uptimerobot') >1

GROUP BY c-ip ORDER BY count(*)"

Add a Log Processing Rule

Log Parser quickly identified the IPs I wanted to exclude. Fortunately SmarterStats makes it easy to exclude a variety of data from your reports. After logging into your Stats report click on Settings and then Log Processing Rules.

Click Add from the menu and select Log Processing Rule. The Import Filter window will open and you can configure what you need to exclude or include.

To exclude the UptimeRobot IP addresses I enter the ranges 69.162.124.226 – 69.162.124.237 and 63.143.42.242 – 63.143.42.253. Their service uses a variety of IP addresses depending on where you are in the world. You can read more about that here.

Reprocessing Logs

After you have added the metrics that you want to filter from your logs you should clikc the Reprocess button. Depending on how many months or years of data you have in your logs it will take anywhere from a few minutes to a few hours. You will be able to monitor the import process from your report dashboard.

In Summary

SmarterStats by SmarterTools is a comprehensive web analytics tool. Periodically you may need to exclude data from your stats reports such activity from site monitoring services like UptimeRobot. Thanks for reading!

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Using aspnet_regiis.exe to Encrypt Connection Strings

ASP.NET, IIS, Windows Server 2008, Windows Server 2012 Comments Off

Feb 062016

When it comes to securing IIS web applications on Windows Server 20008 R2 or Windows Server 2012 R2 one typically thinks of firewalls, access control lists (ACL), and using an application pool identity. These security measures will protect a site from external threats . However, .Net configuration files which typically store username and password data are text files so anyone with admin access to the server can read their contents. The only way to prevent prying eyes from seeing app.config or web.config passwords is to encrypt them. Fortunately encrypting the connectionStrings section of a config file is straight foward. You can also encrypt other configuration sections in addition to connectionStrings section. Encrypting and decrypting config files can be performed programatically using .NET Framework methods or by using the ASP.NET IIS Registration tool (aspnet_regiis.exe). With the encryption commands you can target either the path to the config file or reference an IIS application name. In my examples I will be encrypting and decrypting the connectionStrings section with the .NET Framework 4.

Encrypting Configuration Sections

You will find aspnet_regiis.exe in the C:\Windows\Microsoft.NET\Framework\version\ folder. With the .NET Framework you can use the builtin protected configuration providers RSAProtectedConfigurationProvider or DPAPIProtectedConfigurationProvider to encrypt and decrypt sections of your config files. You can also create your own provider. The general synatax to encrypt a config section is as follows:

<strong>aspnet_regiis.exe -pef section physical_directory -prov provider<br>or<br>aspnet_regiis.exe -pe section -app virtual_directory -prov provider</strong>

1	<strong>aspnet_regiis.exe -pef section physical_directory -prov provider<br>or<br>aspnet_regiis.exe -pe section -app virtual_directory -prov provider</strong>

It is important to note when using aspnet_regiis.exe to encrypt or decrypt config files and you specify a physical path (rather than a web app name) the command is hardcoded for a file named “web.config”. If you are trying to run the command against an app.config you will first need to rename that file to web.config before running the command. Rename it back afterwards before using it. For this reason I find it easier to create a .bat file hardcoded with the necessary command syntax to encrypt my configs and then a 2nd .bat file to decrypt my configs.

On my Windows 2012 R2 server I have setup an IIS 8.5 site called domain1.com. For the example below I am using the builtin DPAPI provider to encrypt a web.config in c:\domains\domain1.com. The encrypted web.config is shown below.

<strong>aspnet_regiis.exe -pef "connectionStrings" "c:\domains\domain1.com" <br>-prov "DataProtectionConfigurationProvider"</strong>

1	<strong>aspnet_regiis.exe -pef "connectionStrings" "c:\domains\domain1.com" <br>-prov "DataProtectionConfigurationProvider"</strong>

Decrypting Configuration Sections

Following steps above we have now encrypted the connectionStrings section of the web.config for domain1.com. Naturally We also need to be able to decrypt it. When decrypting a config section you do not need to specify the protected configuration provider. Just like when encrypting a config file we can target either a file path or IIS web application name. Here is the syntax to decrypt a configuration file section:

<strong>aspnet_regiis.exe –pdf section physical_directory <br>or<br>aspnet_regiis.exe –pd section -app virtual_directory</strong>

1	<strong>aspnet_regiis.exe –pdf section physical_directory <br>or<br>aspnet_regiis.exe –pd section -app virtual_directory</strong>

In my example below I decrypt the connectionStrings section of my web.config in c:\domains\domain1.com. As a reminder again when using the –pdf option we do not need to specify “web.config” in the syntax.

<strong>aspnet_regiis.exe –pdf "connectionStrings" "c:\domains\domain1.com" </strong>

1	<strong>aspnet_regiis.exe –pdf "connectionStrings" "c:\domains\domain1.com" </strong>

After running the above command, the connectionStrings section of the web.config is decrypted as shown below. Once I am done editing my connection string I will follow best practices and encrypt the connectionStrings section again.

Failed to decrypt using provider error

It is important to note that when encrypting your config files the encryption key is stored locally on the server which means if you need to move your encrypted config file to another server you will need to either decrypt the config file first before moving it to the new server or export the key prior to moving and install it on the new server. If you move an encrypted config file to a server without exporting the encryption key you will receive an error like below indicating: Failed to decrypt using provider … Key not valid for use in specified state.

Creating an RSA Key Container

Fortunately moving encryption keys between servers is straight forward. We can create our own RSA key container, export it to a file, and then move it from server to server as needed. This is ideal for multi node web farm solutions where applications are deployed across multiple servers. Use the following syntax to create an RSA key container. Be sure to include the –exp option so the container can be exported:

<strong>aspnet_regiis -pc "MyFarmKey" –exp</strong>

1	<strong>aspnet_regiis -pc "MyFarmKey" –exp</strong>

Adding the configProtectedData section to your config

Next you will add the following configProtectedData section to your web.config.

&lt;configProtectedData&gt;\r\n   &lt;providers&gt;\r\n      &lt;add name="MyFarmCrypto" \r\n           type="System.Configuration.RsaProtectedConfigurationProvider, <br>System.Configuration, Version=4.0.0.0,\r\n                 Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\r\n                 processorArchitecture=MSIL"\r\n           keyContainerName="MyFarmKey" \r\n           useMachineContainer="true" /&gt;\r\n   &lt;/providers&gt;\r\n&lt;/configProtectedData&gt;

<configProtectedData>\r\n <providers>\r\n <add name="MyFarmCrypto" \r\n type="System.Configuration.RsaProtectedConfigurationProvider, <br>System.Configuration, Version=4.0.0.0,\r\n Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a\r\n processorArchitecture=MSIL"\r\n keyContainerName="MyFarmKey" \r\n useMachineContainer="true" />\r\n </providers>\r\n</configProtectedData>

Below is how my web.config looks now that I have added the configProtectedData section.

\r\n

Assigning permissions to the RSA key container

\r\n

Before the new RSA key container is ready to be used by my site domain1.com, I need to assign the application pool identity permission to access it. On the server in my example the application pool identity for domain1.com is ApplicationPoolIdentity. I use the following syntax to assign this user to the new RSA key container:

\r\n

<strong>aspnet_regiis -pa "MyFarmKey" "iis apppool\domain1.com"</strong>

1	<strong>aspnet_regiis -pa "MyFarmKey" "iis apppool\domain1.com"</strong>

\r\n

Encrypting a config with an RSA key container

After adding the configProtectedData section to the web.config and granting permission to the RSA key container for domain1.com’s application pool identity, I’ll run the encryption command again using the new “MyFarmCrypto” RSA key container:

<strong>aspnet_regiis.exe -pef "connectionStrings" "c:\domains\domain1.com"<br> -prov "MyFarmCrypto"</strong>

1	<strong>aspnet_regiis.exe -pef "connectionStrings" "c:\domains\domain1.com"<br> -prov "MyFarmCrypto"</strong>

In the image above we see the encryption succeeded. Note in the command syntax above we are specifying the configProtectionProvider name MyFarmCrypto and not the RSA key container name. If you mix that up you’ll get an error. We can see below how domain1.com’s web.config now looks after being encrypted with the new RSA key container.

\r\n

Exporting and Importing an RSA Key Container

\r\n

Now that we’ve successfully created and tested our new RSA key Container we need to export it to a file. Once it’s saved in a file we can then copy it to other servers for installation as needed. It is important to remember to use –pri option to include the private key when the export file is created otherwise you will not be able to decrypt information on the next server .

\r\n

<strong>aspnet_regiis -px "MyFarmKey" "c:\MyFarmKey.xml" –pri</strong>

1	<strong>aspnet_regiis -px "MyFarmKey" "c:\MyFarmKey.xml" –pri</strong>

\r\n

\r\n\r\n

Having logged into another server and copied the MyFarmKey.xml file to c:\temp I will import the key fil using the following command:

\r\n

<strong>aspnet_regiis -pi "MyFarmKey" "c:\temp\MyFarmKey.xml"</strong>

1	<strong>aspnet_regiis -pi "MyFarmKey" "c:\temp\MyFarmKey.xml"</strong>

\r\n

\r\n\r\n

For security purposes, after importing the key on a new server, delete the key .xml file from the server to ensure someone unauthorized doesn’t use it decrypt data. This of course assumes that you have backed up the file off server somewhere safe.

\r\n

To permanently delete the RSA key container from a server you should run this command:

\r\n

<strong>aspnet_regiis -pz "MyFarmKey"</strong>

1	<strong>aspnet_regiis -pz "MyFarmKey"</strong>

\r\n

Summary

\r\n

The .NET Framework offers powerful encryption tools to secure sensitive information like usernames and passwords in application connection strings. When encrypting a config file on a server the private key used to decrypt the information is local to the server. Creating an RSA key container will enable you to encrypt information with the same private key across multiple servers. Thanks for reading.

Peter Viola

Creative, customer focused, results oriented, Senior Web Systems Engineer who enjoys providing the highest level of customer service supporting complex Windows hosting solutions. MCITP, MCSA, MCTS

More Posts - Website

Older Entries