For anyone looking for a good RFC:
http://www.faqs.org/rfcs/

I have found being able to look up rfc1893 to be very helpful, and have
it bookmarked for quick access.

(p.s. they have all the April 1 RFCs on there too....)

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webb, Andy
Sent: Tuesday, December 23, 2003 4:08 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?


Answering myself here...

This is one of those big reasons why I believe that everyone should be
familiar with the SMTP RFCs (2821 and 2822).  You have to know what
you're looking at to understand how to diagnose issues that come up.

If you're not willing to learn how to read the dipstick, you better be
willing to pay a mechanic to check the oil for you every so often.

This isn't meant to be a slam on Mr. Hansen, rather a handy example to
all the readers of the value of some basic knowledge of how the things
you are responsible for function.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webb, Andy
Sent: Tuesday, December 23, 2003 3:05 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

No, just advertising that AUTH LOGIN is available isn't the bad thing.
There was not an authentication done in that transaction.  That message
was accepted, as messages from "postmaster" ought to be.

What would be bad is if your server then tried to make an outbound
connection to chaudhry.co.uk (assuming that's not one of your internal
domains).

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 2:47 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

OK, I think I found a problem.  The 250 AUTH in the middle:

12/23/2003 12:42:33 PM : A connection to 81.21.68.106 was established.
12/23/2003 12:42:59 PM : <<< 220 www.redmode.com ESMTP
12/23/2003 12:42:59 PM : >>> EHLO postoffice02.aruplab.com
12/23/2003 12:42:59 PM : <<< 250-www.redmode.com
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN   <----- ***ISN'T THIS BAD??***
250-PIPELINING
250 8BITMIME
12/23/2003 12:42:59 PM : >>> MAIL FROM:<>
12/23/2003 12:43:00 PM : <<< 250 ok
12/23/2003 12:43:00 PM : >>> RCPT TO:<[EMAIL PROTECTED]>
12/23/2003 12:43:00 PM : <<< 250 ok
12/23/2003 12:43:00 PM : >>> DATA
12/23/2003 12:43:00 PM : <<< 354 go ahead
12/23/2003 12:43:00 PM : <<< 250 ok 1072209192 qp 43075
12/23/2003 12:43:00 PM : >>> QUIT
12/23/2003 12:43:00 PM : <<< 221 www.redmode.com

No username, no password, no admin.  Isn't that a bad thing?

E-


-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 12:13 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Paying attention to differences between GMT time and local time, yes the
times should coincide.

If you haven't had the logging enabled, there won't be anything to look
at in the past; it will be in the future.  The way the conversation
looks is this:

Sending MTA                              Receiving MTA
<connect> ------->
                                <-------- <banner>
EHLO <me> ------>
                                <-------- 250 OK <set of supported verbs>
AUTH LOGIN ------->
                                <-------- VXNlcm5hbWU=
YWRtaW5pc3RyYXRvcg== ------->
                                <-------- UGFzc3dvcmQ=
Zm9v -------->
                                <-------- 250 OK
MAIL FROM:<addr> ------->
                                <-------- 250 OK
RCPT TO:<addr> --------->


The base64 bits decode as follows:
VXNlcm5hbWU=             Username
YWRtaW5pc3RyYXRvcg==     administrator
UGFzc3dvcmQ=             Password
Zm9v                     foo
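
The walkthrough above, and the "isn't this bad?" transcript earlier in the thread, both come down to the same reading exercise: find the AUTH exchange in the protocol log, decode the base64 tokens, and note whether the server actually accepted the credentials. The script below is an added example (not from anyone in this thread, and not an Exchange tool) that does that over a constructed log sample written in the same ">>>"/"<<<" format quoted here. The "A connection from ..." wording for inbound sessions, the 334/235/535 reply lines and the peer addresses are assumptions; the LOGIN tokens are the ones decoded in the table above. It goes a little beyond the text by also handling AUTH PLAIN, which the EHLO reply in the transcript advertises next to LOGIN, and it deliberately never decodes or stores the password token, only the account name that the investigator needs.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample shaped like the IMS protocol-log lines quoted in this thread (">>>" = sent by this
# server, "<<<" = received); "connection from", the 334/235/535 replies and the peers are assumptions.
PLAIN_TOKEN = base64.b64encode(b"\0jdoe\0not-a-real-password").decode()  # made-up credential
SAMPLE_LOG = f"""\
12/23/2003 12:40:01 PM : A connection from 203.0.113.45 was established.
12/23/2003 12:40:02 PM : <<< AUTH LOGIN
12/23/2003 12:40:02 PM : >>> 334 VXNlcm5hbWU=
12/23/2003 12:40:03 PM : <<< YWRtaW5pc3RyYXRvcg==
12/23/2003 12:40:03 PM : >>> 334 UGFzc3dvcmQ=
12/23/2003 12:40:03 PM : <<< Zm9v
12/23/2003 12:40:03 PM : >>> 235 Authentication successful
12/23/2003 12:40:04 PM : <<< MAIL FROM:<bulk@sender.example>
12/23/2003 12:40:04 PM : <<< RCPT TO:<victim@example.net>
12/23/2003 12:41:10 PM : A connection from 198.51.100.7 was established.
12/23/2003 12:41:10 PM : <<< AUTH PLAIN {PLAIN_TOKEN}
12/23/2003 12:41:11 PM : >>> 535 Authentication unsuccessful
12/23/2003 12:42:33 PM : A connection to 81.21.68.106 was established.
12/23/2003 12:42:59 PM : >>> EHLO postoffice02.aruplab.com
12/23/2003 12:42:59 PM : <<< 250-AUTH LOGIN PLAIN
12/23/2003 12:42:59 PM : >>> MAIL FROM:<>
12/23/2003 12:43:00 PM : >>> RCPT TO:<postmaster@example.net>
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+ [AP]M) : (?P<rest>.*)$", re.M)
CONNECT_RE = re.compile(r"A connection (?:to|from) (?P<peer>\S+) was established")
ADDR_RE = re.compile(r"^(?P<verb>MAIL FROM|RCPT TO):\s*<(?P<addr>[^>]*)>", re.I)

@dataclass
class Session:
    peer: str
    started: str
    auth_mechanism: Optional[str] = None
    auth_user: Optional[str] = None
    auth_result: Optional[str] = None  # "success", "failure", or None when no AUTH was seen
    mail_from: List[str] = field(default_factory=list)
    rcpt_to: List[str] = field(default_factory=list)

def b64_text(token: str) -> Optional[str]:
    """Strict base64 decode to text; None for anything that is not a valid token."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def decode_user(mechanism: Optional[str], token: str) -> Optional[str]:
    """LOGIN sends base64(username); PLAIN sends base64(authzid NUL authcid NUL password)."""
    text = b64_text(token)
    if text is None or mechanism != "PLAIN":
        return text
    parts = text.split("\0")
    return parts[1] if len(parts) == 3 else None

def parse_protocol_log(text: str) -> List[Session]:
    """Group log lines into sessions and pull the authenticated account out of each."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    state = "idle"  # idle | expect_user | expect_pass | await_result
    for m in LINE_RE.finditer(text):
        rest = m.group("rest")
        conn = CONNECT_RE.search(rest)
        if conn:
            cur, state = Session(peer=conn.group("peer"), started=m.group("ts")), "idle"
            sessions.append(cur)
            continue
        if cur is None or rest[:3] not in ("<<<", ">>>"):
            continue
        payload = rest[3:].strip()
        words = payload.split()
        verb = words[0].upper() if words else ""
        if verb == "AUTH" and len(words) > 1:
            cur.auth_mechanism, state = words[1].upper(), "expect_user"
            if len(words) > 2:  # initial response carried on the AUTH line itself
                cur.auth_user, state = decode_user(cur.auth_mechanism, words[2]), "expect_pass"
        elif verb.isdigit() and state != "idle":
            # Server reply inside the exchange: 334 = challenge, 235 = accepted, 5xx = rejected
            if verb == "235":
                cur.auth_result, state = "success", "idle"
            elif verb.startswith("5"):
                cur.auth_result, state = "failure", "idle"
        elif state == "expect_user":
            cur.auth_user, state = decode_user(cur.auth_mechanism, payload), "expect_pass"
        elif state == "expect_pass":
            state = "await_result"  # the LOGIN password token is deliberately not decoded or kept
        else:
            a = ADDR_RE.match(payload)
            if a:
                (cur.mail_from if a.group("verb").upper() == "MAIL FROM" else cur.rcpt_to).append(a.group("addr"))
    return sessions

def authenticated_submissions(sessions: List[Session]) -> List[Session]:
    """Sessions that passed AUTH: the accounts to reset, with the mail they injected."""
    return [s for s in sessions if s.auth_result == "success"]
```

Run over the sample, the first session reports `LOGIN` as `administrator` with `success` and the MAIL FROM/RCPT TO it went on to submit; the second reports a rejected PLAIN attempt for `jdoe`; the third (the same shape as the redmode.com transcript) has no AUTH at all, only an advertised `250-AUTH LOGIN PLAIN`, which is exactly the "advertising is not authenticating" point made earlier in the thread. The `started` timestamp on each session is what you line up against the tracking-log times, as suggested above, to tie a message back to the account that injected it, and the 235 reply is the thing to look for: a base64 exchange that ends in a 5xx is a failed guess, not a compromise.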

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 12:41 PM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Ouch

However, the time stamps should coincide, yes?  And if it's one or a few
users that have been comp'd, the garbage is at fairly regular intervals;
I would think it would show up.

What about this base64 thing?  I can't seem to find this encoded base64
auth string to plug into that website.

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 11:33 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Tracking logs are different.  They're not really human readable and they
don't let you know the auth information.

If you have Logon Success auditing turned on, you should get events in
the security event logs, but they're not limited to SMTP or indicated as
SMTP, so they're tougher to diagnose than using the protocol logs as
previously described.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:48 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

Well, I'm totally lost, I think.  I found a tracking.log folder in the root
of exchsrvr.  So for example, in my IMS queues (which is relay secure) I
have an NDR of spam, for destination in-f01.net, and in the tracking log
I see:


c=us;a= ;p=arup;l=POSTOFFICE020312221600190859  1018    2003.12.23 14:50:24
/o=ARUP/ou=ARUP01/cn=Configuration/cn=Connections/cn=Internet Mail Connector (POSTOFFICE02)
/o=ARUP/ou=ARUP01/cn=Configuration/cn=Servers/cn=POSTOFFICE02/cn=Microsoft Private MDB
<[EMAIL PROTECTED]>
0       8612    0       0               1
[EMAIL PROTECTED]

Knowing that my system is relay secure I am leaning towards a
compromised password.  So I check the 2010 events but they don't
correspond with the times that the spam is getting dumped on the server.
I'm not sure how I can get the auth username that was used to submit
these messages in the first place.

Lost
e-


-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 10:36 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

For the record, :), SMTP Protocol Logging doesn't write to the App Event
Log, rather it writes to file system files.

Knowing how to read SMTP conversations in the protocol log is a "good
thing".

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 11:32 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

For the record those are event 2010 

-----Original Message-----
From: Webb, Andy [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, December 23, 2003 9:12 AM
To: Exchange Discussions
Subject: RE: SMTP Logging options?

IMS Diagnostics Logging / SMTP Protocol Logging / Medium

You'll need to look for the AUTH handshake.  The handshake is done using
base64 encoded strings.  You can use
http://www.securecode.net/Base64Convert+main.html to decode them.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 23, 2003 9:18 AM
To: Exchange Discussions
Subject: SMTP Logging options?

Exch 5.5 sp4

In a scenario where an end user's password has been compromised and is
being used to drop spam crap on the Internet Mail Service, what logging
options can be used to identify the account that is authenticating?
Also, is there a way to tie a message ID to a specific authenticated
user?

Much thanks & Merry Christmas
e-

_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:          http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]