I'm more confused now.  I'm looking through my logs and about half of
them, if not a majority, are like this:

20080124 051001 127.0.0.1       SMTPD (63f901ce000049ab) [199.176.228.5] connect 199.176.228.5 port 1387
20080124 051001 127.0.0.1       SMTPD (63f901ce000049ab) [199.176.228.5] EHLO 199.176.228.5
20080124 051001 127.0.0.1       SMTPD (63f901ce000049ab) Authenticated <OMITED>@mail.ncats.net, session treated as local.

This shows the client and the server as the same IP... however the other
half are like this:

20080124 075322 127.0.0.1       SMTPD (8a4101fc00005aee) [199.176.228.5] connect 70.237.120.246 port 1237
20080124 075322 127.0.0.1       SMTPD (8a4101fc00005aee) [70.237.120.246] EHLO tire3
20080124 075322 127.0.0.1       SMTPD (8a4101fc00005aee) Authenticated <OMITED>@mail.ncats.net, session treated as local.

Showing the client IP as I would expect.  Why would half my log not be
displaying the correct client IPs?  I have verified that these are
indeed clients using normal mail clients like Outlook Express to send
mail to our SMTP server, but so many of them are not displaying the
correct client address.

Any ideas?  I don't suppose this could be a bug, could it?

Will
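
A way to triage the two log patterns quoted in this thread, as an added example that is not part of the original messages or of IMail itself. It assumes the wrapped log lines are rejoined and reads the connect line as Rod Dorman's reply does (bracketed address = server, address after "connect" = client); the session ids, addresses and accounts in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the layout quoted in this thread (wrapped lines rejoined).
SAMPLE_LOG = """\
20080124 051001 127.0.0.1       SMTPD (aaaa000000000001) [192.0.2.5] connect 192.0.2.5 port 1387
20080124 051001 127.0.0.1       SMTPD (aaaa000000000001) [192.0.2.5] EHLO 192.0.2.5
20080124 051001 127.0.0.1       SMTPD (aaaa000000000001) Authenticated user1@example.test, session treated as local.
20080124 075322 127.0.0.1       SMTPD (bbbb000000000002) [192.0.2.5] connect 198.51.100.46 port 1237
20080124 075322 127.0.0.1       SMTPD (bbbb000000000002) [198.51.100.46] EHLO tire3
20080124 075322 127.0.0.1       SMTPD (bbbb000000000002) Authenticated user2@example.test, session treated as local.
"""

LINE = re.compile(r"^\d{8} \d{6} \S+\s+SMTPD \(([0-9a-f]+)\) (?:\[([\d.]+)\] )?(.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def parse_sessions(text):
    """Group SMTPD lines by session id and pull out the fields of interest."""
    sessions = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        sid, bracket_ip, event = m.groups()
        s = sessions[sid]
        if event.startswith("connect "):
            # Assumption from the thread: on the connect line the bracketed
            # address is the server side, the address after "connect" the client.
            s["server"], s["client"] = bracket_ip, event.split()[1]
        elif event.upper().startswith(("EHLO ", "HELO ")):
            s["helo"] = event.split(None, 1)[1]
        elif event.startswith("Authenticated "):
            s["account"] = event.split()[1].rstrip(",")
    return dict(sessions)

def review(sessions):
    """Return (session id, account, findings) for sessions worth a closer look."""
    out = []
    for sid, s in sessions.items():
        findings = []
        if s.get("client") and s.get("client") == s.get("server"):
            findings.append("client address equals server address")
        if IPV4.match(s.get("helo", "")):
            findings.append("EHLO uses a bare address literal (no brackets)")
        if findings:
            out.append((sid, s.get("account"), findings))
    return out

if __name__ == "__main__":
    for sid, account, findings in review(parse_sessions(SAMPLE_LOG)):
        print(sid, account, "; ".join(findings))
```

Counting the flagged sessions per account shows whether one credential accounts for all of them.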




-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Will
Sent: Thursday, January 24, 2008 2:33 PM
To: [email protected]
Subject: RE: [IMail Forum] Tracking Messages

This is very strange.  A few days ago our server was caught sending out
scam emails.  I narrowed it down to about 40 sessions that day that all
started out with:

20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] EHLO 199.176.228.5
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) Authenticated [EMAIL PROTECTED], session treated as local.
20080122 142621 127.0.0.1       SMTPD (435d01f0000014d0) [199.176.228.5] MAIL FROM:[EMAIL PROTECTED]

The sending address seemed to rotate between about ten different
addresses, the above mail from being one of them.  According to this log
it was initiated on the server itself.  My first thought is that I'm
compromised.  However, if I was, why would the connection bother
authenticating?  My server would not need to authenticate via SMTP.

I've checked my server over and I can't find anything out of the
ordinary.  My virus scanner is running fine and overall the server is
very clean.  The only application it is responsible for is IMail, so I
don't have too many processes to sift through.

I changed the password for kyakg, which all of the sessions used to
authenticate.  Since then I haven't seen any more spam.  I haven't even
seen an entry in the logs for kyakg trying to authenticate.

Confused...

Any recommendations on how to figure out what this means?

Will



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rod Dorman
Sent: Thursday, January 24, 2008 12:13 PM
Cc: [email protected]
Subject: Re: [IMail Forum] Tracking Messages

On Thursday, January 24, 2008, 09:06:09, Will wrote:
> Any idea where one would find the connecting IP for SMTPD in the logs?
> 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] connect 199.176.228.5 port 2901

Some client at IP address 199.176.228.5 connected to your e-mail server
at 199.176.228.5

Note that both client and server are on the same machine.

> 20080122 142621 127.0.0.1 SMTPD (435d01f0000014d0) [199.176.228.5] EHLO 199.176.228.5

The client sent a broken EHLO command; the RFCs require an address
literal to be enclosed by brackets.

-- 
[EMAIL PROTECTED]     "The avalanche has already started, it is too
Rod Dorman              late for the pebbles to vote." - Ambassador Kosh

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
