Pak Syafril,
Please help analyse the attached log.
What I want to ask:
1. Was the email [email protected] hijacked?
2. Is the domain @honeyvel.com a domain impersonating the domain
@honeywell.com?
Thank you
--
Regards,
*Yudis*
*IT Officer*
+62-21-5347855
Ext.321
Tue 2015-09-01 04:14:25: Session 084224; child 0001
Tue 2015-09-01 04:14:25: Accepting SMTP connection from [64.98.42.187:44069] to
[113.11.130.172:25]
Tue 2015-09-01 04:14:25: --> 220 mx.saranainstrument.com ESMTP MDaemon 13.6.2;
Tue, 01 Sep 2015 04:14:25 +0700
Tue 2015-09-01 04:14:25: <-- EHLO smtprelay.b.hostedemail.com
Tue 2015-09-01 04:14:25: --> 250-mx.saranainstrument.com Hello
smtprelay.b.hostedemail.com, pleased to meet you
Tue 2015-09-01 04:14:25: --> 250-ETRN
Tue 2015-09-01 04:14:25: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Tue 2015-09-01 04:14:25: --> 250-8BITMIME
Tue 2015-09-01 04:14:25: --> 250-STARTTLS
Tue 2015-09-01 04:14:25: --> 250 SIZE 15360000
Tue 2015-09-01 04:14:25: <-- MAIL FROM:<[email protected]> SIZE=73361
Tue 2015-09-01 04:14:25: Performing PTR lookup (187.42.98.64.IN-ADDR.ARPA)
Tue 2015-09-01 04:14:25: * D=187.42.98.64.IN-ADDR.ARPA TTL=(60)
PTR=[smtprelay0187.b.hostedemail.com]
Tue 2015-09-01 04:14:25: * D=187.42.98.64.IN-ADDR.ARPA TTL=(1440)
PTR=[smtprelay0187.b.hostedemail.com]
Tue 2015-09-01 04:14:25: * Gathering A records...
Tue 2015-09-01 04:14:26: * D=smtprelay0187.b.hostedemail.com TTL=(60)
A=[64.98.42.187]
Tue 2015-09-01 04:14:26: * D=smtprelay0187.b.hostedemail.com TTL=(60)
A=[64.98.42.187]
Tue 2015-09-01 04:14:26: ---- End PTR results
Tue 2015-09-01 04:14:26: Performing IP lookup (smtprelay.b.hostedemail.com)
Tue 2015-09-01 04:14:26: * D=smtprelay.b.hostedemail.com TTL=(60)
A=[64.98.36.5]
Tue 2015-09-01 04:14:26: ---- End IP lookup results
Tue 2015-09-01 04:14:26: Performing IP lookup (honeyvell.com)
Tue 2015-09-01 04:14:27: * D=honeyvell.com TTL=(5) A=[54.247.176.36]
Tue 2015-09-01 04:14:27: * P=010 S=000 D=honeyvell.com TTL=(30)
MX=[mx.honeyvell.com.cust.b.hostedemail.com]
Tue 2015-09-01 04:14:27: * D=honeyvell.com TTL=(5) A=[54.247.176.36]
Tue 2015-09-01 04:14:27: ---- End IP lookup results
Tue 2015-09-01 04:14:27: Performing SPF lookup (honeyvell.com / 64.98.42.187)
Tue 2015-09-01 04:14:35: * Result: none; no SPF record in DNS
Tue 2015-09-01 04:14:35: ---- End SPF results
Tue 2015-09-01 04:14:35: --> 250 <[email protected]>, Sender ok
Tue 2015-09-01 04:14:35: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 04:14:35: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 04:14:36: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 04:14:36: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 04:14:36: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 04:14:36: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 04:14:36: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 04:14:36: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 04:14:37: <-- DATA
Tue 2015-09-01 04:14:37: Creating temp file (SMTP):
d:\mdaemon\queues\temp\md50000211443.tmp
Tue 2015-09-01 04:14:37: --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2015-09-01 04:14:38: Message size: 73349 bytes
Tue 2015-09-01 04:14:38: Performing DKIM lookup
Tue 2015-09-01 04:14:38: * File: d:\mdaemon\queues\temp\md50000211443.tmp
Tue 2015-09-01 04:14:38: * Message-ID:
[email protected]
Tue 2015-09-01 04:14:43: * Result: neutral
Tue 2015-09-01 04:14:43: ---- End DKIM results
Tue 2015-09-01 04:14:43: Performing DomainKeys lookup (Sender:
[email protected])
Tue 2015-09-01 04:14:43: * File: d:\mdaemon\queues\temp\md50000211443.tmp
Tue 2015-09-01 04:14:43: * Message-ID:
[email protected]
Tue 2015-09-01 04:14:43: * Querying for policy: honeyvell.com
Tue 2015-09-01 04:14:43: * Querying: _domainkey.honeyvell.com ...
Tue 2015-09-01 04:14:50: * DNS: * The name server reports that it is having
technical problems
Tue 2015-09-01 04:14:50: * Result: neutral
Tue 2015-09-01 04:14:50: ---- End DomainKeys results
Tue 2015-09-01 04:14:50: Passing message through AntiVirus (Size: 73349)...
Tue 2015-09-01 04:14:50: * Message is clean (no viruses found)
Tue 2015-09-01 04:14:50: ---- End AntiVirus results
Tue 2015-09-01 04:14:50: Passing message through Spam Filter (Size: 73349)...
Tue 2015-09-01 04:14:56: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query
to URIBL was blocked.
Tue 2015-09-01 04:14:56: * See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
Tue 2015-09-01 04:14:56: * for more information.
Tue 2015-09-01 04:14:56: * [URIs: saranainstrument.com]
Tue 2015-09-01 04:14:56: * -4.7 BAYES_00 BODY: Bayes spam probability is 0 to 1%
Tue 2015-09-01 04:14:56: * [score: 0.0000]
Tue 2015-09-01 04:14:56: * 0.0 HTML_MESSAGE BODY: HTML included in message
Tue 2015-09-01 04:14:56: * 0.0 LOTS_OF_MONEY Huge... sums of money
Tue 2015-09-01 04:14:56: ---- End SpamAssassin results
Tue 2015-09-01 04:14:56: Spam Filter score/req: -4.70/12.0
Tue 2015-09-01 04:14:56: Message creation successful:
d:\mdaemon\queues\inbound\md50000121206.msg
Tue 2015-09-01 04:14:56: --> 250 Ok, message saved <Message-ID:
<[email protected]>>
Tue 2015-09-01 04:14:56: <-- QUIT
Tue 2015-09-01 04:14:56: --> 221 See ya in cyberspace
Tue 2015-09-01 04:14:56: SMTP session successful (Bytes in/out: 73602/645)
Tue 2015-09-01 04:14:56: ----------
Tue 2015-09-01 04:15:00: Session 084227; child 0001
Tue 2015-09-01 04:15:00: Parsing message
<d:\mdaemon\queues\remote\pd50000033012.msg>
Tue 2015-09-01 04:15:00: * Forwarded from: [email protected]
Tue 2015-09-01 04:15:00: * From: [email protected]
Tue 2015-09-01 04:15:00: * To: [email protected]
Tue 2015-09-01 04:15:00: * Subject: Re: INVOICE HONEYWELL - INV15-154
Tue 2015-09-01 04:15:00: * Size (bytes): 74440
Tue 2015-09-01 04:15:00: * Message-ID:
<[email protected]>
Tue 2015-09-01 04:15:00: Attempting SMTP connection to [live.com]
Tue 2015-09-01 04:15:00: Resolving MX records for [live.com] (DNS Server:
209.244.0.3)...
Tue 2015-09-01 04:15:00: * P=005 S=000 D=live.com TTL=(20) MX=[mx3.hotmail.com]
Tue 2015-09-01 04:15:00: * P=005 S=001 D=live.com TTL=(20) MX=[mx4.hotmail.com]
Tue 2015-09-01 04:15:00: * P=005 S=002 D=live.com TTL=(20) MX=[mx1.hotmail.com]
Tue 2015-09-01 04:15:00: * P=005 S=003 D=live.com TTL=(20) MX=[mx2.hotmail.com]
Tue 2015-09-01 04:15:00: Attempting SMTP connection to [mx3.hotmail.com:25]
Tue 2015-09-01 04:15:00: Resolving A record for [mx3.hotmail.com] (DNS Server:
209.244.0.3)...
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.92.168]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.37.72]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.33.135]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[134.170.2.199]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[207.46.8.199]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.37.120]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.37.104]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.54.188.126]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[207.46.8.167]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.92.136]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.54.188.110]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.33.119]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.55.92.184]
Tue 2015-09-01 04:15:00: * D=mx3.hotmail.com TTL=(55) A=[65.54.188.72]
Tue 2015-09-01 04:15:00: Randomly picked 65.55.37.104 from list of A records
Tue 2015-09-01 04:15:00: Attempting SMTP connection to [65.55.37.104:25]
Tue 2015-09-01 04:15:00: Waiting for socket connection...
Tue 2015-09-01 04:15:01: * Connection established (113.11.130.172:64347 ->
65.55.37.104:25)
Tue 2015-09-01 04:15:01: Waiting for protocol to start...
Tue 2015-09-01 04:15:01: <-- 220 COL004-MC3F36.hotmail.com Sending unsolicited
commercial or bulk e-mail to Microsoft's computer network is prohibited. Other
restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx.
Mon, 31 Aug 2015 14:15:02 -0700
Tue 2015-09-01 04:15:01: --> EHLO mx.saranainstrument.com
Tue 2015-09-01 04:15:01: <-- 250-COL004-MC3F36.hotmail.com (3.21.0.208) Hello
[113.11.130.172]
Tue 2015-09-01 04:15:01: <-- 250-SIZE 36909875
Tue 2015-09-01 04:15:01: <-- 250-PIPELINING
Tue 2015-09-01 04:15:01: <-- 250-8bitmime
Tue 2015-09-01 04:15:01: <-- 250-BINARYMIME
Tue 2015-09-01 04:15:01: <-- 250-CHUNKING
Tue 2015-09-01 04:15:01: <-- 250-STARTTLS
Tue 2015-09-01 04:15:01: <-- 250-AUTH LOGIN
Tue 2015-09-01 04:15:01: <-- 250-AUTH=LOGIN
Tue 2015-09-01 04:15:01: <-- 250 OK
Tue 2015-09-01 04:15:01: --> STARTTLS
Tue 2015-09-01 04:15:02: <-- 220 SMTP server ready
Tue 2015-09-01 04:15:03: SSL negotiation successful (TLS 1.0, 384 bit key
exchange, 256 bit AES encryption)
Tue 2015-09-01 04:15:03: --> EHLO mx.saranainstrument.com
Tue 2015-09-01 04:15:03: <-- 250-COL004-MC3F36.hotmail.com (3.21.0.208) Hello
[113.11.130.172]
Tue 2015-09-01 04:15:03: <-- 250-SIZE 36909875
Tue 2015-09-01 04:15:03: <-- 250-PIPELINING
Tue 2015-09-01 04:15:03: <-- 250-8bitmime
Tue 2015-09-01 04:15:03: <-- 250-BINARYMIME
Tue 2015-09-01 04:15:03: <-- 250-CHUNKING
Tue 2015-09-01 04:15:03: <-- 250-AUTH LOGIN
Tue 2015-09-01 04:15:03: <-- 250-AUTH=LOGIN
Tue 2015-09-01 04:15:03: <-- 250 OK
Tue 2015-09-01 04:15:03: --> MAIL From:<[email protected]> SIZE=74440
Tue 2015-09-01 04:15:03: <-- 250 [email protected] OK
Tue 2015-09-01 04:15:03: --> RCPT To:<[email protected]>
Tue 2015-09-01 04:15:04: <-- 250 [email protected]
Tue 2015-09-01 04:15:04: --> DATA
Tue 2015-09-01 04:15:04: <-- 354 Start mail input; end with <CRLF>.<CRLF>
Tue 2015-09-01 04:15:04: Sending <d:\mdaemon\queues\remote\pd50000033012.msg>
to [65.55.37.104]
Tue 2015-09-01 04:15:06: Transfer Complete
Tue 2015-09-01 04:15:07: <-- 250
<[email protected]> Queued mail for delivery
Tue 2015-09-01 04:15:07: --> QUIT
Tue 2015-09-01 04:15:07: <-- 221 COL004-MC3F36.hotmail.com Service closing
transmission channel
Tue 2015-09-01 04:15:07: SMTP session successful (Bytes in/out: 912/75472)
Tue 2015-09-01 13:27:40: Session 097590; child 0001
Tue 2015-09-01 13:27:40: Accepting SMTP connection from [65.55.169.122:23295]
to [113.11.130.172:25]
Tue 2015-09-01 13:27:40: --> 220 mx.saranainstrument.com ESMTP MDaemon 13.6.2;
Tue, 01 Sep 2015 13:27:40 +0700
Tue 2015-09-01 13:27:40: <-- EHLO na01-bl2-obe.outbound.protection.outlook.com
Tue 2015-09-01 13:27:40: --> 250-mx.saranainstrument.com Hello
na01-bl2-obe.outbound.protection.outlook.com, pleased to meet you
Tue 2015-09-01 13:27:40: --> 250-ETRN
Tue 2015-09-01 13:27:40: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Tue 2015-09-01 13:27:40: --> 250-8BITMIME
Tue 2015-09-01 13:27:40: --> 250-STARTTLS
Tue 2015-09-01 13:27:40: --> 250 SIZE 15360000
Tue 2015-09-01 13:27:40: <-- STARTTLS
Tue 2015-09-01 13:27:40: --> 220 Begin TLS negotiation
Tue 2015-09-01 13:27:41: SSL negotiation successful (TLS 1.0, 256 bit key
exchange, 256 bit AES encryption)
Tue 2015-09-01 13:27:41: <-- EHLO na01-bl2-obe.outbound.protection.outlook.com
Tue 2015-09-01 13:27:41: --> 250-mx.saranainstrument.com Hello
na01-bl2-obe.outbound.protection.outlook.com, pleased to meet you
Tue 2015-09-01 13:27:41: --> 250-ETRN
Tue 2015-09-01 13:27:41: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Tue 2015-09-01 13:27:41: --> 250-8BITMIME
Tue 2015-09-01 13:27:41: --> 250 SIZE 15360000
Tue 2015-09-01 13:27:41: <-- MAIL FROM:<[email protected]>
SIZE=852690 AUTH=<>
Tue 2015-09-01 13:27:41: Performing SPF lookup (honeywell.com / 65.55.169.122)
Tue 2015-09-01 13:27:41: * Policy: v=spf1 ip4:199.64.220.26 ip4:199.61.24.27
ip4:199.15.215.105 ip4:198.245.81.13 include:mktomail.com
include:spf.messaging.microsoft.com a mx ?all
Tue 2015-09-01 13:27:41: * Evaluating ip4:199.64.220.26: no match
Tue 2015-09-01 13:27:41: * Evaluating ip4:199.61.24.27: no match
Tue 2015-09-01 13:27:41: * Evaluating ip4:199.15.215.105: no match
Tue 2015-09-01 13:27:41: * Evaluating ip4:198.245.81.13: no match
Tue 2015-09-01 13:27:41: * Evaluating include:mktomail.com: performing lookup
Tue 2015-09-01 13:27:42: * Policy: v=spf1 ip4:199.15.212.0/22
ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24 ip4:72.32.243.0/24
ip4:94.236.119.0/26 ip4:37.188.97.188/32 ip4:185.28.196.0/22
ip4:192.28.128.0/18 ip4:103.237.104.0/22 ip6:2a04:35c0::/29 ~all
Tue 2015-09-01 13:27:42: * Evaluating ip4:199.15.212.0/22: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:72.3.185.0/24: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:72.32.154.0/24: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:72.32.217.0/24: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:72.32.243.0/24: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:94.236.119.0/26: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:37.188.97.188/32: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:185.28.196.0/22: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:192.28.128.0/18: no match
Tue 2015-09-01 13:27:42: * Evaluating ip4:103.237.104.0/22: no match
Tue 2015-09-01 13:27:42: * Evaluating ip6:2a04:35c0::/29: unknown mechanism
Tue 2015-09-01 13:27:42: * Evaluating include:mktomail.com:
Tue 2015-09-01 13:27:42: * Result: neutral
Tue 2015-09-01 13:27:42: ---- End SPF results
Tue 2015-09-01 13:27:42: --> 250 <[email protected]>, Sender ok
Tue 2015-09-01 13:27:42: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 13:27:42: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 13:27:42: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 13:27:42: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 13:27:43: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 13:27:43: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 13:27:43: <-- RCPT TO:<[email protected]>
Tue 2015-09-01 13:27:43: --> 250 <[email protected]>, Recipient ok
Tue 2015-09-01 13:27:43: <-- DATA
Tue 2015-09-01 13:27:43: Creating temp file (SMTP):
d:\mdaemon\queues\temp\md50000219143.tmp
Tue 2015-09-01 13:27:43: --> 354 Enter mail, end with <CRLF>.<CRLF>
Tue 2015-09-01 13:27:57: Message size: 842291 bytes
Tue 2015-09-01 13:27:57: Performing DKIM lookup
Tue 2015-09-01 13:27:57: * File: d:\mdaemon\queues\temp\md50000219143.tmp
Tue 2015-09-01 13:27:57: * Message-ID:
8eb22d789a3c2144b38ebc2631a8c1fb40ba6...@az18ex3009.global.ds.honeywell.com
Tue 2015-09-01 13:27:57: * Result: neutral
Tue 2015-09-01 13:27:57: ---- End DKIM results
Tue 2015-09-01 13:27:57: Performing DomainKeys lookup (Sender:
[email protected])
Tue 2015-09-01 13:27:57: * File: d:\mdaemon\queues\temp\md50000219143.tmp
Tue 2015-09-01 13:27:57: * Message-ID:
8eb22d789a3c2144b38ebc2631a8c1fb40ba6...@az18ex3009.global.ds.honeywell.com
Tue 2015-09-01 13:27:57: * Querying for policy: honeywell.com
Tue 2015-09-01 13:27:57: * Querying: _domainkey.honeywell.com ...
Tue 2015-09-01 13:27:57: * Policy record (cached): t=y; o=~;
Tue 2015-09-01 13:27:57: * Result: neutral
Tue 2015-09-01 13:27:57: ---- End DomainKeys results
Tue 2015-09-01 13:27:57: Passing message through AntiVirus (Size: 842291)...
Tue 2015-09-01 13:27:57: * Message is clean (no viruses found)
Tue 2015-09-01 13:27:57: ---- End AntiVirus results
Tue 2015-09-01 13:27:57: Message creation successful:
d:\mdaemon\queues\inbound\md50000121595.msg
Tue 2015-09-01 13:27:57: --> 250 Ok, message saved <Message-ID:
<8eb22d789a3c2144b38ebc2631a8c1fb40ba6...@az18ex3009.global.ds.honeywell.com>>
Tue 2015-09-01 13:27:57: * Winsock Error 10054
Tue 2015-09-01 13:27:57: SMTP session successful (Bytes in/out: 844944/2319)
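The two questions above can be answered largely from the log itself: honeyvell.com is one character away from honeywell.com, it had no SPF record at the time (session 084224, "Result: none; no SPF record in DNS"), and the next session (084227) shows the message from that domain, with subject "Re: INVOICE HONEYWELL - INV15-154", being forwarded from the local mailbox out to an address at live.com. The script below is an added example, not part of Yudis' post or of MDaemon; it parses sessions out of MDaemon-format log lines, flags a sender domain that is a lookalike of a watched brand (edit distance plus a small homoglyph table), records a weak SPF result, and flags mail that is forwarded from a local mailbox to an external domain, which is read here as a forwarding setting on that account (an assumption about the "Forwarded from" line). The sample log lines are constructed in the format of the log above with placeholder mailbox names, and the hypothetical `LOCAL_DOMAIN` and `WATCHED` lists are assumptions.

```python
import re

# Constructed sample in the MDaemon log format shown in the post above; the
# mailbox names are placeholders, not the redacted originals.
SAMPLE_LOG = """\
Tue 2015-09-01 04:14:25: Session 084224; child 0001
Tue 2015-09-01 04:14:25: <-- MAIL FROM:<invoice@honeyvell.com> SIZE=73361
Tue 2015-09-01 04:14:27: Performing SPF lookup (honeyvell.com / 64.98.42.187)
Tue 2015-09-01 04:14:35: * Result: none; no SPF record in DNS
Tue 2015-09-01 04:14:35: ---- End SPF results
Tue 2015-09-01 04:14:35: <-- RCPT TO:<finance@saranainstrument.com>
Tue 2015-09-01 04:14:38: Performing DKIM lookup
Tue 2015-09-01 04:14:43: * Result: neutral
Tue 2015-09-01 04:14:43: ---- End DKIM results
Tue 2015-09-01 04:15:00: Session 084227; child 0001
Tue 2015-09-01 04:15:00: * Forwarded from: finance@saranainstrument.com
Tue 2015-09-01 04:15:00: * From: invoice@honeyvell.com
Tue 2015-09-01 04:15:00: * To: someone@live.com
Tue 2015-09-01 13:27:40: Session 097590; child 0001
Tue 2015-09-01 13:27:41: <-- MAIL FROM:<someone@honeywell.com> SIZE=852690 AUTH=<>
Tue 2015-09-01 13:27:41: Performing SPF lookup (honeywell.com / 65.55.169.122)
Tue 2015-09-01 13:27:42: * Result: neutral
Tue 2015-09-01 13:27:42: ---- End SPF results
"""

LOCAL_DOMAIN = "saranainstrument.com"   # assumed: the receiving MX's own domain
WATCHED = ["honeywell.com"]             # assumed: brands whose lookalikes we care about

FIELDS = {  # single-valued fields pulled from an MDaemon session
    "mail_from": re.compile(r"<-- MAIL FROM:<([^>]*)>", re.I),
    "forwarded_from": re.compile(r"\* Forwarded from: (\S+)"),
    "to": re.compile(r"\* To: (\S+)"),
}
SESSION_RE = re.compile(r": Session (\d+);")
RCPT_RE = re.compile(r"<-- RCPT TO:<([^>]*)>", re.I)
RESULT_RE = re.compile(r"\* Result: (\w+)")

def parse_sessions(text):
    """Split an MDaemon log into sessions and extract the fields needed for triage."""
    sessions, cur, phase = [], None, None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur, phase = {"id": m.group(1), "rcpts": []}, None
            sessions.append(cur)
            continue
        if cur is None:
            continue
        # "* Result:" lines are ambiguous on their own; track which check is running.
        if "Performing SPF lookup" in line:
            phase = "spf"
        elif "Performing DKIM lookup" in line:
            phase = "dkim"
        elif line.rstrip().endswith("results"):   # "---- End SPF results" and friends
            phase = None
        for key, rx in FIELDS.items():
            m = rx.search(line)
            if m:
                cur.setdefault(key, m.group(1))
        if m := RCPT_RE.search(line):
            cur["rcpts"].append(m.group(1))
        if phase and (m := RESULT_RE.search(line)):
            cur[phase] = m.group(1).lower()
    return sessions

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def levenshtein(a, b):
    """Plain edit distance; honeyvell.com vs honeywell.com is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        row = [i]
        for j, cb in enumerate(b, 1):
            row.append(min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = row
    return prev[-1]

def skeleton(domain):
    """Collapse common lookalike substitutions so 'h0neyvvell' compares equal to 'honeywell'."""
    s = domain.lower().translate(str.maketrans("0135", "oles"))
    for pair, repl in (("vv", "w"), ("rn", "m"), ("cl", "d")):
        s = s.replace(pair, repl)
    return s

def lookalike(domain, watched=WATCHED, max_dist=1):
    """Return the watched domain that `domain` impersonates, or None."""
    for w in watched:
        if domain == w or domain.endswith("." + w):
            continue                         # the brand itself or one of its subdomains
        brand = w.split(".")[0]
        if skeleton(domain) == skeleton(w) or levenshtein(domain, w) <= max_dist or brand in domain:
            return w
    return None

def assess(session):
    """Heuristic findings for one session: lookalike sender, weak SPF, outbound forwarding."""
    findings = []
    dom = domain_of(session.get("mail_from", ""))
    if dom:
        target = lookalike(dom)
        if target:
            findings.append(f"sender domain {dom} looks like {target}")
        spf = session.get("spf", "none")
        if spf in ("none", "neutral", "softfail", "fail"):
            findings.append(f"SPF gives no assurance for {dom}: {spf}")
    fwd, to = session.get("forwarded_from"), session.get("to")
    if fwd and to and domain_of(to) != LOCAL_DOMAIN:
        findings.append(f"mail for {fwd} was forwarded to external mailbox {to}")
    return findings

def report(text):
    return {s["id"]: assess(s) for s in parse_sessions(text)}

if __name__ == "__main__":
    for sid, findings in report(SAMPLE_LOG).items():
        print(sid, findings or "no findings")
```

On the real log the same three signals line up: a lookalike sender with no SPF record, and a copy of that message leaving through a forward to a freemail address, which is the usual footprint of a mailbox rule planted after a credential compromise. Checking the account's forwarding settings and recent logins is the next step; the lookalike domain on its own only answers the second question.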