1
Where are these connections really coming from?
Question asked by Mark Thornton - January 12 at 9:46 PM
Unanswered
I am trying to track down the source of some user list attacks against my server but every entry in my smtp log shows the ip address of the server, not the connecting system. Even when I have a valid incoming email it never shows the connecting ip (shown in second example). Why is this occurring? 
 
01:01:07 [192.168.1.10][30850498] connected at 1/12/2017 1:01:07 AM
01:01:07 [192.168.1.10][30850498] cmd: EHLO mainserver.xxxxx.local
01:01:07 [192.168.1.10][30850498] rsp: 250-mail.XXXXX.org Hello [192.168.1.10]250-SIZE 52428800250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
01:01:07 [192.168.1.10][30850498] cmd: mail from: <johndoe@xxxx.org>
01:01:07 [192.168.1.10][30850498] rsp: 550 Authentication is required for relay
01:01:07 [192.168.1.10][30850498] disconnected at 1/12/2017 1:01:07 AM
 
 
06:18:15 [192.168.1.10][3676010] connected at 1/12/2017 6:18:15 AM
06:18:15 [192.168.1.10][3676010] cmd: HELO mainserver.xxxxx.local
06:18:15 [192.168.1.10][3676010] rsp: 250 mail.XXXXX.org Hello [192.168.1.10]
06:18:15 [192.168.1.10][3676010] cmd: MAIL FROM:<rudy@hotmail.com>
06:18:15 [192.168.1.10][3676010] rsp: 250 OK <rudy@hotmail.com> Sender ok
06:18:15 [192.168.1.10][3676010] cmd: RCPT TO:<elga@xxxxx.org>
06:18:15 [192.168.1.10][3676010] rsp: 250 OK <elga@xxxxx.org> Recipient ok
06:18:16 [192.168.1.10][3676010] cmd: RCPT TO:<suzie@xxxxx.org>
06:18:16 [192.168.1.10][3676010] rsp: 250 OK <suzie@xxxxx.org> Recipient ok
06:18:18 [192.168.1.10][3676010] cmd: DATA
06:18:18 [192.168.1.10][3676010] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
06:18:18 [192.168.1.10][3676010] rsp: 250 OK
06:18:18 [192.168.1.10][3676010] Data transfer succeeded, writing mail to 1239395481.eml
06:18:18 [192.168.1.10][22603156] rsp: 220 mail.XXXXX.org
06:18:18 [192.168.1.10][22603156] disconnected at 1/12/2017 6:18:18 AM
 
 

Reply to Thread