Senderbase 2500% increase but can't find reflected in logs
Question asked by dave - 8/21/2015 at 7:47 PM
Hmmm. I'm perplexed and need some other brain power. We see occasional spikes in activity shown in Senderbase for our mail server (14.x). Normally our mail server shows as 0.0 in email volume on Senderbase, and this is expected given our low volume. However, occasionally Senderbase will show a big increase like 2500%.
 
I have been poring over the SmarterMail logs, event logs, and sysmon logs (we are tracking sent/received on ports 25 and 465) and I can't find anything to explain a 2500% increase. I even wrote a utility to break the SmarterMail SMTP log apart by IP, AuthFailed, Greylisted, InboundMail, IPBlocks, NoSuchUser, OutboundMail, SpamBlocked, and Unknown (if it doesn't fit one of the others). The log data simply doesn't reflect these Senderbase increases.
 
I could go into a bunch of areas explaining our setup at this point but regardless of that it would show in the logs, right?
 
I'd be glad to provide more information and would love some other brain power to help me understand why Senderbase and the logs could be so different.
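An added example of the kind of per-category breakdown described above, written for this page and not the poster's utility or SmarterMail code. The log line layout ("[yyyy.mm.dd] hh:mm:ss [client-ip][session-id] text"), the response-text rules and the sample lines are all constructed assumptions; point LINE_RE and RULES at the real log format before using it. It classifies each SMTP session once (highest-priority rule wins), totals per day, and flags any day whose count for a category exceeds the mean of the other days by more than a given percentage, which is the comparison one wants against an external "2500%" figure:

```python
"""Per-day, per-category SMTP session counts with a percentage-spike check.
Added example; not the poster's utility and not SmarterMail code. The line
layout "[yyyy.mm.dd] hh:mm:ss [client-ip][session-id] text", the rules and
the sample log are assumptions constructed for illustration."""
import re
from collections import Counter, defaultdict

# Constructed sample log (assumed format): three days, nine SMTP sessions.
SAMPLE_LOG = """\
[2015.08.19] 08:01:10 [203.0.113.9][1001] cmd: MAIL FROM:<alice@example.org>
[2015.08.19] 08:01:11 [203.0.113.9][1001] rsp: 250 OK
[2015.08.19] 08:01:12 [203.0.113.9][1001] cmd: RCPT TO:<bob@example.com>
[2015.08.19] 08:01:15 [203.0.113.9][1001] rsp: 250 OK: Queued
[2015.08.19] 09:15:00 [198.51.100.4][1002] rsp: 451 Greylisted, please try again later
[2015.08.19] 10:20:31 [198.51.100.5][1003] rsp: 550 No such user here
[2015.08.19] 13:40:02 [192.0.2.77][1004] rsp: 250 OK: Queued
[2015.08.20] 07:55:44 [203.0.113.9][1101] rsp: 250 OK: Queued
[2015.08.21] 11:00:00 [198.51.100.20][2001] rsp: 535 Authentication failed
[2015.08.21] 11:05:13 [10.0.0.15][2002] rsp: 235 Authentication successful
[2015.08.21] 11:05:20 [10.0.0.15][2002] rsp: 250 OK: Queued
[2015.08.21] 12:30:09 [198.51.100.30][2003] rsp: 554 Connection refused, IP is blacklisted
[2015.08.21] 14:12:51 [198.51.100.31][2004] rsp: 550 Message rejected as spam
"""

LINE_RE = re.compile(
    r"^\[(?P<date>\d{4}\.\d{2}\.\d{2})\] \d{2}:\d{2}:\d{2} "
    r"\[(?P<ip>[^\]]+)\]\[(?P<sess>\d+)\] (?P<text>.*)$"
)

# (category, pattern) in priority order: the first category a session matched wins.
RULES = [
    ("AuthFailed",   re.compile(r"\b535\b")),
    ("IPBlocks",     re.compile(r"\b554\b.*(blocked|blacklist)", re.I)),
    ("SpamBlocked",  re.compile(r"\b55[0-4]\b.*spam", re.I)),
    ("NoSuchUser",   re.compile(r"\b550\b.*no such user", re.I)),
    ("Greylisted",   re.compile(r"\b451\b.*grey", re.I)),
    ("OutboundMail", re.compile(r"\b235\b")),          # authenticated submission
    ("InboundMail",  re.compile(r"\b250\b.*(queued|ok)", re.I)),
]


def parse_lines(log_text):
    """Yield (date, ip, session, text) for every line matching the assumed layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("date"), m.group("ip"), m.group("sess"), m.group("text")


def classify_sessions(log_text):
    """Map (date, ip, session) -> category; sessions matching no rule are Unknown."""
    matched = {}
    for date, ip, sess, text in parse_lines(log_text):
        cats = matched.setdefault((date, ip, sess), set())
        for cat, rx in RULES:
            if rx.search(text):
                cats.add(cat)
    return {key: next((c for c, _ in RULES if c in cats), "Unknown")
            for key, cats in matched.items()}


def summarize(log_text):
    """Return {date: Counter(category -> session count)}."""
    per_day = defaultdict(Counter)
    for (date, _ip, _sess), cat in classify_sessions(log_text).items():
        per_day[date][cat] += 1
    return dict(per_day)


def spikes(summary, category, threshold_pct):
    """Days whose count for `category` exceeds the mean of all other days by
    more than threshold_pct. A jump from a zero baseline is reported as inf."""
    days = sorted(summary)
    flagged = []
    for day in days:
        count = summary[day][category]
        others = [summary[d][category] for d in days if d != day]
        baseline = sum(others) / len(others) if others else 0.0
        if baseline == 0:
            pct = float("inf") if count else 0.0
        else:
            pct = (count - baseline) / baseline * 100
        if pct > threshold_pct:
            flagged.append((day, pct))
    return flagged


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for day in sorted(s):
        print(day, dict(s[day]))
    print("OutboundMail spikes over 2500%:", spikes(s, "OutboundMail", 2500))
```

Run against a real export, a day-by-day table like this is the evidence to hold up against the external number: if neither OutboundMail nor InboundMail shows a jump on the days the reputation service flags, the volume it is counting was not seen by this server.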

Joe Wolf Replied
Well, it seems you've done your homework and it's probably a Senderbase error. The first thought that came to mind was some kind of virus or spyware on the server dumping out messages that SmarterMail wouldn't know about, but if sysmon shows that only SmarterMail is using port 25 then that's probably not the case, unless someone has come up with a way to hide that activity.
 
I'd mark it up to a Senderbase issue. It's also possible that some third party is spoofing your IP address, but if they're doing that there's not much you can do about it.
 
-Joe
dave Replied
Thanks Joe. I checked with Senderbase a few weeks ago to inquire and didn't get any specifics. They said

"We understand there are some improvement opportunities regarding how the volume data is calculated and displayed on SenderBase.org. There are some enhancements currently being planned in an upcoming update of SenderBase.org. This update will improve how statistics get presented, in a more meaningful and understandable way. We are expecting these enhancement updates to be deployed in the coming months. "

Senderbase detail is a dead end for now anyway.

Friday we had a spike and it correlated with one of our employee laptops being booted and internet connected. Went back and found that the prior spike 2 days earlier also occurred on a day that machine was booted. This is a machine of an employee that is no longer with us and is only around just in case something is needed from it. This has me curious now. Investigating this pattern more; however, the logs don't reflect any spikes if this laptop was involved.

We have POP and SMTP logging set to detailed. We aren't seeing any high activity in either log.

EDIT: amending with new information that the laptop was not network connected on Friday.
Scarab Replied
Senderbase conglomerates data from its users/partners based upon headers of received emails. We have had an IP in one of our Class C CIDR ranges that is definitely not in use (for the past 5 or 6 years now; it was previously assigned to a co-lo server we hosted) show activity for 5 days every month for the past year, and tore our hair out checking, double-checking, triple-checking every possibility. Turns out it is an IP that is being used by spoofed spam in forged headers. Since there is no rDNS for this IP, most recipients should be rejecting it, so it doesn't hurt us any... but it did waste 40 or so hours of spare time trying to track it down on our side before we were confident it absolutely-positively wasn't actually coming from us.

Moral of the story: Senderbase isn't always accurate. I check our ranges weekly for any abnormalities, just to be sure, but if there is an abnormality and you can't find the source on your network and your bandwidth monitors aren't showing corresponding outbound activity, then don't lose any sleep over it.
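As an added illustration of the forged-header scenario Scarab describes (example code written for this page, not from the thread or from Senderbase): in a Received: chain only the topmost line, the one your own MTA wrote, records which IP really connected. Every line below it was supplied by the sender and can name any address at all. The message, hostnames and addresses here are constructed (RFC 5737 documentation ranges), and "mx.example.com" stands in for the receiving MTA:

```python
"""Separate the one trustworthy Received: hop from the ones a sender could forge.
Added example, not code from the thread; the sample message, hosts and
addresses are constructed."""
import re
from email import message_from_string

# Constructed sample: the message really arrived from 198.51.100.77, but the
# sender pre-wrote a Received: line crediting 203.0.113.5, an idle IP that is
# ours but not in use, as if it had relayed the mail.
SAMPLE_MESSAGE = """\
Received: from bulk-sender.invalid (unknown [198.51.100.77])
    by mx.example.com (Postfix) with ESMTP id ABC123
    for <victim@example.com>; Fri, 21 Aug 2015 19:47:00 +0000
Received: from mail.ourdomain.example (mail.ourdomain.example [203.0.113.5])
    by bulk-sender.invalid with ESMTP id XYZ789; Fri, 21 Aug 2015 19:46:00 +0000
From: someone@ourdomain.example
To: victim@example.com
Subject: spoofed

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <host>" -- the common Received: shape.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*by\s+(?P<by>\S+)", re.I
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return hops in header order (most recent hop first) as dicts helo/ip/by."""
    msg = message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())          # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            continue
        ipm = IP_RE.search(m.group("paren") or "")
        hops.append({"helo": m.group("helo"),
                     "ip": ipm.group(1) if ipm else None,
                     "by": m.group("by")})
    return hops


def _trusted_index(hops, our_mta):
    """Index of the first hop stamped by our own MTA, or -1 if none."""
    return next((i for i, h in enumerate(hops)
                 if h["by"].lower() == our_mta.lower()), -1)


def trusted_origin(raw, our_mta):
    """IP of the client that actually connected to our_mta (None if not found)."""
    hops = received_hops(raw)
    i = _trusted_index(hops, our_mta)
    return hops[i]["ip"] if i >= 0 else None


def claimed_ips(raw, our_mta):
    """IPs named in Received: lines below the trusted hop; any may be forged."""
    hops = received_hops(raw)
    i = _trusted_index(hops, our_mta)
    return [h["ip"] for h in hops[i + 1:] if h["ip"]]


def naive_attribution(raw):
    """Every IP in every Received: line, which is what a reputation feed that
    reads headers without regard to trust would credit with the traffic."""
    return {h["ip"] for h in received_hops(raw) if h["ip"]}


if __name__ == "__main__":
    print("really connected from:", trusted_origin(SAMPLE_MESSAGE, "mx.example.com"))
    print("claimed, unverifiable:", claimed_ips(SAMPLE_MESSAGE, "mx.example.com"))
    print("naive header scan credits:", sorted(naive_attribution(SAMPLE_MESSAGE)))
```

The practical check follows from this: when a reputation service shows volume for an address you own, ask a cooperating recipient for full headers of one of the messages and look at the hop their own MTA stamped. If that hop's IP is not yours, the rest of the chain is the forgery, and your own SMTP logs and bandwidth graphs will stay flat exactly as described above.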
Bruce Barnes Replied
40+ hours is not "spare time!"
Bruce Barnes, ChicagoNetTech Inc
brucecnt@comcast.net
Phone: (773) 491-9019
Phone: (224) 444-0169
E-Mail and DNS Security Specialist, Network Security Specialist
Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/
Web and E-Mail Hosting, E-Mail Security and Consulting
dave Replied
Thanks Scarab. That is really good to know.
Scarab Replied
Agreed. Even over the course of 6 months, time is too precious to squander that many hours. I've learned to trust our bandwidth monitors we have configured on each IP and if I'm not seeing corresponding traffic at a glance, then I don't really feel compelled to look any further having learned my lesson.