SmarterMail Version - 15.5.6222
Ok, so it looks like I need to clarify where what I stated was exact and I am not guessing. I understand trying to read between the lines because of how odd this is, but that is also why I am here asking.
1) This is not a single client / e-mail address / user, it is multiple. So we are not looking at malware on a single computer.
2) When I say they sent it and there is no SMTP log, I mean exactly that. The person sends the message (all the test cases so far have been Outlook users) and the message goes out, gets copied from the outbox to sent, and there are no errors. I check the SMTP logs shortly thereafter and there is no indication of the connection at all.
3) The log snippets above are not attacks or impersonations. I get exactly 1 of these entries for each missing e-mail INSTEAD of the SMTP log entries I SHOULD HAVE SEEN when the customer sent the e-mail. It is a 1:1 relationship. The time and date stamp is between 30 seconds and 2 minutes delayed from where there should have been an entry for the SMTP connection from the E-mail client software.
4) It is not every E-mail they send.
5) I have verified the E-mail client software is set up to use (authenticated) this server for SMTP, and for most E-mail the evidence that the client is doing that is in the SMTP log. However, on the occasional instance when it is not, I will instead get these delayed, reverse connections. The IP is always from some random IP overseas, but always a Middle Eastern or Mediterranean country.
John C. Reid / Technology Director
John@prime42.net / (530) 691-0042
1300 West Street, Suite 206, Redding, CA 96001