SMTP Logs decipher
Question asked by help - April 3 at 8:47 AM
Answered
how to determine which IP is IN and OUT?

Matt Petty Replied
Employee Post Marked As Answer
SMTP logs are always inbound SMTP deliveries from clients and other servers.
Delivery logs would contain delivery information as well as the outbound SMTP deliveries (to other servers).

Hopefully this makes the difference between the 2 logs more clear. I can explain deeper if that's confusing.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
help Replied
How do I find out outgoing mails from the Delivery log?
Thank you
Robert Emmett Replied
Employee Post
Outgoing emails in the delivery will appear like SMTP traffic.  This is an example message with outbound delivery:

[2019.04.04] 00:55:00.693 [36437] Delivery started for xxxxxxxxx@outlook.com at 12:55:00 AM
[2019.04.04] 00:55:03.725 [36437] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2019.04.04] 00:55:03.725 [36437] [SpamCheckQueue] Begin Processing.
[2019.04.04] 00:55:03.975 [36437] Starting Spam Checks.
[2019.04.04] 00:55:08.632 [36437] Spam check results: [REVERSE DNS LOOKUP: 0,Passed], [_MESSAGESNIFFER: 30,code:60], [_SPF: 0,Pass], [_DKIM: 0,Pass], [BACKSCATTER: 0,passed], [CBL: 0,passed], [DNS REAL-TIME BLACKHOLE LIST: 0,passed], [HOSTKARMA - BLACKLIST: 0,passed], [HOSTKARMA - BROWNLIST: 0,passed], [MAILSPIKE L3: 0,passed], [MAILSPIKE L4: 0,passed], [MAILSPIKE L5: 0,passed], [MCAFEE: 0,passed], [SEM - BLACK: 0,passed], [SORBS - ABUSE: 0,passed], [SORBS - DYNAMIC IP: 0,passed], [SORBS - NO SERVER: 0,passed], [SORBS - NOMAIL: 0,passed], [SORBS - PROXY: 0,passed], [SORBS - RECENT: 0,passed], [SORBS - SOCKS: 0,passed], [SPAMHAUS - CSS: 0,passed], [SPAMHAUS - PBL: 0,passed], [SPAMHAUS - SBL: 0,passed], [SURRIEL: 0,passed], [TRUNCATE: 0,passed], [UCEPROTECT LEVEL 2: 0,passed], [SURBL: 0,passed], [SEM-URI: 0,passed], [URIBL BLACK: 0,passed], [URIBL GREY: 0,passed], [URIBL RED: 0,passed], [SPAMCOP: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [SPAMRATS: 0,passed]
[2019.04.04] 00:55:08.632 [36437] Spam Checks completed.
[2019.04.04] 00:55:08.632 [36437] Removed from SpamCheckQueue (0 queued or processing)
[2019.04.04] 00:55:09.726 [36437] Added to LocalDeliveryQueue (1 queued; 0/50 processing)
[2019.04.04] 00:55:09.726 [36437] [LocalDeliveryQueue] Begin Processing.
[2019.04.04] 00:55:09.741 [36437] Starting local delivery to yyyyy@yyyy.com
[2019.04.04] 00:55:09.772 [36437] Delivery for xxxxxxxxx@outlook.com to yyyyy@yyyy.com has completed (Forwarded Delivered to Junk Email) Filter: Spam (Weight: 30), Action (Global Level): MoveToFolder
[2019.04.04] 00:55:09.772 [36437] End delivery to yyyyy@yyyy.com (MessageID: <BYAPR01MB4280F1EA2F7F7883CE93DCEBDA500@BYAPR01MB4280.yyyy.com>)
[2019.04.04] 00:55:09.772 [36437] Removed from LocalDeliveryQueue (0 queued or processing)
[2019.04.04] 00:55:12.741 [36437] Added to RemoteDeliveryQueue (1 queued; 0/50 processing)
[2019.04.04] 00:55:12.741 [36437] [RemoteDeliveryQueue] Begin Processing.
[2019.04.04] 00:55:12.741 [36437] Sending remote mail for xxxxxxxxx@outlook.com
[2019.04.04] 00:55:12.804 [36437] MxRecord count: '3' for domain 'yahoo.com'
[2019.04.04] 00:55:12.804 [36437] Attempting MxRecord Host Name: 'mta6.am0.yahoodns.net', preference '1', Ip Count: '8'
[2019.04.04] 00:55:12.804 [36437] Attempting to send to MxRecord 'mta6.am0.yahoodns.net' ip: '98.137.159.27'
[2019.04.04] 00:55:12.804 [36437] Sending remote mail to: zzzzz@yahoo.com
[2019.04.04] 00:55:12.804 [36437] Initiating connection to 98.137.159.27
[2019.04.04] 00:55:12.804 [36437] Connecting to 98.137.159.27:25 (Id: 1)
[2019.04.04] 00:55:12.804 [36437] Binding to local IP aa.bb.cc.dd:0 (Id: 1)
[2019.04.04] 00:55:12.866 [36437] Connection to 98.137.159.27:25 from aa.bb.cc.dd:54285 succeeded (Id: 1)
[2019.04.04] 00:55:12.944 [36437] RSP: 220 mta4362.mail.ne1.yahoo.com ESMTP ready
[2019.04.04] 00:55:12.944 [36437] CMD: EHLO domain.com
[2019.04.04] 00:55:13.023 [36437] RSP: 250-mta4362.mail.ne1.yahoo.com
[2019.04.04] 00:55:13.023 [36437] RSP: 250-PIPELINING
[2019.04.04] 00:55:13.023 [36437] RSP: 250-SIZE 41943040
[2019.04.04] 00:55:13.023 [36437] RSP: 250-8BITMIME
[2019.04.04] 00:55:13.023 [36437] RSP: 250 STARTTLS
[2019.04.04] 00:55:13.023 [36437] CMD: STARTTLS
[2019.04.04] 00:55:13.085 [36437] RSP: 220 2.0.0 Start TLS
[2019.04.04] 00:55:13.210 [36437] CMD: EHLO domain.com
[2019.04.04] 00:55:13.288 [36437] RSP: 250-mta4362.mail.ne1.yahoo.com
[2019.04.04] 00:55:13.288 [36437] RSP: 250-PIPELINING
[2019.04.04] 00:55:13.288 [36437] RSP: 250-SIZE 41943040
[2019.04.04] 00:55:13.288 [36437] RSP: 250 8BITMIME
[2019.04.04] 00:55:13.288 [36437] CMD: MAIL FROM:<SRS0=V6NW=V4=OUTLOOK.COM=xxxxxxxxxx@xxxx.COM> SIZE=15119
[2019.04.04] 00:55:13.351 [36437] RSP: 250 sender <SRS0=V6NW=V4=OUTLOOK.COM=xxxxxxxxx@xxxx.com> ok
[2019.04.04] 00:55:13.351 [36437] CMD: RCPT TO:<zzzz@yahoo.com>
[2019.04.04] 00:55:13.413 [36437] RSP: 250 recipient <zzzz@yahoo.com> ok
[2019.04.04] 00:55:13.413 [36437] CMD: DATA
[2019.04.04] 00:55:13.476 [36437] RSP: 354 go ahead
[2019.04.04] 00:55:14.210 [36437] RSP: 250 ok dirdel
[2019.04.04] 00:55:14.210 [36437] CMD: QUIT
[2019.04.04] 00:55:14.273 [36437] RSP: 221 mta4362.mail.ne1.yahoo.com
[2019.04.04] 00:55:14.273 [36437] Attempt to ip, '98.137.159.27' success: 'True'
[2019.04.04] 00:55:14.273 [36437] Delivery for xxxxxxxxx@outlook.com to zzzz@yahoo.com has completed (Delivered)
[2019.04.04] 00:55:14.273 [36437] Removed from RemoteDeliveryQueue (0 queued or processing)
[2019.04.04] 00:55:15.757 [36437] Removing Spool message: Killed: False, Failed: False, Finished: True
[2019.04.04] 00:55:15.757 [36437] Delivery finished for xxxxxxxxxx@outlook.com at 12:55:15 AM    [id:303735736437]

From this example you can see that the incoming email was delivered to a local recipient but they have automatic forwarding enabled.  The message was then sent (forwarded) to Yahoo! at their 98.137.159.27 IP.  The actual outbound session will be SMTP in nature.

I hope this helps.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
help Replied
Hi Robert,
if I don't have any forward, how do I find out outgoing mail from the Delivery log?
Robert Emmett Replied
Employee Post
It will look the same.  You will have a line stating you are sending remote mail.  Then you should see the EHLO, MAIL FROM, RCPT TO, and other SMTP commands.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
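
Added example, not part of the original thread and not SmarterTools code: a small Python parser that picks the outbound sessions out of a delivery log by looking for the "Sending remote mail" line and the SMTP commands that follow it, as described in the replies above. It assumes the bracketed number after the timestamp identifies one message's delivery session and that line wording matches the sample in the thread; the log lines in `SAMPLE` are constructed.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^\[\d{4}\.\d{2}\.\d{2}\] \d{2}:\d{2}:\d{2}\.\d{3} \[(\d+)\] (.*)$")
CONNECT = re.compile(r"^Connection to (\S+):(\d+) from (\S+):(\d+) succeeded")
ENVELOPE = re.compile(r"^CMD: (MAIL FROM|RCPT TO):<([^>]*)>", re.I)
DONE = re.compile(r"^Delivery for (\S+) to (\S+) has completed \((.*?)\)")

# Constructed sample in the delivery-log layout shown in the thread; session
# 36501 is local-only and its lines are interleaved with outbound session 36500.
SAMPLE = """\
[2019.04.04] 01:10:00.100 [36500] Delivery started for alice@example.org at 1:10:00 AM
[2019.04.04] 01:10:00.150 [36501] Delivery started for carol@example.net at 1:10:00 AM
[2019.04.04] 01:10:00.200 [36500] Sending remote mail for alice@example.org
[2019.04.04] 01:10:00.250 [36501] Starting local delivery to dave@example.org
[2019.04.04] 01:10:00.300 [36500] Connection to 192.0.2.25:25 from 198.51.100.7:54285 succeeded (Id: 1)
[2019.04.04] 01:10:00.400 [36500] CMD: MAIL FROM:<alice@example.org> SIZE=15119
[2019.04.04] 01:10:00.450 [36501] Delivery for carol@example.net to dave@example.org has completed (Delivered)
[2019.04.04] 01:10:00.500 [36500] CMD: RCPT TO:<bob@example.com>
[2019.04.04] 01:10:00.600 [36500] RSP: 250 ok
[2019.04.04] 01:10:00.700 [36500] Delivery for alice@example.org to bob@example.com has completed (Delivered)
"""

def outbound_sessions(log_text):
    """Group lines by session id; return only sessions that sent remote mail."""
    sessions = defaultdict(lambda: {"outbound": False, "remote_ip": None, "local_ip": None,
                                    "mail_from": None, "rcpt_to": [], "results": []})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip blank or wrapped lines
        sid, msg = m.groups()
        s = sessions[sid]
        if msg.startswith("Sending remote mail for "):
            s["outbound"] = True  # marker line for an outbound (remote) delivery
        elif (c := CONNECT.match(msg)):
            s["remote_ip"], s["local_ip"] = c.group(1), c.group(3)  # OUT to / OUT from
        elif (e := ENVELOPE.match(msg)):
            if e.group(1).upper() == "MAIL FROM":
                s["mail_from"] = e.group(2)
            else:
                s["rcpt_to"].append(e.group(2))
        elif (d := DONE.match(msg)):
            s["results"].append((d.group(2), d.group(3)))
    return {sid: s for sid, s in sessions.items() if s["outbound"]}

if __name__ == "__main__":
    for sid, s in outbound_sessions(SAMPLE).items():
        print(sid, s["local_ip"], "->", s["remote_ip"], s["mail_from"], s["rcpt_to"], s["results"])
```

For a message that is delivered locally and then forwarded, as in the log posted above, `results` will hold both the local and the remote completion entries for the same session id.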