How do I see the sender's machine IP in the delivery logs?
Question asked by Shane Rolfe - 3/17/2025 at 5:24 AM
Answered
If I view the delivery logs in SmarterMail, I do not see the IP address of the sender's machine. How do I enable this or view this information in SmarterMail?

2 Replies

0
Tony Scholz Replied
Employee Post Marked As Answer
Hello Shane, 

To get the IP address you will need to review the SMTP log. Below is an explanation of how to track a message back and forth through the logs.

We start with the SMTP log when the message hits the server. The Session ID will let you see the full session. If you have the MessageID of the email from the junk email folder, spool, or anywhere, you can search for that with "Display Related Traffic" enabled to get the full session. And if you have the EML/HDR number from the spool or another log.

[2025.03.13] 09:25:22.663 [10.1.1.80][44848045] rsp: 220 sup-ascholzl.st.local
[2025.03.13] 09:25:22.695 [10.1.1.80][44848045] connected at 3/13/2025 9:25:22 AM
[2025.03.13] 09:25:22.780 [10.1.1.80][44848045] Country code: Unknown
[2025.03.13] 09:25:22.780 [10.1.1.80][44848045] IP in whitelist
[2025.03.13] 09:25:22.798 [10.1.1.80][44848045] cmd: ehlo Tony-MBP.local
[2025.03.13] 09:25:22.807 [10.1.1.80][44848045] rsp: 250-sup-ascholzl.st.local Hello [10.1.1.80]250-SIZE 699050666250-AUTH LOGIN CRAM-MD5250-8BITMIME250-SMTPUTF8250-DSN250 OK
[2025.03.13] 09:25:22.812 [10.1.1.80][44848045] cmd: mail FROM:<stormy.pixel@neoninbox.com> size=981
[2025.03.13] 09:25:22.915 [10.1.1.80][44848045] senderEmail(1): stormy.pixel@neoninbox.com
[2025.03.13] 09:25:22.980 [10.1.1.80][44848045] rsp: 250 OK <stormy.pixel@neoninbox.com> Sender ok
[2025.03.13] 09:25:22.980 [10.1.1.80][44848045] Sender accepted. Weight: 0.
[2025.03.13] 09:25:22.984 [10.1.1.80][44848045] cmd: rcpt TO:<admin@ascholz.linux>
[2025.03.13] 09:25:23.304 [10.1.1.80][44848045] rsp: 250 OK <admin@ascholz.linux> Recipient ok
[2025.03.13] 09:25:23.308 [10.1.1.80][44848045] cmd: data
[2025.03.13] 09:25:23.324 [10.1.1.80][44848045] Performing PTR host name lookup for 10.1.1.80
[2025.03.13] 09:25:23.382 [10.1.1.80][44848045] PTR host name for 10.1.1.80 resolved as UnknownHost
[2025.03.13] 09:25:23.577 [10.1.1.80][44848045] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2025.03.13] 09:25:23.615 [10.1.1.80][44848045] senderEmail(2): stormy.pixel@neoninbox.com parsed using: stormy.pixel@neoninbox.com
[2025.03.13] 09:25:24.274 [10.1.1.80][44848045] DMARC Results: None (Domain: , Reason: No DMARC record found), Reason: No DMARC record found, Reject? False
[2025.03.13] 09:25:24.274 [10.1.1.80][44848045] rsp: 250 OK
[2025.03.13] 09:25:24.296 [10.1.1.80][44848045] Received message size: 984 bytes
[2025.03.13] 09:25:25.161 [10.1.1.80][44848045] Successfully wrote to the HDR file. (/var/lib/smartermail/Spool/SubSpool3/25720549555.hdr)
[2025.03.13] 09:25:25.168 [10.1.1.80][44848045] Data transfer succeeded, writing mail to 25720549555.eml (MessageID: <77FDBEB2-747B-4B59-A5C9-80AD6FBC77FF@TONY-MBP.LOCAL.TLD>)
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] cmd: QUIT
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] rsp: 221 Service closing transmission channel
[2025.03.13] 09:25:25.189 [10.1.1.80][44848045] disconnected at 3/13/2025 9:25:25 AM

Next, we look at the Delivery Logs. I am going to use the Eml/Hdr number (25720549555) to do my search with "Display Related Traffic" enabled. In the logs below you will notice that the Delivery Session ID is a portion of this number [25720549555 -> 20549555].

[2025.03.13] 09:25:25.294 [20549555] Delivery started for stormy.pixel@neoninbox.com at 9:25:25 AM
[2025.03.13] 09:25:28.342 [20549555] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2025.03.13] 09:25:28.361 [20549555] [SpamCheckQueue] Begin Processing.
[2025.03.13] 09:25:28.539 [20549555] Blocked Sender Checks started.
[2025.03.13] 09:25:28.539 [20549555] Blocked Sender Checks completed.
[2025.03.13] 09:25:41.841 [20549555] Spam Checks started.
[2025.03.13] 09:25:47.719 [20549555] Finished running spam checks. Time (non-rbls): 4438ms, Time (URIBL/RBLS): 1336ms
[2025.03.13] 09:25:47.756 [20549555] Spam Check results: [_DMARC: 0,none], [REVERSE DNS LOOKUP: 15,ReverseFailed], [NULL SENDER: 0,passed], [_INTERNALSPAMASSASSIN: 0:0], [_SPF: 10,SoftFail], [_DKIM: 10,None], [_ARC: none], [HOSTKARMA: 0], [SPAMCOP: 0], [UCEPROTECT LEVEL 1: 0], [BACKSCATTER: 0], [SEM - BLACK: 0], [BARRACUDA: 0], [UCEPROTECT LEVEL 2: 0], [SURRIEL: 0], [TRUNCATE: 0], [SPAMHAUS: 0], [URIBL BLACK: 0], [SEM-URI: 0]
[2025.03.13] 09:25:47.756 [20549555] Spam Checks completed.
[2025.03.13] 09:25:47.759 [20549555] Removed from SpamCheckQueue (0 queued or processing)
[2025.03.13] 09:25:49.554 [20549555] Added to LocalDeliveryQueue (1 queued; 0/50 processing)
[2025.03.13] 09:25:49.554 [20549555] [LocalDeliveryQueue] Begin Processing.
[2025.03.13] 09:25:49.620 [20549555] Starting local delivery to admin@ascholz.linux
[2025.03.13] 09:25:49.999 [20549555] Message saved to MailProcessing directory for admin@ascholz.linux. File name: 20549555-30011-NOID.tmpmsg
[2025.03.13] 09:25:50.022 [20549555] Process delivery status notification step from local recipient success. Recipient: [admin@ascholz.linux], Notify: [], Delivered: [True], Forwarded: [False], Deleted: False
[2025.03.13] 09:25:50.166 [20549555] Delivery for stormy.pixel@neoninbox.com to admin@ascholz.linux has completed (Delivered to Junk Email) Filter: Spam (Weight: 35), Action (Global Level): MoveToFolder
[2025.03.13] 09:25:50.166 [20549555] End delivery to admin@ascholz.linux (MessageID: <77FDBEB2-747B-4B59-A5C9-80AD6FBC77FF@TONY-MBP.LOCAL.TLD>)
[2025.03.13] 09:25:50.170 [20549555] Removed from LocalDeliveryQueue (0 queued or processing)
[2025.03.13] 09:25:52.563 [20549555] Removing Spool message: Killed: False, Failed: False, Finished: True
[2025.03.13] 09:25:52.598 [20549555] Delivery finished for stormy.pixel@neoninbox.com at 9:25:52 AM    [id:25720549555]


Using the same Eml/Hdr number (25720549555), I will also search the Spam Check Logs to get any details needed as well. This will show any Spam Checks that were run during the Delivery Thread.

[2025.03.13] 09:25:28.361 [20549555] SpamCheck Processing Thread Started
[2025.03.13] 09:25:28.540 [20549555] Filetype Checks started.
[2025.03.13] 09:25:28.547 [20549555] Filetype Checks completed.
[2025.03.13] 09:25:28.547 [20549555] ClamD Checks started.
[2025.03.13] 09:25:41.840 [20549555] ClamD Checks completed.
[2025.03.13] 09:25:41.943 [20549555] Spam checks to run: Reverse Dns Lookup, Null Sender, Internal SpamAssassin, _SPF, _DKIM, _ARC, Backscatter, Barracuda, HostKarma, SEM - Black, SpamCop, Spamhaus, Truncate, UCEProtect Level 1, UCEProtect Level 2, SEM-URI, URIBL Black, Surriel
[2025.03.13] 09:25:41.944 [20549555] Found 18 spam checks to run: Reverse Dns Lookup, Null Sender, Internal SpamAssassin, _SPF, _DKIM, _ARC, Backscatter, Barracuda, HostKarma, SEM - Black, SpamCop, Spamhaus, Truncate, UCEProtect Level 1, UCEProtect Level 2, SEM-URI, URIBL Black, Surriel
[2025.03.13] 09:25:41.944 [20549555] Spam check args: from: stormy.pixel@neoninbox.com; messageID: 20549555; messagePath: /var/lib/smartermail/Spool/SubSpool3/25720549555.eml; sender: stormy.pixel@neoninbox.com; sendersDomain: neoninbox.com; sendersIp: 10.1.1.80; returnPath: stormy.pixel@neoninbox.com; sendersEhlo: Tony-MBP.local
[2025.03.13] 09:25:42.014 [20549555] [10.1.1.80] No valid reverse DNS entry found.
[2025.03.13] 09:25:45.793 [20549555] Running SPF check
[2025.03.13] 09:25:46.348 [20549555] SPF SoftFail. IP: 10.1.1.80, Sender: stormy.pixel@neoninbox.com, FailReason:
[2025.03.13]     SPF Record: v=spf1 include:spf.efwd.registrar-servers.com ~all
[2025.03.13] 09:25:46.348 [20549555] Finished SPF check; result = SoftFail
[2025.03.13] 09:25:46.348 [20549555] [DKIM] Performing DKIM check...
[2025.03.13] 09:25:46.382 [20549555] [DKIM] Result: NoSignature.
[2025.03.13] 09:25:46.382 [20549555] [ARC] Performing ARC verification...
[2025.03.13] 09:25:47.719 [20549555] Spam Checks took 5822 ms
[2025.03.13] 09:25:47.756 [20549555] Spam Checks completed.
[2025.03.13] 09:25:47.758 [20549555] SpamCheck Processing Thread Completed

Hope this helps
Tony Scholz System/Network Administrator SmarterTools Inc. www.smartertools.com
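
Added example (not part of the post above and not SmarterTools code): the manual correlation described in the answer, as a small Python script that starts from an EML/HDR number, finds the SMTP session that wrote it, and returns the client IP together with the matching delivery-log lines. The function name and the last-8-digits rule for the delivery session ID are assumptions drawn from the single example in the logs above.

```python
import re

# SMTP log lines carry [client IP][session ID]; delivery log lines only [session ID].
SMTP_RE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[([^\]]+)\]\[(\d+)\] (.*)$")
DELIV_RE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[(\d+)\] (.*)$")
MAIL_RE = re.compile(r"^cmd: mail FROM:<([^>]*)>", re.I)

# Sample input: session 44848045 is copied from the post; 44848046 is constructed.
SMTP_LOG = """\
[2025.03.13] 09:25:22.695 [10.1.1.80][44848045] connected at 3/13/2025 9:25:22 AM
[2025.03.13] 09:25:22.812 [10.1.1.80][44848045] cmd: mail FROM:<stormy.pixel@neoninbox.com> size=981
[2025.03.13] 09:25:25.168 [10.1.1.80][44848045] Data transfer succeeded, writing mail to 25720549555.eml (MessageID: <77FDBEB2-747B-4B59-A5C9-80AD6FBC77FF@TONY-MBP.LOCAL.TLD>)
[2025.03.13] 09:30:01.100 [192.0.2.7][44848046] connected at 3/13/2025 9:30:01 AM
[2025.03.13] 09:30:03.400 [192.0.2.7][44848046] Data transfer succeeded, writing mail to 25720549556.eml (MessageID: <constructed@example.test>)
"""
DELIVERY_LOG = """\
[2025.03.13] 09:25:25.294 [20549555] Delivery started for stormy.pixel@neoninbox.com at 9:25:25 AM
[2025.03.13] 09:25:50.166 [20549555] Delivery for stormy.pixel@neoninbox.com to admin@ascholz.linux has completed (Delivered to Junk Email) Filter: Spam (Weight: 35), Action (Global Level): MoveToFolder
[2025.03.13] 09:30:04.000 [20549556] Delivery started for constructed@example.test at 9:30:04 AM
"""

def trace_message(spool_id, smtp_log, delivery_log):
    """Follow one EML/HDR number from the SMTP session to its delivery session."""
    sessions, hit = {}, None
    for line in smtp_log.splitlines():
        m = SMTP_RE.match(line)
        if not m:
            continue  # lines without [ip][session] belong to no session
        ip, sid, msg = m.groups()
        sessions.setdefault(sid, (ip, []))[1].append(msg)
        if f"writing mail to {spool_id}.eml" in msg:
            hit = sid
    if hit is None:
        return None  # this spool file was not written by any logged session
    ip, msgs = sessions[hit]
    sender = next((m.group(1) for m in map(MAIL_RE.match, msgs) if m), None)
    # Assumption from the single example in the post (25720549555 -> 20549555):
    # the delivery session ID is the last 8 digits of the EML/HDR number.
    delivery_id = spool_id[-8:]
    delivery = [m.group(2) for m in map(DELIV_RE.match, delivery_log.splitlines())
                if m and m.group(1) == delivery_id]
    return {"client_ip": ip, "smtp_session": hit, "mail_from": sender,
            "delivery_session": delivery_id, "delivery": delivery}

if __name__ == "__main__":
    print(trace_message("25720549555", SMTP_LOG, DELIVERY_LOG))
```

The same delivery session ID also keys the Spam Check log, where the `Spam check args` line repeats the address as `sendersIp`.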
0
Heimir Eidskrem Replied
Tony,
It would be great if a search function would tie those logs together.  It's cumbersome to look at all those logs separately.

