crp0499 (United States) asked:
Interpreting Exchange 2K SMTP log

Please help me understand how to read this log and tell me if it looks normal or not?

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-07-07 00:01:33
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:01:33 64.156.132.246 EHLO - 250
00:01:33 64.156.132.246 MAIL - 250
00:01:33 64.156.132.246 RCPT - 250
00:01:36 64.156.132.246 DATA - 250
00:01:36 64.156.132.246 QUIT - 240
00:02:52 61.81.187.72 HELO - 250
00:02:52 61.81.187.72 MAIL - 250
00:02:52 61.81.187.72 RCPT - 250
00:02:55 61.81.187.72 DATA - 250
00:02:55 61.81.187.72 QUIT - 240
00:03:26 66.63.180.15 - - 0
00:03:26 66.63.180.15 QUIT - 0
00:04:05 200.125.91.12 HELO - 250
00:04:05 200.125.91.12 MAIL - 250
00:04:05 200.125.91.12 RCPT - 250
00:04:06 200.125.91.12 DATA - 250
00:04:06 200.125.91.12 QUIT - 240
00:04:33 201.254.67.222 QUIT - 240
00:04:45 62.142.5.27 - - 0
00:04:55 212.160.59.88 HELO - 250
00:04:57 212.160.59.88 MAIL - 250
00:04:59 212.160.59.88 RCPT - 250
00:05:01 200.154.55.242 - - 0
00:05:01 212.160.59.88 RCPT - 250
00:05:04 212.160.59.88 RCPT - 250
00:05:06 212.160.59.88 RCPT - 250
00:05:12 212.160.59.88 RCPT - 250
00:05:15 212.160.59.88 RCPT - 250
00:05:17 212.160.59.88 RCPT - 250
00:05:20 212.160.59.88 RCPT - 250
00:05:26 212.160.59.88 DATA - 250
00:05:29 212.160.59.88 MAIL - 250
00:05:31 212.160.59.88 RCPT - 250
00:05:33 212.160.59.88 RCPT - 250
00:05:35 212.160.59.88 RCPT - 250
00:05:37 212.160.59.88 RCPT - 250
00:05:39 212.160.59.88 RCPT - 250
00:05:45 212.160.59.88 DATA - 250
00:05:49 212.160.59.88 QUIT - 240
00:06:36 218.214.67.62 EHLO - 250
00:06:36 218.214.67.62 MAIL - 250
00:06:36 218.214.67.62 RCPT - 250
00:06:36 218.214.67.62 xexch50 - 504
00:06:38 218.214.67.62 BDAT - 250
00:06:38 218.214.67.62 QUIT - 240
00:09:17 209.73.178.149 HELO - 250
00:09:17 209.73.178.149 MAIL - 250
00:09:17 209.73.178.149 RCPT - 250
00:09:17 209.73.178.149 DATA - 250
00:09:17 209.73.178.149 QUIT - 240
00:09:47 210.245.94.189 HELO - 250
00:09:47 210.245.94.189 MAIL - 250
00:09:47 210.245.94.189 RCPT - 250
00:09:48 210.245.94.189 DATA - 250
00:09:48 210.245.94.189 QUIT - 240
00:10:03 211.171.2.141 HELO - 250
00:10:03 211.171.2.141 MAIL - 250
00:10:03 211.171.2.141 RCPT - 250
00:10:05 211.171.2.141 DATA - 250
00:10:05 211.171.2.141 QUIT - 240
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 EHLO - 0
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 MAIL - 0
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 RCPT - 0
00:10:50 202.147.57.6 - - 0
00:10:50 202.147.57.6 RSET - 0
00:10:50 202.147.57.6 - - 0
00:10:50 202.147.57.8 - - 0
00:10:50 202.147.57.8 EHLO - 0
00:10:50 202.147.57.8 - - 0
00:10:50 202.147.57.8 MAIL - 0
00:10:51 202.147.57.8 - - 0
00:10:51 202.147.57.8 RCPT - 0
00:10:51 202.147.57.8 - - 0
00:10:51 202.147.57.8 RSET - 0
00:10:51 202.147.57.8 - - 0
00:11:57 208.130.131.53 EHLO - 250
00:11:57 208.130.131.53 MAIL - 250
00:11:57 208.130.131.53 RCPT - 250
00:11:59 208.130.131.53 DATA - 250
00:11:59 208.130.131.53 QUIT - 240
00:20:37 66.218.66.46 HELO - 250
00:20:37 66.218.66.46 MAIL - 250
00:20:37 66.218.66.46 RCPT - 250
00:20:37 66.218.66.46 DATA - 250
00:20:38 66.218.66.46 QUIT - 240
00:21:39 64.156.132.246 EHLO - 250
00:21:39 64.156.132.246 MAIL - 250
00:21:39 64.156.132.246 RCPT - 250
00:21:39 64.156.132.246 DATA - 250
00:21:39 64.156.132.246 QUIT - 240
00:21:55 71.97.9.99 EHLO - 250
00:21:55 71.97.9.99 MAIL - 250
00:21:55 71.97.9.99 RCPT - 250
00:21:55 71.97.9.99 RCPT - 250
00:21:56 71.97.9.99 DATA - 250
00:21:56 71.97.9.99 MAIL - 250
00:21:56 71.97.9.99 RCPT - 250
00:21:56 71.97.9.99 RCPT - 250
00:21:56 71.97.9.99 RCPT - 250
00:21:58 71.97.9.99 DATA - 250
00:21:58 71.97.9.99 MAIL - 250
00:21:58 71.97.9.99 RCPT - 250
00:21:58 71.97.9.99 RCPT - 250
00:21:58 71.97.9.99 RCPT - 250
00:21:59 71.97.9.99 DATA - 250
00:21:59 71.97.9.99 MAIL - 250
00:21:59 71.97.9.99 RCPT - 250
00:22:00 71.97.9.99 DATA - 250
00:22:00 71.97.9.99 QUIT - 240
00:23:21 66.120.131.130 HELO - 250
00:23:23 66.120.131.130 MAIL - 250
00:23:23 66.120.131.130 RCPT - 250
00:23:30 66.120.131.130 DATA - 250
00:23:31 66.120.131.130 QUIT - 240
00:23:47 8.10.16.238 HELO - 250
00:23:47 8.10.16.238 MAIL - 250
00:23:47 8.10.16.238 RCPT - 250
00:23:47 8.10.16.238 DATA - 250
00:23:52 8.10.16.238 QUIT - 240
00:24:07 210.16.194.247 HELO - 250
00:24:07 210.16.194.247 MAIL - 250
00:24:07 210.16.194.247 RCPT - 250
00:24:11 210.16.194.247 DATA - 250
00:24:11 210.16.194.247 QUIT - 240
00:25:37 216.139.147.19 HELO - 250
00:25:37 216.139.147.19 MAIL - 250
00:25:37 216.139.147.19 RCPT - 250
00:25:37 216.139.147.19 DATA - 250
00:25:37 216.139.147.19 QUIT - 240
00:25:52 67.141.109.191 HELO - 250
00:25:52 67.141.109.191 MAIL - 250
00:25:54 67.141.109.191 RCPT - 250
00:25:54 67.141.109.191 DATA - 250
00:25:55 67.141.109.191 QUIT - 240
00:26:30 24.79.93.62 HELO - 250
00:26:30 24.79.93.62 MAIL - 250
00:26:30 24.79.93.62 RCPT - 250
00:26:30 24.79.93.62 DATA - 250
00:26:30 24.79.93.62 QUIT - 240
00:26:34 70.35.138.156 HELO - 250
00:26:34 70.35.138.156 MAIL - 250
00:26:34 70.35.138.156 RCPT - 250
00:26:35 70.35.138.156 DATA - 250
00:26:37 70.35.138.156 QUIT - 240
ASKER CERTIFIED SOLUTION from redseatechnologies (Australia). The accepted answer is members-only and is not shown on this page.
crp0499 (asker):

Thanks Red for the reply.  I got an e-mail from RR today telling me there were some complaints about my IP...something about unsolicited bounce and they told me to clean it up.  I was looking at the log making sure nothing fishy was going on.  I'm also scanning for viruses too.
redseatechnologies:

Ahhh yes, I am helping you on the virus thing in another question.

Go to

http://scan.sygate.com

and do a complete scan to make sure there is nothing open there (that shouldn't be).

I don't know of any free open relay tests, but as you suggested in the other question, shutting down SMTP may be a good idea until you get access to it.

-red
crp0499 (asker):

So the log simply reflects mail coming in like it's supposed to?  You see nothing strange that might point to the unsolicited bounces?
redseatechnologies:

How long is a piece of string? It is totally open to interpretation.

Looking at it again, there is definitely the possibility of you being an open relay.

You have 2 servers that connect and send to multiple recipients (71.97.9.99 and 212.160.59.88).

Checking those, neither is listed as a relay, but the first one is a DSL account (not a good sign) and the second one is from Poland (also not a good sign unless you work with that country).

Go to www.ordb.org and list yourself to be tested as an open relay.

-red
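The check Red does by eye above (find peers that send to many recipients, or several messages in one connection) can be done mechanically on the whole log. The following is an added example, not code from the thread: it parses the W3C extended format declared by the "#Fields:" header in the question, groups records by client IP (this log carries no session id, so one IP in the window is treated as one peer), and flags peers on Red's criteria plus the two other oddities visible in the posted log: a command answered with a 4xx/5xx code (the "xexch50 - 504" line) and commands logged with status 0 and no reply. QUIT is logged as 240 throughout the posted log, so only 250 is treated as success. The thresholds are assumptions; the sample log is an excerpt of the lines from the question.

```python
from collections import defaultdict

# Constructed sample: the #Fields header plus an excerpt of the log quoted above.
SAMPLE_LOG = """\
#Date: 2005-07-07 00:01:33
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:01:33 64.156.132.246 EHLO - 250
00:01:33 64.156.132.246 MAIL - 250
00:01:33 64.156.132.246 RCPT - 250
00:01:36 64.156.132.246 DATA - 250
00:01:36 64.156.132.246 QUIT - 240
00:04:55 212.160.59.88 HELO - 250
00:04:57 212.160.59.88 MAIL - 250
00:04:59 212.160.59.88 RCPT - 250
00:05:01 212.160.59.88 RCPT - 250
00:05:04 212.160.59.88 RCPT - 250
00:05:26 212.160.59.88 DATA - 250
00:05:29 212.160.59.88 MAIL - 250
00:05:31 212.160.59.88 RCPT - 250
00:05:33 212.160.59.88 RCPT - 250
00:05:45 212.160.59.88 DATA - 250
00:05:49 212.160.59.88 QUIT - 240
00:06:36 218.214.67.62 EHLO - 250
00:06:36 218.214.67.62 MAIL - 250
00:06:36 218.214.67.62 RCPT - 250
00:06:36 218.214.67.62 xexch50 - 504
00:06:38 218.214.67.62 BDAT - 250
00:06:38 218.214.67.62 QUIT - 240
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 EHLO - 0
00:10:45 202.147.57.6 MAIL - 0
00:10:45 202.147.57.6 RCPT - 0
"""


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) == len(fields):  # skip garbled lines instead of aborting
            yield dict(zip(fields, parts))


def summarize_peers(text):
    """Count per client IP what the peer did (no session id in this log format)."""
    stats = defaultdict(lambda: dict(mail=0, rcpt=0, data=0, max_rcpt=0,
                                     cur=0, rejected=0, nostatus=0))
    for rec in parse_w3c(text):
        s = stats[rec["c-ip"]]
        verb, status = rec["cs-method"].upper(), rec["sc-status"]
        if status == "0":
            s["nostatus"] += 1     # no reply logged: dropped or incomplete exchange
        elif status[0] in "45":
            s["rejected"] += 1     # 4xx/5xx refusal, e.g. the 504 on xexch50
        if status != "250":        # QUIT is logged as 240; only 250 is a success
            continue
        if verb == "MAIL":
            s["mail"] += 1
            s["cur"] = 0
        elif verb == "RCPT":
            s["rcpt"] += 1
            s["cur"] += 1
            s["max_rcpt"] = max(s["max_rcpt"], s["cur"])
        elif verb in ("DATA", "BDAT"):
            s["data"] += 1
    return dict(stats)


def flag_peers(stats, rcpt_threshold=3, mail_threshold=2):
    """Return {ip: [reasons]} for peers worth a closer look. Thresholds are
    assumptions for this example; many recipients per message is not proof of
    relaying on its own (an upstream MX delivering list mail looks the same)."""
    out = {}
    for ip, s in sorted(stats.items()):
        reasons = []
        if s["max_rcpt"] >= rcpt_threshold:
            reasons.append("%d recipients on one MAIL" % s["max_rcpt"])
        if s["mail"] >= mail_threshold:
            reasons.append("%d messages from one peer" % s["mail"])
        if s["rejected"]:
            reasons.append("%d command(s) rejected with 4xx/5xx" % s["rejected"])
        if s["nostatus"] and not s["data"]:
            reasons.append("commands logged with status 0 and nothing delivered")
        if reasons:
            out[ip] = reasons
    return out


if __name__ == "__main__":
    for ip, reasons in flag_peers(summarize_peers(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the full log file instead of SAMPLE_LOG and 212.160.59.88 and 71.97.9.99 come out on top, as Red noted. The SMTP protocol log cannot tell you who the mail was for or whether it was relayed onward; for that, pair the flagged IP and time with the Exchange 2000 message-tracking log, which records sender, recipients and delivery status per message.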
crp0499 (asker):

This is what Sygate replied with. Look OK?

This is the public IP address that is visible to the internet.
Note: this may not be your IP address if you are connecting through a router, proxy or firewall.

Trying to gather information from your web browser...

Operating System = Windows 2000
Browser = Microsoft Internet Explorer 6.0

Trying to find out your computer name...

Unable to determine your computer name!

Trying to find out what services you are running...

FTP Server Open = 220 win2kserver Microsoft FTP Service (Version 5.0).
POP3 Mail Server Found = +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (win2kserver.crpoe.com) ready.
SMTP Mail Server Found = 220 win2kserver.crpoe.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Wed, 6 Jul 2005 20:01:39 -0500
crp0499 (asker):

Does it look like those two referenced earlier were successful in sending mail from my server?
redseatechnologies:

You are not an open relay (thankfully).

So that is at least some good news; I doubt that people were sending from your mail server.

-red
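The ordb.org listing Red suggested earlier, and the verdict above, both come down to one SMTP exchange: connect, give an outside sender in MAIL FROM, give an outside recipient in RCPT TO, and see whether the server answers 250 (it would relay) or a 5xx (it refuses). The following is an added example, not code from the thread, that performs that probe with the standard smtplib module and then resets the transaction so nothing is queued. The in-process fake server and every address in it are constructed for the demo. Only probe servers you are responsible for, and probe from outside your own network: Exchange 2000 evaluates its relay restrictions against the connecting IP address, so a test from the LAN can answer differently from one run from the Internet.

```python
import smtplib
import socket
import threading


def probe_relay(host, port, mail_from, rcpt_to, timeout=10):
    """Ask a server whether it would accept mail for an address it does not host.
    Returns (would_relay, rcpt_code, rcpt_reply). Only MAIL/RCPT are sent and the
    transaction is reset afterwards, so no message is ever queued."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, reply = smtp.mail(mail_from)
        if code != 250:
            return False, code, reply.decode("ascii", "replace")
        code, reply = smtp.rcpt(rcpt_to)
        smtp.rset()
        return code in (250, 251), code, reply.decode("ascii", "replace")


def fake_smtp_server(open_relay, local_domain="example.test"):
    """Minimal in-process SMTP responder, constructed for this example so the probe
    can run offline. RCPT for local_domain is always accepted; RCPT for any other
    domain is accepted only when open_relay is True. Serves one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as rd:
            conn.sendall(b"220 fake ESMTP ready\r\n")
            while True:
                raw = rd.readline()
                if not raw:
                    break
                line = raw.decode("ascii", "replace").strip()
                verb = line.split(" ", 1)[0].upper()
                if verb in ("EHLO", "HELO"):
                    conn.sendall(b"250 fake\r\n")
                elif verb == "RCPT":
                    to = line.split(":", 1)[1].strip("<> ")
                    ok = open_relay or to.lower().endswith("@" + local_domain)
                    conn.sendall(b"250 OK\r\n" if ok else b"550 5.7.1 Unable to relay\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    break
                else:  # MAIL, RSET, NOOP and anything else
                    conn.sendall(b"250 OK\r\n")

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def demo():
    """Probe one open and one closed fake server with an outside sender and
    recipient; both addresses are made up for the demo."""
    results = {}
    for label, is_open in (("open", True), ("closed", False)):
        port, thread = fake_smtp_server(open_relay=is_open)
        results[label] = probe_relay("127.0.0.1", port,
                                     "probe@elsewhere.test", "victim@elsewhere.test")
        thread.join(5)
    return results


if __name__ == "__main__":
    for label, (would_relay, code, reply) in demo().items():
        print("%s server: would relay=%s (%d %s)" % (label, would_relay, code, reply))
```

To test a real server, call probe_relay with its public address, port 25, and a sender and recipient in domains the server does not host. A 550 on RCPT is the answer you want; a 250 means anyone on the Internet can use the box to send mail, which is exactly the kind of complaint an ISP forwards as "unsolicited bounces".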
crp0499 (asker):

I had tested for that some time back.  I think the Exchange box in the DMZ didn't help.
redseatechnologies:

How recently did you discover that the box was in the DMZ?

If it was only very recently, and this is what caused the issue, shut her down; she will be chock full of virii.

(Other readers please note, this question is closely related to https://www.experts-exchange.com/questions/21482785/Windows-2003-server-and-virus-infection.html)

-red
crp0499 (asker):

I noticed just today after RR sent me the e-mail that started me looking.  It IS full of viruses.  TrendMicro cleaned off 37 of them and I'm scanning again to be sure.
crp0499 (asker):

And since we're on the subject...any thoughts on the system.rar folders I mentioned?
redseatechnologies:

I expect they will be hidden; safe mode should show them though.

And it is best to try and keep each question specific to what it is about; other people may read this in the future for a solution and it would be far easier for them to read 1 question instead of 5.

-red
crp0499 (asker):

You're right...it's just that you're so FULL of useful information...and you answer so quickly.  I think I'll close this one.

redseatechnologies:

I will be just as full of information on the other questions that you have :)
crp0499 (asker):

Well, there are still two open....
:)

TrendMicro cleaned all but one.  Looks like I'll have to be behind the server to get it out in safe mode.

redseatechnologies:

Safe mode is the most effective way anyway.

TrendMicro is good, but nowhere near as good as a skilled technician in safe mode.

Thanks for the A grade.

-red
crp0499 (asker):

Thanks for the help.  I drove over (assuming you meant me when you referred to a skilled technician) and rebooted in safe mode and cleaned off that last pesky one.  I'll monitor it to see how it does over the next day or so.  Also, since the 2K3 box has a public IP, I think I'll drop a router in front of it and hide it some.