Interpreting Exchange 2K SMTP log

Please help me understand how to read this log and tell me if it looks normal or not?

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2005-07-07 00:01:33
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:01:33 64.156.132.246 EHLO - 250
00:01:33 64.156.132.246 MAIL - 250
00:01:33 64.156.132.246 RCPT - 250
00:01:36 64.156.132.246 DATA - 250
00:01:36 64.156.132.246 QUIT - 240
00:02:52 61.81.187.72 HELO - 250
00:02:52 61.81.187.72 MAIL - 250
00:02:52 61.81.187.72 RCPT - 250
00:02:55 61.81.187.72 DATA - 250
00:02:55 61.81.187.72 QUIT - 240
00:03:26 66.63.180.15 - - 0
00:03:26 66.63.180.15 QUIT - 0
00:04:05 200.125.91.12 HELO - 250
00:04:05 200.125.91.12 MAIL - 250
00:04:05 200.125.91.12 RCPT - 250
00:04:06 200.125.91.12 DATA - 250
00:04:06 200.125.91.12 QUIT - 240
00:04:33 201.254.67.222 QUIT - 240
00:04:45 62.142.5.27 - - 0
00:04:55 212.160.59.88 HELO - 250
00:04:57 212.160.59.88 MAIL - 250
00:04:59 212.160.59.88 RCPT - 250
00:05:01 200.154.55.242 - - 0
00:05:01 212.160.59.88 RCPT - 250
00:05:04 212.160.59.88 RCPT - 250
00:05:06 212.160.59.88 RCPT - 250
00:05:12 212.160.59.88 RCPT - 250
00:05:15 212.160.59.88 RCPT - 250
00:05:17 212.160.59.88 RCPT - 250
00:05:20 212.160.59.88 RCPT - 250
00:05:26 212.160.59.88 DATA - 250
00:05:29 212.160.59.88 MAIL - 250
00:05:31 212.160.59.88 RCPT - 250
00:05:33 212.160.59.88 RCPT - 250
00:05:35 212.160.59.88 RCPT - 250
00:05:37 212.160.59.88 RCPT - 250
00:05:39 212.160.59.88 RCPT - 250
00:05:45 212.160.59.88 DATA - 250
00:05:49 212.160.59.88 QUIT - 240
00:06:36 218.214.67.62 EHLO - 250
00:06:36 218.214.67.62 MAIL - 250
00:06:36 218.214.67.62 RCPT - 250
00:06:36 218.214.67.62 xexch50 - 504
00:06:38 218.214.67.62 BDAT - 250
00:06:38 218.214.67.62 QUIT - 240
00:09:17 209.73.178.149 HELO - 250
00:09:17 209.73.178.149 MAIL - 250
00:09:17 209.73.178.149 RCPT - 250
00:09:17 209.73.178.149 DATA - 250
00:09:17 209.73.178.149 QUIT - 240
00:09:47 210.245.94.189 HELO - 250
00:09:47 210.245.94.189 MAIL - 250
00:09:47 210.245.94.189 RCPT - 250
00:09:48 210.245.94.189 DATA - 250
00:09:48 210.245.94.189 QUIT - 240
00:10:03 211.171.2.141 HELO - 250
00:10:03 211.171.2.141 MAIL - 250
00:10:03 211.171.2.141 RCPT - 250
00:10:05 211.171.2.141 DATA - 250
00:10:05 211.171.2.141 QUIT - 240
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 EHLO - 0
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 MAIL - 0
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 RCPT - 0
00:10:50 202.147.57.6 - - 0
00:10:50 202.147.57.6 RSET - 0
00:10:50 202.147.57.6 - - 0
00:10:50 202.147.57.8 - - 0
00:10:50 202.147.57.8 EHLO - 0
00:10:50 202.147.57.8 - - 0
00:10:50 202.147.57.8 MAIL - 0
00:10:51 202.147.57.8 - - 0
00:10:51 202.147.57.8 RCPT - 0
00:10:51 202.147.57.8 - - 0
00:10:51 202.147.57.8 RSET - 0
00:10:51 202.147.57.8 - - 0
00:11:57 208.130.131.53 EHLO - 250
00:11:57 208.130.131.53 MAIL - 250
00:11:57 208.130.131.53 RCPT - 250
00:11:59 208.130.131.53 DATA - 250
00:11:59 208.130.131.53 QUIT - 240
00:20:37 66.218.66.46 HELO - 250
00:20:37 66.218.66.46 MAIL - 250
00:20:37 66.218.66.46 RCPT - 250
00:20:37 66.218.66.46 DATA - 250
00:20:38 66.218.66.46 QUIT - 240
00:21:39 64.156.132.246 EHLO - 250
00:21:39 64.156.132.246 MAIL - 250
00:21:39 64.156.132.246 RCPT - 250
00:21:39 64.156.132.246 DATA - 250
00:21:39 64.156.132.246 QUIT - 240
00:21:55 71.97.9.99 EHLO - 250
00:21:55 71.97.9.99 MAIL - 250
00:21:55 71.97.9.99 RCPT - 250
00:21:55 71.97.9.99 RCPT - 250
00:21:56 71.97.9.99 DATA - 250
00:21:56 71.97.9.99 MAIL - 250
00:21:56 71.97.9.99 RCPT - 250
00:21:56 71.97.9.99 RCPT - 250
00:21:56 71.97.9.99 RCPT - 250
00:21:58 71.97.9.99 DATA - 250
00:21:58 71.97.9.99 MAIL - 250
00:21:58 71.97.9.99 RCPT - 250
00:21:58 71.97.9.99 RCPT - 250
00:21:58 71.97.9.99 RCPT - 250
00:21:59 71.97.9.99 DATA - 250
00:21:59 71.97.9.99 MAIL - 250
00:21:59 71.97.9.99 RCPT - 250
00:22:00 71.97.9.99 DATA - 250
00:22:00 71.97.9.99 QUIT - 240
00:23:21 66.120.131.130 HELO - 250
00:23:23 66.120.131.130 MAIL - 250
00:23:23 66.120.131.130 RCPT - 250
00:23:30 66.120.131.130 DATA - 250
00:23:31 66.120.131.130 QUIT - 240
00:23:47 8.10.16.238 HELO - 250
00:23:47 8.10.16.238 MAIL - 250
00:23:47 8.10.16.238 RCPT - 250
00:23:47 8.10.16.238 DATA - 250
00:23:52 8.10.16.238 QUIT - 240
00:24:07 210.16.194.247 HELO - 250
00:24:07 210.16.194.247 MAIL - 250
00:24:07 210.16.194.247 RCPT - 250
00:24:11 210.16.194.247 DATA - 250
00:24:11 210.16.194.247 QUIT - 240
00:25:37 216.139.147.19 HELO - 250
00:25:37 216.139.147.19 MAIL - 250
00:25:37 216.139.147.19 RCPT - 250
00:25:37 216.139.147.19 DATA - 250
00:25:37 216.139.147.19 QUIT - 240
00:25:52 67.141.109.191 HELO - 250
00:25:52 67.141.109.191 MAIL - 250
00:25:54 67.141.109.191 RCPT - 250
00:25:54 67.141.109.191 DATA - 250
00:25:55 67.141.109.191 QUIT - 240
00:26:30 24.79.93.62 HELO - 250
00:26:30 24.79.93.62 MAIL - 250
00:26:30 24.79.93.62 RCPT - 250
00:26:30 24.79.93.62 DATA - 250
00:26:30 24.79.93.62 QUIT - 240
00:26:34 70.35.138.156 HELO - 250
00:26:34 70.35.138.156 MAIL - 250
00:26:34 70.35.138.156 RCPT - 250
00:26:35 70.35.138.156 DATA - 250
00:26:37 70.35.138.156 QUIT - 240
crp0499CEOAsked:

redseatechnologiesCommented:
Hi crp0499,

AT          This Machine      Connected   Your server said OK
00:01:33    64.156.132.246    EHLO -      250

Their server said who the mail is from
00:01:33 64.156.132.246 MAIL - 250

who it is going to
00:01:33 64.156.132.246 RCPT - 250

what is in it
00:01:36 64.156.132.246 DATA - 250

and then left
00:01:36 64.156.132.246 QUIT - 240 (240 = Bye)

it looks ok, you did receive a big email to multiple recipients from 212.160.59.88 (look for it, multiple RCPT commands)

was there something specific that concerned you?

hope that helps

-red
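The answer above reads the log by eye: the `#Fields` line names the columns (time, client IP, SMTP verb, URI stem, reply status), one line per verb, and a session with many `RCPT` lines stands out. The Python below is an added example, not code from the thread or from Microsoft, that does the same reading mechanically: it takes the column names from the `#Fields` directive, groups lines into per-client sessions (sessions interleave in the log, as 200.154.55.242 does inside the 212.160.59.88 session), and flags sessions with many recipients per message, runs where no reply code was logged at all, rejected commands, and verbs outside the usual SMTP set such as the `xexch50` that drew a 504. The embedded log is a constructed subset of the lines in the question; the recipient threshold of 5 is an assumed tuning value.

```python
"""Summarise per-client sessions in an IIS 5.0 SMTP (Exchange 2000) W3C log."""

# Constructed sample in the same #Fields layout as the log in the question:
# a subset of its lines, with the 212.160.59.88 session shortened.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:01:33 64.156.132.246 EHLO - 250
00:01:33 64.156.132.246 MAIL - 250
00:01:33 64.156.132.246 RCPT - 250
00:01:36 64.156.132.246 DATA - 250
00:01:36 64.156.132.246 QUIT - 240
00:04:55 212.160.59.88 HELO - 250
00:04:57 212.160.59.88 MAIL - 250
00:04:59 212.160.59.88 RCPT - 250
00:05:01 212.160.59.88 RCPT - 250
00:05:04 212.160.59.88 RCPT - 250
00:05:06 212.160.59.88 RCPT - 250
00:05:12 212.160.59.88 RCPT - 250
00:05:15 212.160.59.88 RCPT - 250
00:05:26 212.160.59.88 DATA - 250
00:05:29 212.160.59.88 MAIL - 250
00:05:31 212.160.59.88 RCPT - 250
00:05:33 212.160.59.88 RCPT - 250
00:05:45 212.160.59.88 DATA - 250
00:05:49 212.160.59.88 QUIT - 240
00:06:36 218.214.67.62 EHLO - 250
00:06:36 218.214.67.62 MAIL - 250
00:06:36 218.214.67.62 RCPT - 250
00:06:36 218.214.67.62 xexch50 - 504
00:06:38 218.214.67.62 BDAT - 250
00:06:38 218.214.67.62 QUIT - 240
00:10:45 202.147.57.6 - - 0
00:10:45 202.147.57.6 EHLO - 0
00:10:45 202.147.57.6 MAIL - 0
00:10:45 202.147.57.6 RCPT - 0
"""

STANDARD_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "BDAT", "RSET", "QUIT", "NOOP", "VRFY", "AUTH"}

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #Fields directive")
            parts = line.split()
            if len(parts) == len(fields):        # skip malformed lines rather than misalign columns
                row = dict(zip(fields, parts))
                row["sc-status"] = int(row["sc-status"])
                yield row

def sessions(rows):
    """Group rows per client IP (sessions interleave in the log); a QUIT closes one.
    Clients that never QUIT, like the all-zero runs, are returned unfinished."""
    active, done = {}, []
    for row in rows:
        ip = row["c-ip"]
        s = active.setdefault(ip, {"ip": ip, "start": row["time"], "rows": []})
        s["rows"].append(row)
        if row["cs-method"] == "QUIT":
            done.append(active.pop(ip))
    return done + list(active.values())

def accepted(row, *verbs):
    return row["cs-method"] in verbs and row["sc-status"] == 250

def summarize(session, rcpt_threshold=5):
    """Counts plus review flags for one session; rcpt_threshold is an assumed tuning value."""
    rows = session["rows"]
    max_rcpt = cur = 0
    for r in rows:                  # recipients per message: accepted RCPTs between MAIL and DATA/BDAT
        if r["cs-method"] == "MAIL":
            cur = 0
        elif accepted(r, "RCPT"):
            cur += 1
        elif r["cs-method"] in ("DATA", "BDAT"):
            max_rcpt = max(max_rcpt, cur)
    out = {"ip": session["ip"], "start": session["start"],
           "messages": sum(accepted(r, "DATA", "BDAT") for r in rows),
           "rcpt": sum(accepted(r, "RCPT") for r in rows),
           "max_rcpt_per_message": max_rcpt, "flags": []}
    if max_rcpt > rcpt_threshold:
        out["flags"].append("many recipients per message")
    if all(r["sc-status"] == 0 for r in rows):
        out["flags"].append("no reply codes logged")        # nothing answered, or the client dropped
    if any(r["sc-status"] >= 400 for r in rows):
        out["flags"].append("rejected command")
    odd = sorted({r["cs-method"] for r in rows
                  if r["cs-method"] != "-" and r["cs-method"].upper() not in STANDARD_VERBS})
    if odd:
        out["flags"].append("non-standard verb: " + ", ".join(odd))
    return out

def analyze(text, rcpt_threshold=5):
    return [summarize(s, rcpt_threshold) for s in sessions(parse_w3c(text))]

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

Point `analyze()` at the whole log file rather than the sample and sort the result by `rcpt` or `messages` to get the same list red built by hand: the two multi-recipient senders come out on top, and the clients that never got a reply code show up as unfinished sessions instead of being lost in the noise.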

crp0499CEOAuthor Commented:
Thanks Red for the reply.  I got an e-mail from RR today telling me there were some complaints about my IP...something about unsolicited bounce and they told me to clean it up.  I was looking at the log making sure nothing fishy was going on.  I'm also scanning for viruses too.
redseatechnologiesCommented:
Ahhh yes, I am helping you on the virus thing in another question.

go to

http://scan.sygate.com

and do a complete scan to make sure there is nothing open there (that shouldn't be).

I don't know of any free open relay tests, but as you suggested in the other question, shutting down SMTP may be a good idea until you get access to it.

-red

crp0499CEOAuthor Commented:
So the log simply reflects mail coming in like it's supposed to?  You see nothing strange that might point to the unsolicited bounces?
redseatechnologiesCommented:
How long is a piece of string? It is totally open to interpretation.

Looking at it again, there is definitely the possibility of you being an open relay.

You have 2 servers that connect and send to multiple recipients (71.97.9.99 and 212.160.59.88).

Checking those, neither is listed as a relay, but the first one is a DSL account (not a good sign) and the second one is from Poland (also not a good sign unless you work with that country).

go to www.ordb.org and list yourself to be tested as an open relay

-red
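The open-relay test red points at (ORDB, which has since shut down) did one simple thing: connect from outside, claim an outside sender, ask for an outside recipient, and see whether the `RCPT TO` gets a 250 or a 550. The Python below is an added example, not from the thread and not a Microsoft or ORDB tool, that performs that exchange and prints both sides of it. To make it runnable offline it also carries a small fake SMTP responder that can be switched between "refuses relay" and "relays for anyone"; the fake server, its single local domain (`crpoe.com`, taken from the banner later in the thread), and the probe addresses are assumptions for the demo. `relay_test()` is the part you would point at your own server.

```python
"""Open-relay probe for an SMTP server, with an in-process fake server for the demo."""
import socket
import socketserver
import threading

# Assumed for the demo: the one domain the fake server accepts mail for.
LOCAL_DOMAINS = {"crpoe.com"}

class FakeSmtpHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder.  With server.open_relay False it answers RCPT TO for a
    foreign domain with 550, which is what a correctly configured server does; with it
    True it relays for anyone.  Stand-in only, not Exchange's behaviour in detail."""
    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        self.reply("220 test.local ESMTP")
        while True:
            raw = self.rfile.readline()
            if not raw:
                break
            cmd = raw.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.reply("250 test.local")
            elif verb == "MAIL":
                self.reply("250 OK")
            elif verb == "RCPT":
                addr = cmd.split(":", 1)[1].strip().strip("<>")
                domain = addr.rpartition("@")[2].lower()
                if self.server.open_relay or domain in LOCAL_DOMAINS:
                    self.reply("250 OK")
                else:
                    self.reply("550 5.7.1 Unable to relay")
            elif verb == "QUIT":
                self.reply("221 Bye")
                break
            else:
                self.reply("502 Command not implemented")

def read_reply(f):
    """Read one SMTP reply, including 250-... continuation lines from real servers."""
    lines = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(lines)

def relay_test(host, port, sender="probe@example.org", recipient="probe@example.net"):
    """Claim an outside sender and ask for an outside recipient.  Returns
    (relayed, transcript): relayed is True when RCPT TO got a 250, i.e. the server
    agreed to carry a stranger's mail.  The probe stops before DATA, so nothing is sent."""
    transcript, code = [], 0
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rb")
        transcript.append(read_reply(f)[1])                   # 220 banner
        for line in ("EHLO probe.example.org", f"MAIL FROM:<{sender}>", f"RCPT TO:<{recipient}>"):
            s.sendall(line.encode("ascii") + b"\r\n")
            code, text = read_reply(f)
            transcript += ["> " + line, text]
            if code != 250:
                break
        s.sendall(b"QUIT\r\n")
        transcript.append(read_reply(f)[1])
        f.close()
    return code == 250, transcript

def run_demo(open_relay, recipient="probe@example.net"):
    """Start the fake server on a loopback port, probe it, shut it down."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSmtpHandler)
    srv.open_relay = open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return relay_test("127.0.0.1", srv.server_address[1], recipient=recipient)
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    for open_relay in (False, True):
        relayed, transcript = run_demo(open_relay)
        print(f"open_relay={open_relay}: relayed={relayed}")
        print("\n".join(transcript), end="\n\n")
```

Run the probe from a host outside your own network, because an Exchange 2000 server that only relays for its own subnet will look closed from inside it; and only probe servers you are responsible for, since even though no message is sent the attempt is logged on the far end. A server that accepts `RCPT TO` for its own domain but answers 550 for everyone else, as the `crpoe.com` case below shows, is the result you want.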
crp0499CEOAuthor Commented:
This is what Sygate replied with. Look ok?

This is the public IP address that is visible to the internet.
Note: this may not be your IP address if you are connecting through a router, proxy or firewall.

Trying to gather information from your web browser...
Operating System = Windows 2000
Browser = Microsoft Internet Explorer 6.0

Trying to find out your computer name...
Unable to determine your computer name!

Trying to find out what services you are running...
FTP Server Open = 220 win2kserver Microsoft FTP Service (Version 5.0).
POP3 Mail Server Found = +OK Microsoft Exchange 2000 POP3 server version 6.0.6249.0 (win2kserver.crpoe.com) ready.
SMTP Mail Server Found = 220 win2kserver.crpoe.com Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Wed, 6 Jul 2005 20:01:39 -0500
crp0499CEOAuthor Commented:
Does it look like those two referenced earlier were successful in sending mail from my server?
redseatechnologiesCommented:
You are not an open relay (thankfully).

So that is at least some good news; I doubt that people were sending from your mailserver.

-red
crp0499CEOAuthor Commented:
I had tested for that some time back.  I think the Exchange box in the DMZ didn't help.
redseatechnologiesCommented:
How recently did you discover that the box was in the DMZ?

If it was only very recently, and this is what caused the issue, shut her down; she will be chock full of viruses.

(other readers please note, this question is closely related to http://www.experts-exchange.com/Operating_Systems/Win2000/Q_21482785.html)

-red
crp0499CEOAuthor Commented:
I noticed just today after RR sent me the e-mail that started me looking. It IS full of viruses. TrendMicro cleaned off 37 of them and I'm scanning again to be sure.
crp0499CEOAuthor Commented:
And since we're on the subject...any thoughts on the system.rar folders I mentioned?
redseatechnologiesCommented:
I expect they will be hidden; safe mode should show them though.

And it is best to try and keep each question specific to what it is about; other people may read this in the future for a solution and it would be far easier for them to read 1 question instead of 5.

-red
crp0499CEOAuthor Commented:
You're right...it's just you so FULL of useful information...and you answer so quickly.  I think I'll close this one.
redseatechnologiesCommented:
I will be just as full of information on the other questions that you have :)
crp0499CEOAuthor Commented:
Well, there are still two open....
:)

TrendMicro cleaned all but one. Looks like I'll have to be behind the server to get it out in safe mode.
redseatechnologiesCommented:
Safe mode is the most effective way anyway.

TrendMicro is good, but nowhere near as good as a skilled technician in safe mode.

thanks for the A grade

-red
crp0499CEOAuthor Commented:
Thanks for the help.  I drove over (assuming you meant me when you referred to a skilled technician) and rebooted in safe mode and cleaned off that last pesky one.  I'll monitor it to see how it does over the next day or so.  Also, since the 2K3 box has a public IP, I think I'll drop a router in front of it and hide it some.
