ITGeneral

Exchange 2010 SPAM email - open relay?

I received an email from a contractor the other day who is concerned about SPAM that he is receiving from our mail server. Below is the header info from the email; is anyone able to figure out how this email is getting generated? We do have a couple of Receive Connectors that don't use authentication because they are for equipment that is not on our domain (and impossible to get to from the outside unless you are VPN'd in), so they allow anonymous users to send notifications out; however, I do have specific networks specified from which the mail server should only be allowing relaying. My concern is that somehow someone is able to get through my ASA and generate emails using this connector.

Testing for open relays has shown that I have none, but I'm particularly concerned about this vulnerability ("Return of the open relays"). We are running an ASA security appliance.

Received: from Brockman.shec.com (216.223.90.70) by
remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Resent-From: <scada@sudburyhydro.com>
Received: from host-49-130.pool.intred.it (62.97.49.130) by Brockman.shec.com
(10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746]
helo=host-49-130.pool.intred.it)              by 8C43899A (envelope-from
<scada6196@intred.it>)               (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
                id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
Date: Fri, 25 Jul 2014 09:42:02 +0200
From: NewSlimBody Daily <scada6196@intred.it>
Sender: <scada6196@intred.it>
To: <scada@sudburyhydro.com>
Message-ID: <9367794711.7738299520350196947.JavaMail.root@host-49-130.pool.intred.it>
Subject: Keeping fit is nothing special now!
Errors-To: scada6196@intred.it
MIME-Version: 1.0
Content-Type: multipart/alternative;
                boundary="----=_Part_80294_3251653292.9842774491692"
List-Unsubscribe: <https://intred.it/app/optOut/noConfirm/471666848/f92c7a48c7d205b5fd>
Return-Path: scada6196@intred.it
X-TM-AS-Product-Ver: SMEX-11.1.0.1239-7.500.1018-20838.000
X-TM-AS-Result: Yes-73.039900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
X-MS-Exchange-Organization-AuthSource: CASVR1.costelloassoc.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: sudburyhydro.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (CASVR1.costelloassoc.local: scada@sudburyhydro.com does
not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13306.465;SID:SenderIDStatus None;OrigIP:216.223.90.70


Simon Butler (Sembee)

Doesn't have to be an open relay.
The most likely cause is authenticated relay. One of your accounts has been compromised and is being abused. Logging on the Receive Connectors and the Exchange server itself (Security log) may well show the target account. Administrator is the usual one they go after unless a phishing email was successful.

Simon.
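As an added example (not code from this thread or from Simon), the following Python script does the log check suggested above against Exchange 2010 receive-connector protocol logs, in the CSV layout visible in the RECV log excerpt posted further down. It pairs each server reply with the pipelined client command it answers, records whether a session authenticated and as which account (the first AUTH LOGIN blob the client sends is the base64 username), and flags any accepted RCPT TO outside the accepted domains, which is a relay whether the connector permitted it anonymously or an account was abused for it. The sample log, the session ids and the LOCAL_DOMAINS set are constructed assumptions; the remote IPs are documentation ranges.

```python
"""Per-session summary of an Exchange 2010 receive-connector protocol log.
Added example, not code from the thread. The field layout follows the RECV
log excerpt in the thread; SAMPLE_LOG is constructed and LOCAL_DOMAINS is an
assumption taken from the headers in the question."""
import base64
import csv
import re
from collections import deque

LOCAL_DOMAINS = {"shec.com", "sudburyhydro.com"}   # assumed accepted domains
ADDR_RE = re.compile(r"<([^>]*)>")

# Constructed sample in the thread's log format; remote IPs are RFC 5737 ranges.
SAMPLE_LOG = r"""#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,S1,3,10.1.1.4:25,198.51.100.7:3884,<,EHLO bulk-sender.example.net,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,S1,4,10.1.1.4:25,198.51.100.7:3884,>,250-Brockman.shec.com Hello [198.51.100.7],
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,S1,5,10.1.1.4:25,198.51.100.7:3884,>,250 XSHADOW,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,S1,6,10.1.1.4:25,198.51.100.7:3884,<,MAIL FROM:<reid3a7c@example.org>,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,S1,7,10.1.1.4:25,198.51.100.7:3884,<,RCPT TO:<nobody@shec.com>,
2014-08-01T18:53:15.016Z,BROCKMAN\Default BROCKMAN,S1,8,10.1.1.4:25,198.51.100.7:3884,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:25.016Z,BROCKMAN\Default BROCKMAN,S1,9,10.1.1.4:25,198.51.100.7:3884,>,250 2.1.0 Sender OK,
2014-08-01T18:53:25.016Z,BROCKMAN\Default BROCKMAN,S1,10,10.1.1.4:25,198.51.100.7:3884,>,550 5.1.1 User unknown,
2014-08-01T18:54:01.000Z,BROCKMAN\Default BROCKMAN,S2,0,10.1.1.4:25,203.0.113.9:51211,+,,
2014-08-01T18:54:01.000Z,BROCKMAN\Default BROCKMAN,S2,1,10.1.1.4:25,203.0.113.9:51211,>,220 mail.gsuinc.ca,
2014-08-01T18:54:01.100Z,BROCKMAN\Default BROCKMAN,S2,2,10.1.1.4:25,203.0.113.9:51211,<,EHLO [203.0.113.9],
2014-08-01T18:54:01.100Z,BROCKMAN\Default BROCKMAN,S2,3,10.1.1.4:25,203.0.113.9:51211,>,250 Brockman.shec.com Hello [203.0.113.9],
2014-08-01T18:54:01.200Z,BROCKMAN\Default BROCKMAN,S2,4,10.1.1.4:25,203.0.113.9:51211,<,AUTH LOGIN,
2014-08-01T18:54:01.200Z,BROCKMAN\Default BROCKMAN,S2,5,10.1.1.4:25,203.0.113.9:51211,>,334 VXNlcm5hbWU6,
2014-08-01T18:54:01.300Z,BROCKMAN\Default BROCKMAN,S2,6,10.1.1.4:25,203.0.113.9:51211,<,c2NhZGE=,
2014-08-01T18:54:01.300Z,BROCKMAN\Default BROCKMAN,S2,7,10.1.1.4:25,203.0.113.9:51211,>,334 UGFzc3dvcmQ6,
2014-08-01T18:54:01.400Z,BROCKMAN\Default BROCKMAN,S2,8,10.1.1.4:25,203.0.113.9:51211,<,cGFzc3dvcmQ=,
2014-08-01T18:54:01.500Z,BROCKMAN\Default BROCKMAN,S2,9,10.1.1.4:25,203.0.113.9:51211,>,235 2.7.0 Authentication successful,
2014-08-01T18:54:01.600Z,BROCKMAN\Default BROCKMAN,S2,10,10.1.1.4:25,203.0.113.9:51211,<,MAIL FROM:<scada@shec.com>,
2014-08-01T18:54:01.600Z,BROCKMAN\Default BROCKMAN,S2,11,10.1.1.4:25,203.0.113.9:51211,<,RCPT TO:<victim@example.net>,
2014-08-01T18:54:01.600Z,BROCKMAN\Default BROCKMAN,S2,12,10.1.1.4:25,203.0.113.9:51211,<,DATA,
2014-08-01T18:54:01.700Z,BROCKMAN\Default BROCKMAN,S2,13,10.1.1.4:25,203.0.113.9:51211,>,250 2.1.0 Sender OK,
2014-08-01T18:54:01.700Z,BROCKMAN\Default BROCKMAN,S2,14,10.1.1.4:25,203.0.113.9:51211,>,250 2.1.5 Recipient OK,
2014-08-01T18:54:01.700Z,BROCKMAN\Default BROCKMAN,S2,15,10.1.1.4:25,203.0.113.9:51211,>,354 Start mail input; end with <CRLF>.<CRLF>,
2014-08-01T18:55:10.100Z,BROCKMAN\Default BROCKMAN,S3,2,10.1.1.4:25,192.0.2.44:40022,<,EHLO mx.example.com,
2014-08-01T18:55:10.100Z,BROCKMAN\Default BROCKMAN,S3,3,10.1.1.4:25,192.0.2.44:40022,>,250 Brockman.shec.com Hello [192.0.2.44],
2014-08-01T18:55:10.200Z,BROCKMAN\Default BROCKMAN,S3,4,10.1.1.4:25,192.0.2.44:40022,<,MAIL FROM:<partner@example.com>,
2014-08-01T18:55:10.200Z,BROCKMAN\Default BROCKMAN,S3,5,10.1.1.4:25,192.0.2.44:40022,<,RCPT TO:<reid@shec.com>,
2014-08-01T18:55:10.300Z,BROCKMAN\Default BROCKMAN,S3,6,10.1.1.4:25,192.0.2.44:40022,>,250 2.1.0 Sender OK,
2014-08-01T18:55:10.300Z,BROCKMAN\Default BROCKMAN,S3,7,10.1.1.4:25,192.0.2.44:40022,>,250 2.1.5 Recipient OK,
"""


def parse_sessions(text):
    """Group rows by session id and pair each server reply with the client command
    it answers via a FIFO: Exchange takes pipelined commands and replies later."""
    sessions, state = {}, {}
    for row in csv.reader(text.splitlines()):
        if len(row) < 8 or row[0].startswith("#"):
            continue
        sid, remote, event, data = row[2], row[5], row[6], row[7]
        s = sessions.setdefault(sid, {"remote_ip": remote.rsplit(":", 1)[0], "auth": "none",
                                      "auth_user": None, "rcpts": [], "reached_data": False,
                                      "tarpits": 0})
        st = state.setdefault(sid, {"pending": deque(), "in_auth": False, "blobs": 0})
        if event == "<":                                        # client -> server
            if st["in_auth"]:                                   # AUTH LOGIN: username blob, then password
                st["blobs"] += 1
                if st["blobs"] == 1:                            # decode the username only (NTLM blobs are not usernames)
                    s["auth_user"] = base64.b64decode(data).decode("utf-8", "replace")
                st["pending"].append(("AUTHDATA", data))
                continue
            verb = data.split(" ", 1)[0].split(":")[0].upper()
            if verb == "AUTH":
                st["in_auth"] = True
            st["pending"].append((verb, data))                  # every command gets exactly one reply
        elif event == ">":                                      # server -> client
            code = data[:3]
            if not code.isdigit() or data[3:4] == "-" or not st["pending"]:
                continue                                        # multi-line continuation or banner
            verb, arg = st["pending"].popleft()
            if verb == "RCPT":
                m = ADDR_RE.search(arg)
                s["rcpts"].append((m.group(1) if m else arg, code))
            elif verb == "DATA" and code == "354":
                s["reached_data"] = True
            elif verb in ("AUTH", "AUTHDATA") and code != "334":
                st["in_auth"] = False
                s["auth"] = "ok" if code == "235" else "failed"
        elif event == "*" and data.startswith("Tarpit"):        # Exchange stalls before sending a 5xx
            s["tarpits"] += 1
    return sessions


def findings(sessions):
    """Accepted RCPT outside LOCAL_DOMAINS = relay (open or authenticated);
    refused recipients from one host = harvesting/spam probes worth blocking."""
    out = []
    for sid, s in sessions.items():
        for addr, code in s["rcpts"]:
            if code.startswith("25") and addr.rpartition("@")[2].lower() not in LOCAL_DOMAINS:
                out.append({"session": sid, "remote": s["remote_ip"], "kind": "relay",
                            "auth_user": s["auth_user"], "rcpt": addr})
        refused = sum(code.startswith("5") for _, code in s["rcpts"])
        if refused:
            out.append({"session": sid, "remote": s["remote_ip"], "kind": "refused_rcpt", "count": refused})
    return out
```

Point it at the files under TransportRoles\Logs\ProtocolLog\SmtpReceive on the Hub Transport server (the connector's protocol logging level has to be Verbose first). A "relay" finding with auth_user set names the account to reset and check for mailbox rules; one with auth_user empty means the connector accepted an anonymous relay from that IP, so its permission groups and RemoteIPRanges are what to look at. Sessions that only rack up refused_rcpt are the directory-harvest noise the tarpit is there for.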
ITGeneral


Well, not sure if this helps or not, but something is definitely up. I'm looking at the queue viewer and there are tons of messages sitting in the queue. The From address is just "<>"; most messages are showing a "400 4.4.7 Message Delayed" error. Looking at the Messages queue, it's quite obvious that it's spam.

Are you aware of any good articles that detail how to track down the source?

I should note as well that AntiSpam is turned on and I have enabled the "Block messages sent to recipients that do not exist in the directory" option.
Sorry for the double post; for some reason I can't edit. Anyway, I read another thread that you helped out on here:

https://www.experts-exchange.com/questions/28401472/Is-my-server-sending-SPAM.html

So that sounds like normal(?) traffic. I've got probably a few hundred messages sitting in various "queues", all with the "451 4.4.0 Primary target IP address responded with: 421 4.2.1 unable to connect..." error.

To be honest, I'm not really concerned about these ones, I don't think, as at least they're still stuck in queues. The original message is still my biggest concern, as it actually went out.
If the messages are < > then those are NDRs.

Is Exchange your primary delivery point? Do your MX records point directly at Exchange?

Simon.
Yes they do.

Considering the recipient filtering I've got set though should it not be dropping anything that is not listed in my address book?

An example of one of the queues (screenshot not reproduced)
Example message (screenshot not reproduced)
Why not test it yourself using telnet?
If you telnet in to your server and attempt to send to an address you don't have, it should throw it back. If it accepts the message then recipient filtering isn't working.

Simon.
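Simon's telnet test, written out as an added example (not part of the thread) so that the two different answers can be told apart: a RCPT TO for an address in someone else's domain tests relaying and should draw "550 5.7.1 Unable to relay", while a RCPT TO for a made-up user in your own domain tests recipient filtering and should draw "550 5.1.1 User unknown" after the tarpit delay (the receive log later in the thread shows a 10 second tarpit, so the socket timeout has to be longer than that). probe() drives any object with the smtplib.SMTP interface; FakeExchange is a constructed stand-in that models the two connector settings so the script runs offline, and probe_live() is the real call. Run it from an address outside the LAN: the internal receive connectors described in the question accept anonymous mail from specific networks, so a test from inside does not exercise the Internet-facing connector.

```python
"""Live check of relaying and recipient filtering on an SMTP listener.
Added example, not from the thread. probe() drives anything with the
smtplib.SMTP interface; FakeExchange is a constructed stand-in for an
Exchange 2010 receive connector so the logic can be exercised offline."""
import smtplib
import uuid


def probe(smtp, our_domain, external_domain="example.net", sender="relaytest@example.org"):
    """Two RCPT TO checks. A properly configured Internet-facing connector
    answers 550 5.7.1 to the relay attempt and 550 5.1.1 (after its tarpit
    delay) to the unknown local recipient; a 250 to either is a finding."""
    result = {}
    smtp.ehlo()
    smtp.mail(sender)                                   # external sender, no AUTH
    code, msg = smtp.rcpt("nobody@" + external_domain)  # external recipient: relay test
    result["open_relay"] = code == 250
    result["relay_reply"] = _text(code, msg)
    smtp.rset()
    bogus = "probe-%s@%s" % (uuid.uuid4().hex[:10], our_domain)   # cannot exist in the directory
    smtp.mail(sender)
    code, msg = smtp.rcpt(bogus)                        # local recipient: recipient-filter test
    result["recipient_filtering"] = code != 250
    result["rcpt_reply"] = _text(code, msg)
    smtp.quit()
    return result


def _text(code, msg):
    if isinstance(msg, bytes):
        msg = msg.decode("ascii", "replace")
    return "%d %s" % (code, msg)


class FakeExchange:
    """Scripted responder (constructed) modelling the two connector settings
    under test: relay = anonymous relay permitted; recipient_filter = the
    'Block messages sent to recipients that do not exist in the directory' option."""

    def __init__(self, local_domains, known_users, relay=False, recipient_filter=True):
        self.local_domains, self.known_users = set(local_domains), set(known_users)
        self.relay, self.recipient_filter = relay, recipient_filter
        self.transcript = []

    def ehlo(self, name="probe"):
        return 250, b"Brockman.shec.com Hello"

    def mail(self, sender, options=()):
        self.transcript.append("MAIL FROM:<%s>" % sender)
        return 250, b"2.1.0 Sender OK"

    def rcpt(self, recip, options=()):
        self.transcript.append("RCPT TO:<%s>" % recip)
        local, _, domain = recip.partition("@")
        if domain.lower() not in self.local_domains:     # relay decision
            return (250, b"2.1.5 Recipient OK") if self.relay else (550, b"5.7.1 Unable to relay")
        if self.recipient_filter and local.lower() not in self.known_users:
            return 550, b"5.1.1 User unknown"            # Exchange 2010 recipient-filter reply
        return 250, b"2.1.5 Recipient OK"

    def rset(self):
        return 250, b"2.0.0 Resetting"

    def quit(self):
        return 221, b"2.0.0 Service closing transmission channel"


def probe_live(host, our_domain, port=25, timeout=60):
    """Real run against a server; the timeout must outlast the connector's tarpit."""
    return probe(smtplib.SMTP(host, port, timeout=timeout), our_domain)
```

With both checks passing, "unable to relay" alone is not proof that recipient filtering works; only the second reply answers that question, and it is the one that decides whether the queue fills with NDRs for non-existent users.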
OK, so I logged in via telnet and I get "unable to relay".

I checked the default receive connector that I turned verbose logging up on and found a lot of this kind of thing:

2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,3,10.1.1.4:25,77.234.230.227:1409,<,EHLO ppp-77-234-230-227.dsidata.sk,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,4,10.1.1.4:25,77.234.230.227:1409,>,250-Brockman.shec.com Hello [77.234.230.227],
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,5,10.1.1.4:25,77.234.230.227:1409,>,250-SIZE,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,6,10.1.1.4:25,77.234.230.227:1409,>,250-PIPELINING,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,7,10.1.1.4:25,77.234.230.227:1409,>,250-DSN,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,8,10.1.1.4:25,77.234.230.227:1409,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,9,10.1.1.4:25,77.234.230.227:1409,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,10,10.1.1.4:25,77.234.230.227:1409,>,250-AUTH NTLM,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,11,10.1.1.4:25,77.234.230.227:1409,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,12,10.1.1.4:25,77.234.230.227:1409,>,250-8BITMIME,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,13,10.1.1.4:25,77.234.230.227:1409,>,250-BINARYMIME,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,14,10.1.1.4:25,77.234.230.227:1409,>,250-CHUNKING,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,15,10.1.1.4:25,77.234.230.227:1409,>,250-XEXCH50,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,16,10.1.1.4:25,77.234.230.227:1409,>,250-XRDST,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,17,10.1.1.4:25,77.234.230.227:1409,>,250 XSHADOW,
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,18,10.1.1.4:25,77.234.230.227:1409,<,MAIL FROM:<ldeadbb32@ppp-77-234-230-227.dsidata.sk>,
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,19,10.1.1.4:25,77.234.230.227:1409,*,08D16F6AD428365C;2014-08-01T18:53:14.080Z;1,receiving message
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,20,10.1.1.4:25,77.234.230.227:1409,<,RCPT TO:<ldead@shec.com>,
2014-08-01T18:53:14.470Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,21,10.1.1.4:25,77.234.230.227:1409,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,22,10.1.1.4:25,67.211.119.59:63340,>,250 2.1.0 Sender OK,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,23,10.1.1.4:25,67.211.119.59:63340,>,550 5.7.1 Your email messages have been blocked by the recipient OR by Trend Micro Email Reputation Service. Contact the recipient or his/her administrator using alternate means to resolve the issue.,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,24,10.1.1.4:25,67.211.119.59:63340,<,DATA,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,25,10.1.1.4:25,67.211.119.59:63340,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,0,10.1.1.4:25,190.190.5.41:3884,+,,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,1,10.1.1.4:25,190.190.5.41:3884,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,2,10.1.1.4:25,190.190.5.41:3884,>,220 mail.gsuinc.ca,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,26,10.1.1.4:25,216.136.68.30:37379,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,27,10.1.1.4:25,216.136.68.30:37379,<,QUIT,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,28,10.1.1.4:25,216.136.68.30:37379,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,29,10.1.1.4:25,216.136.68.30:37379,-,,Local
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,3,10.1.1.4:25,190.190.5.41:3884,<,EHLO 41-5-190-190.cab.prima.net.ar,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,4,10.1.1.4:25,190.190.5.41:3884,>,250-Brockman.shec.com Hello [190.190.5.41],
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,5,10.1.1.4:25,190.190.5.41:3884,>,250-SIZE,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,6,10.1.1.4:25,190.190.5.41:3884,>,250-PIPELINING,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,7,10.1.1.4:25,190.190.5.41:3884,>,250-DSN,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,8,10.1.1.4:25,190.190.5.41:3884,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,9,10.1.1.4:25,190.190.5.41:3884,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,10,10.1.1.4:25,190.190.5.41:3884,>,250-AUTH NTLM,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,11,10.1.1.4:25,190.190.5.41:3884,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,12,10.1.1.4:25,190.190.5.41:3884,>,250-8BITMIME,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,13,10.1.1.4:25,190.190.5.41:3884,>,250-BINARYMIME,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,14,10.1.1.4:25,190.190.5.41:3884,>,250-CHUNKING,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,15,10.1.1.4:25,190.190.5.41:3884,>,250-XEXCH50,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,16,10.1.1.4:25,190.190.5.41:3884,>,250-XRDST,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,17,10.1.1.4:25,190.190.5.41:3884,>,250 XSHADOW,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,26,10.1.1.4:25,85.182.202.114:18178,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,27,10.1.1.4:25,85.182.202.114:18178,<,QUIT,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,28,10.1.1.4:25,85.182.202.114:18178,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,29,10.1.1.4:25,85.182.202.114:18178,-,,Local
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,18,10.1.1.4:25,190.190.5.41:3884,<,MAIL FROM:<reid3a7c@1kmiles.com>,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,19,10.1.1.4:25,190.190.5.41:3884,*,08D16F6AD428365F;2014-08-01T18:53:14.517Z;1,receiving message
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,20,10.1.1.4:25,190.190.5.41:3884,<,RCPT TO:<reid@shec.com>,
2014-08-01T18:53:15.016Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,21,10.1.1.4:25,190.190.5.41:3884,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,26,10.1.1.4:25,90.164.125.140:53284,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,27,10.1.1.4:25,90.164.125.140:53284,<,QUIT,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,28,10.1.1.4:25,90.164.125.140:53284,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,29,10.1.1.4:25,90.164.125.140:53284,-,,Local
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,3,10.1.1.4:25,2.190.129.124:51312,<,EHLO [2.190.129.124],
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,4,10.1.1.4:25,2.190.129.124:51312,>,250-Brockman.shec.com Hello [2.190.129.124],
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,5,10.1.1.4:25,2.190.129.124:51312,>,250-SIZE,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,6,10.1.1.4:25,2.190.129.124:51312,>,250-PIPELINING,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,7,10.1.1.4:25,2.190.129.124:51312,>,250-DSN,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,8,10.1.1.4:25,2.190.129.124:51312,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,9,10.1.1.4:25,2.190.129.124:51312,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,10,10.1.1.4:25,2.190.129.124:51312,>,250-AUTH NTLM,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,11,10.1.1.4:25,2.190.129.124:51312,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,12,10.1.1.4:25,2.190.129.124:51312,>,250-8BITMIME,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,13,10.1.1.4:25,2.190.129.124:51312,>,250-BINARYMIME,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,14,10.1.1.4:25,2.190.129.124:51312,>,250-CHUNKING,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,15,10.1.1.4:25,2.190.129.124:51312,>,250-XEXCH50,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,16,10.1.1.4:25,2.190.129.124:51312,>,250-XRDST,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,17,10.1.1.4:25,2.190.129.124:51312,>,250 XSHADOW,
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,0,10.1.1.4:25,190.193.130.213:51326,+,,
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,1,10.1.1.4:25,190.193.130.213:51326,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,2,10.1.1.4:25,190.193.130.213:51326,>,220 mail.gsuinc.ca,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,3,10.1.1.4:25,190.193.130.213:51326,<,EHLO 213-130-193-190.cab.prima.net.ar,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,4,10.1.1.4:25,190.193.130.213:51326,>,250-Brockman.shec.com Hello [190.193.130.213],
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,5,10.1.1.4:25,190.193.130.213:51326,>,250-SIZE,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,6,10.1.1.4:25,190.193.130.213:51326,>,250-PIPELINING,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,7,10.1.1.4:25,190.193.130.213:51326,>,250-DSN,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,8,10.1.1.4:25,190.193.130.213:51326,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,9,10.1.1.4:25,190.193.130.213:51326,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,10,10.1.1.4:25,190.193.130.213:51326,>,250-AUTH NTLM,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,11,10.1.1.4:25,190.193.130.213:51326,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,12,10.1.1.4:25,190.193.130.213:51326,>,250-8BITMIME,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,13,10.1.1.4:25,190.193.130.213:51326,>,250-BINARYMIME,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,14,10.1.1.4:25,190.193.130.213:51326,>,250-CHUNKING,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,15,10.1.1.4:25,190.193.130.213:51326,>,250-XEXCH50,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,16,10.1.1.4:25,190.193.130.213:51326,>,250-XRDST,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,17,10.1.1.4:25,190.193.130.213:51326,>,250 XSHADOW,
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,18,10.1.1.4:25,190.193.130.213:51326,<,MAIL FROM:<brenden.fleming2428@andresgonzalez.net>,
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,19,10.1.1.4:25,190.193.130.213:51326,*,08D16F6AD4283660;2014-08-01T18:53:16.560Z;1,receiving message
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,20,10.1.1.4:25,190.193.130.213:51326,<,RCPT TO:<brenden.fleming@athomeenergy.ca>,
2014-08-01T18:53:17.028Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,21,10.1.1.4:25,190.193.130.213:51326,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,26,10.1.1.4:25,109.192.179.164:46942,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,27,10.1.1.4:25,109.192.179.164:46942,<,QUIT,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,28,10.1.1.4:25,109.192.179.164:46942,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,29,10.1.1.4:25,109.192.179.164:46942,-,,Local
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,26,10.1.1.4:25,84.124.149.101:59320,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,27,10.1.1.4:25,84.124.149.101:59320,<,QUIT,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,28,10.1.1.4:25,84.124.149.101:59320,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,29,10.1.1.4:25,84.124.149.101:59320,-,,Local
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,18,10.1.1.4:25,2.190.129.124:51312,<,MAIL FROM:<ryan.vareyd@kbruce.com>,
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,19,10.1.1.4:25,2.190.129.124:51312,*,08D16F6AD4283651;2014-08-01T18:53:11.989Z;1,receiving message
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,20,10.1.1.4:25,2.190.129.124:51312,<,RCPT TO:<ryan.varey@sudburyhydro.com>,
2014-08-01T18:53:17.761Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,21,10.1.1.4:25,2.190.129.124:51312,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,0,10.1.1.4:25,62.197.74.235:65307,+,,
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,1,10.1.1.4:25,62.197.74.235:65307,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,2,10.1.1.4:25,62.197.74.235:65307,>,220 mail.gsuinc.ca,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,3,10.1.1.4:25,62.197.74.235:65307,<,EHLO 62-197-74-235.teledisnet.be,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,4,10.1.1.4:25,62.197.74.235:65307,>,250-Brockman.shec.com Hello [62.197.74.235],
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,5,10.1.1.4:25,62.197.74.235:65307,>,250-SIZE,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,6,10.1.1.4:25,62.197.74.235:65307,>,250-PIPELINING,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,7,10.1.1.4:25,62.197.74.235:65307,>,250-DSN,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,8,10.1.1.4:25,62.197.74.235:65307,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,9,10.1.1.4:25,62.197.74.235:65307,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,10,10.1.1.4:25,62.197.74.235:65307,>,250-AUTH NTLM,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,11,10.1.1.4:25,62.197.74.235:65307,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,12,10.1.1.4:25,62.197.74.235:65307,>,250-8BITMIME,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,13,10.1.1.4:25,62.197.74.235:65307,>,250-BINARYMIME,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,14,10.1.1.4:25,62.197.74.235:65307,>,250-CHUNKING,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,15,10.1.1.4:25,62.197.74.235:65307,>,250-XEXCH50,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,16,10.1.1.4:25,62.197.74.235:65307,>,250-XRDST,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,17,10.1.1.4:25,62.197.74.235:65307,>,250 XSHADOW,
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,18,10.1.1.4:25,62.197.74.235:65307,<,MAIL FROM:<northerncome@62-197-74-235.teledisnet.be>,
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,19,10.1.1.4:25,62.197.74.235:65307,*,08D16F6AD4283662;2014-08-01T18:53:18.073Z;1,receiving message
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,20,10.1.1.4:25,62.197.74.235:65307,<,RCPT TO:<northerncom@shec.com>,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,21,10.1.1.4:25,62.197.74.235:65307,<,DATA,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,22,10.1.1.4:25,62.197.74.235:65307,>,250 2.1.0 Sender OK,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,23,10.1.1.4:25,62.197.74.235:65307,>,250 2.1.5 Recipient OK,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,24,10.1.1.4:25,62.197.74.235:65307,>,354 Start mail input; end with <CRLF>.<CRLF>,



I should note that none of the names/email addresses in there are actually legit (at least not the ones that appear to be from our domain). I'm thinking removing anonymous from that receive connector might help things a bit.

And some of the traffic being captured by the Send connector:

2014-08-01T20:02:20.348Z,Internet Mail(2010),08D16F6AD4285FCB,1,10.1.1.32:20982,68.171.217.250:25,+,,
2014-08-01T20:02:20.441Z,Internet Mail(2010),08D16F6AD4285FCC,1,10.1.1.32:20981,37.156.33.28:25,+,,
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,2,10.1.1.32:20982,68.171.217.250:25,<,"220-yesod.webnetnspire.com ESMTP Exim 4.82 #2 Fri, 01 Aug 2014 21:02:21 +0100 ",
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,3,10.1.1.32:20982,68.171.217.250:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,4,10.1.1.32:20982,68.171.217.250:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,5,10.1.1.32:20982,68.171.217.250:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,6,10.1.1.32:20982,68.171.217.250:25,<,250-yesod.webnetnspire.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,7,10.1.1.32:20982,68.171.217.250:25,<,250-SIZE 52428800,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,8,10.1.1.32:20982,68.171.217.250:25,<,250-8BITMIME,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,9,10.1.1.32:20982,68.171.217.250:25,<,250-PIPELINING,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,10,10.1.1.32:20982,68.171.217.250:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,11,10.1.1.32:20982,68.171.217.250:25,<,250-STARTTLS,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,12,10.1.1.32:20982,68.171.217.250:25,<,250 HELP,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,13,10.1.1.32:20982,68.171.217.250:25,>,STARTTLS,
2014-08-01T20:02:20.550Z,Internet Mail(2010),08D16F6AD4285FCD,0,,62.197.102.4:25,*,,attempting to connect
2014-08-01T20:02:20.566Z,Internet Mail(2010),08D16F6AD4285FCB,14,10.1.1.32:20982,68.171.217.250:25,<,220 TLS go ahead,
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,15,10.1.1.32:20982,68.171.217.250:25,*,,Received certificate
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,16,10.1.1.32:20982,68.171.217.250:25,*,4B9A7560F2FF65D6FF927A37897CA3BD9626042F,Certificate thumbprint
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,17,10.1.1.32:20982,68.171.217.250:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.660Z,Internet Mail(2010),08D16F6AD4285FCC,2,10.1.1.32:20981,37.156.33.28:25,<,220 mail.myspacebox.ro ESMTP Postfix,
2014-08-01T20:02:20.660Z,Internet Mail(2010),08D16F6AD4285FCC,3,10.1.1.32:20981,37.156.33.28:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,18,10.1.1.32:20982,68.171.217.250:25,<,250-yesod.webnetnspire.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,19,10.1.1.32:20982,68.171.217.250:25,<,250-SIZE 52428800,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,20,10.1.1.32:20982,68.171.217.250:25,<,250-8BITMIME,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,21,10.1.1.32:20982,68.171.217.250:25,<,250-PIPELINING,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,22,10.1.1.32:20982,68.171.217.250:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,23,10.1.1.32:20982,68.171.217.250:25,<,250 HELP,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,24,10.1.1.32:20982,68.171.217.250:25,*,1467688,sending message
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,25,10.1.1.32:20982,68.171.217.250:25,>,MAIL FROM:<> SIZE=11044,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,26,10.1.1.32:20982,68.171.217.250:25,>,RCPT TO:<infa9@selnig.com>,
2014-08-01T20:02:20.706Z,Internet Mail(2010),08D16F6AD4285FCB,27,10.1.1.32:20982,68.171.217.250:25,<,250 OK,
2014-08-01T20:02:20.706Z,Internet Mail(2010),08D16F6AD4285FCA,0,,186.1.31.37:25,*,,attempting to connect
2014-08-01T20:02:20.769Z,Internet Mail(2010),08D16F6AD4285FCB,28,10.1.1.32:20982,68.171.217.250:25,<,451 Temporary local problem - please try later,
2014-08-01T20:02:20.769Z,Internet Mail(2010),08D16F6AD4285FCB,29,10.1.1.32:20982,68.171.217.250:25,>,QUIT,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,4,10.1.1.32:20981,37.156.33.28:25,<,250-mail.myspacebox.ro,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,5,10.1.1.32:20981,37.156.33.28:25,<,250-PIPELINING,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,6,10.1.1.32:20981,37.156.33.28:25,<,250-SIZE 61440000,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,7,10.1.1.32:20981,37.156.33.28:25,<,250-ETRN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,8,10.1.1.32:20981,37.156.33.28:25,<,250-STARTTLS,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,9,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,10,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,11,10.1.1.32:20981,37.156.33.28:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,12,10.1.1.32:20981,37.156.33.28:25,<,250-8BITMIME,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,13,10.1.1.32:20981,37.156.33.28:25,<,250 DSN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,14,10.1.1.32:20981,37.156.33.28:25,>,STARTTLS,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCA,1,10.1.1.32:20984,186.1.31.37:25,+,,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCB,30,10.1.1.32:20982,68.171.217.250:25,<,221 yesod.webnetnspire.com closing connection,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCB,31,10.1.1.32:20982,68.171.217.250:25,-,,Local
2014-08-01T20:02:20.940Z,Internet Mail(2010),08D16F6AD4285FCC,15,10.1.1.32:20981,37.156.33.28:25,<,220 2.0.0 Ready to start TLS,
2014-08-01T20:02:20.940Z,Internet Mail(2010),08D16F6AD4285FCE,0,,184.172.106.42:25,*,,attempting to connect
2014-08-01T20:02:21.190Z,Internet Mail(2010),08D16F6AD4285FCA,2,10.1.1.32:20984,186.1.31.37:25,<,220 mail.ideay.net.ni ESMTP Postfix,
2014-08-01T20:02:21.190Z,Internet Mail(2010),08D16F6AD4285FCA,3,10.1.1.32:20984,186.1.31.37:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,16,10.1.1.32:20981,37.156.33.28:25,*,,Received certificate
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,17,10.1.1.32:20981,37.156.33.28:25,*,FC9BE9BACBB3F08455B4CCF2F2AC61FB7BC4F6F1,Certificate thumbprint
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,18,10.1.1.32:20981,37.156.33.28:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,4,10.1.1.32:20984,186.1.31.37:25,<,250-mail.ideay.net.ni,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,5,10.1.1.32:20984,186.1.31.37:25,<,250-PIPELINING,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,6,10.1.1.32:20984,186.1.31.37:25,<,250-SIZE 52183040,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,7,10.1.1.32:20984,186.1.31.37:25,<,250-VRFY,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,8,10.1.1.32:20984,186.1.31.37:25,<,250-ETRN,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,9,10.1.1.32:20984,186.1.31.37:25,<,250-STARTTLS,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,10,10.1.1.32:20984,186.1.31.37:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,11,10.1.1.32:20984,186.1.31.37:25,<,250-8BITMIME,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,12,10.1.1.32:20984,186.1.31.37:25,<,250 DSN,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,13,10.1.1.32:20984,186.1.31.37:25,>,STARTTLS,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,19,10.1.1.32:20981,37.156.33.28:25,<,250-mail.myspacebox.ro,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,20,10.1.1.32:20981,37.156.33.28:25,<,250-PIPELINING,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,21,10.1.1.32:20981,37.156.33.28:25,<,250-SIZE 61440000,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,22,10.1.1.32:20981,37.156.33.28:25,<,250-ETRN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,23,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,24,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,25,10.1.1.32:20981,37.156.33.28:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,26,10.1.1.32:20981,37.156.33.28:25,<,250-8BITMIME,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,27,10.1.1.32:20981,37.156.33.28:25,<,250 DSN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,28,10.1.1.32:20981,37.156.33.28:25,*,1469701,sending message
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,29,10.1.1.32:20981,37.156.33.28:25,>,MAIL FROM:<> SIZE=11625,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,30,10.1.1.32:20981,37.156.33.28:25,>,RCPT TO:<talonboy57fd@adventistdeva.org>,
2014-08-01T20:02:21.377Z,Internet Mail(2010),08D16F6AD4285FCA,14,10.1.1.32:20984,186.1.31.37:25,<,220 2.0.0 Ready to start TLS,
2014-08-01T20:02:21.455Z,Internet Mail(2010),08D16F6AD4285FCF,0,,141.8.225.63:25,*,,attempting to connect
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,31,10.1.1.32:20981,37.156.33.28:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,32,10.1.1.32:20981,37.156.33.28:25,<,450 4.1.1 <talonboy57fd@adventistdeva.org>: Recipient address rejected: User unknown in virtual mailbox table,
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,33,10.1.1.32:20981,37.156.33.28:25,>,QUIT,
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,15,10.1.1.32:20984,186.1.31.37:25,*,,Received certificate
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,16,10.1.1.32:20984,186.1.31.37:25,*,EE76B731626C375D5786D4D7D645763347D7D321,Certificate thumbprint
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,17,10.1.1.32:20984,186.1.31.37:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.611Z,Internet Mail(2010),08D16F6AD4285FCC,34,10.1.1.32:20981,37.156.33.28:25,<,221 2.0.0 Bye,
2014-08-01T20:02:21.611Z,Internet Mail(2010),08D16F6AD4285FCC,35,10.1.1.32:20981,37.156.33.28:25,-,,Local
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,18,10.1.1.32:20984,186.1.31.37:25,<,250-mail.ideay.net.ni,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,19,10.1.1.32:20984,186.1.31.37:25,<,250-PIPELINING,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,20,10.1.1.32:20984,186.1.31.37:25,<,250-SIZE 52183040,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,21,10.1.1.32:20984,186.1.31.37:25,<,250-VRFY,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,22,10.1.1.32:20984,186.1.31.37:25,<,250-ETRN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,23,10.1.1.32:20984,186.1.31.37:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,24,10.1.1.32:20984,186.1.31.37:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,25,10.1.1.32:20984,186.1.31.37:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,26,10.1.1.32:20984,186.1.31.37:25,<,250-8BITMIME,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,27,10.1.1.32:20984,186.1.31.37:25,<,250 DSN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,28,10.1.1.32:20984,186.1.31.37:25,*,1489384,sending message
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,29,10.1.1.32:20984,186.1.31.37:25,>,MAIL FROM:<> SIZE=11011,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,30,10.1.1.32:20984,186.1.31.37:25,>,RCPT TO:<powers5a72@ideay.net.ni>,
2014-08-01T20:02:21.767Z,Internet Mail(2010),08D16F6AD4285FCA,31,10.1.1.32:20984,186.1.31.37:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.767Z,Internet Mail(2010),08D16F6AD4285FCA,32,10.1.1.32:20984,186.1.31.37:25,<,550 5.1.1 <powers5a72@ideay.net.ni>: Recipient address rejected: ideay.net.ni,
2014-08-01T20:02:21.783Z,Internet Mail(2010),08D16F6AD4285FCA,33,10.1.1.32:20984,186.1.31.37:25,>,QUIT,
2014-08-01T20:02:21.876Z,Internet Mail(2010),08D16F6AD4285FCA,34,10.1.1.32:20984,186.1.31.37:25,<,221 2.0.0 Bye,
2014-08-01T20:02:21.876Z,Internet Mail(2010),08D16F6AD4285FCA,35,10.1.1.32:20984,186.1.31.37:25,-,,Local
2014-08-01T20:02:22.454Z,Internet Mail(2010),08D16F6AD4285FD5,0,,201.130.193.100:25,*,,attempting to connect
2014-08-01T20:02:22.532Z,Internet Mail(2010),08D16F6AD4285FD5,1,10.1.1.32:20990,201.130.193.100:25,+,,
2014-08-01T20:02:22.625Z,Internet Mail(2010),08D16F6AD4285FD5,2,10.1.1.32:20990,201.130.193.100:25,<,220 mail.cybercable.net.mx ESMTP,
2014-08-01T20:02:22.625Z,Internet Mail(2010),08D16F6AD4285FD5,3,10.1.1.32:20990,201.130.193.100:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,4,10.1.1.32:20990,201.130.193.100:25,<,250-mail.cybercable.net.mx,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,5,10.1.1.32:20990,201.130.193.100:25,<,250-PIPELINING,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,6,10.1.1.32:20990,201.130.193.100:25,<,250-8BITMIME,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,7,10.1.1.32:20990,201.130.193.100:25,<,250 AUTH LOGIN PLAIN CRAM-MD5,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,8,10.1.1.32:20990,201.130.193.100:25,*,1489386,sending message
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,9,10.1.1.32:20990,201.130.193.100:25,>,MAIL FROM:<>,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,10,10.1.1.32:20990,201.130.193.100:25,>,RCPT TO:<jotreceiptc785@cybercable.net.mx>,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,11,10.1.1.32:20990,201.130.193.100:25,<,250 ok,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,12,10.1.1.32:20990,201.130.193.100:25,<,"550 sorry, no mailbox here by that name (#5.1.1 - chkusr)",
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,13,10.1.1.32:20990,201.130.193.100:25,>,QUIT,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,14,10.1.1.32:20990,201.130.193.100:25,-,,Remote
2014-08-01T20:02:23.655Z,Internet Mail(2010),08D16F6AD4285FD6,0,,62.38.2.74:25,*,,attempting to connect
2014-08-01T20:02:23.811Z,Internet Mail(2010),08D16F6AD4285FD6,1,10.1.1.32:20996,62.38.2.74:25,+,,
2014-08-01T20:02:23.967Z,Internet Mail(2010),08D16F6AD4285FD6,2,10.1.1.32:20996,62.38.2.74:25,<,"220 XMail ESMTP service ready; Fri, 1 Aug 2014 23:02:25 +0300",
2014-08-01T20:02:23.967Z,Internet Mail(2010),08D16F6AD4285FD6,3,10.1.1.32:20996,62.38.2.74:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,4,10.1.1.32:20996,62.38.2.74:25,<,250-protect4.mail.hol.gr,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,5,10.1.1.32:20996,62.38.2.74:25,<,250-8BITMIME,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,6,10.1.1.32:20996,62.38.2.74:25,<,250-PIPELINING,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,7,10.1.1.32:20996,62.38.2.74:25,<,250 SIZE,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,8,10.1.1.32:20996,62.38.2.74:25,*,1489388,sending message
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,9,10.1.1.32:20996,62.38.2.74:25,>,MAIL FROM:<> SIZE=10738,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,10,10.1.1.32:20996,62.38.2.74:25,>,RCPT TO:<ds28a@hol.gr>,
2014-08-01T20:02:24.669Z,Internet Mail(2010),08D16F6AD4285FD6,11,10.1.1.32:20996,62.38.2.74:25,<,250 OK,
2014-08-01T20:02:25.028Z,Internet Mail(2010),08D16F6AD4285FD6,12,10.1.1.32:20996,62.38.2.74:25,<,550 Unknown recipient,
2014-08-01T20:02:25.028Z,Internet Mail(2010),08D16F6AD4285FD6,13,10.1.1.32:20996,62.38.2.74:25,>,QUIT,
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD9,0,,195.64.179.242:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FDA,0,,50.97.35.134:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FDB,0,,216.120.246.32:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD6,14,10.1.1.32:20996,62.38.2.74:25,<,221 XMail ESMTP service closing transmission channel,
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD6,15,10.1.1.32:20996,62.38.2.74:25,-,,Local
2014-08-01T20:02:25.418Z,Internet Mail(2010),08D16F6AD4285FDB,1,10.1.1.32:20999,216.120.246.32:25,+,,
2014-08-01T20:02:25.418Z,Internet Mail(2010),08D16F6AD4285FDA,1,10.1.1.32:20998,50.97.35.134:25,+,,
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,2,10.1.1.32:20998,50.97.35.134:25,<,"220-app.eclarian.com ESMTP Exim 4.82 #2 Fri, 01 Aug 2014 15:02:26 -0500 ",
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,3,10.1.1.32:20998,50.97.35.134:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,4,10.1.1.32:20998,50.97.35.134:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,5,10.1.1.32:20998,50.97.35.134:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,6,10.1.1.32:20998,50.97.35.134:25,<,250-app.eclarian.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,7,10.1.1.32:20998,50.97.35.134:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,8,10.1.1.32:20998,50.97.35.134:25,<,250-8BITMIME,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,9,10.1.1.32:20998,50.97.35.134:25,<,250-PIPELINING,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,10,10.1.1.32:20998,50.97.35.134:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,11,10.1.1.32:20998,50.97.35.134:25,<,250-STARTTLS,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,12,10.1.1.32:20998,50.97.35.134:25,<,250 HELP,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,13,10.1.1.32:20998,50.97.35.134:25,>,STARTTLS,
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,2,10.1.1.32:20999,216.120.246.32:25,<,"220-host28.hrwebservices.net ESMTP Exim 4.80.1 #2 Fri, 01 Aug 2014 16:02:26 -0400 ",
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,3,10.1.1.32:20999,216.120.246.32:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,4,10.1.1.32:20999,216.120.246.32:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,5,10.1.1.32:20999,216.120.246.32:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.511Z,Internet Mail(2010),08D16F6AD4285FDA,14,10.1.1.32:20998,50.97.35.134:25,<,220 TLS go ahead,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,6,10.1.1.32:20999,216.120.246.32:25,<,250-host28.hrwebservices.net Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,7,10.1.1.32:20999,216.120.246.32:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,8,10.1.1.32:20999,216.120.246.32:25,<,250-8BITMIME,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,9,10.1.1.32:20999,216.120.246.32:25,<,250-PIPELINING,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,10,10.1.1.32:20999,216.120.246.32:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,11,10.1.1.32:20999,216.120.246.32:25,<,250-STARTTLS,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,12,10.1.1.32:20999,216.120.246.32:25,<,250 HELP,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,13,10.1.1.32:20999,216.120.246.32:25,>,STARTTLS,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FD9,1,10.1.1.32:20997,195.64.179.242:25,+,,
2014-08-01T20:02:25.574Z,Internet Mail(2010),08D16F6AD4285FDB,14,10.1.1.32:20999,216.120.246.32:25,<,220 TLS go ahead,
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,15,10.1.1.32:20998,50.97.35.134:25,*,,Received certificate
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,16,10.1.1.32:20998,50.97.35.134:25,*,22AE281345348B415DB0A695A65500BF40CFE30C,Certificate thumbprint
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,17,10.1.1.32:20998,50.97.35.134:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,18,10.1.1.32:20998,50.97.35.134:25,<,250-app.eclarian.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,19,10.1.1.32:20998,50.97.35.134:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,20,10.1.1.32:20998,50.97.35.134:25,<,250-8BITMIME,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,21,10.1.1.32:20998,50.97.35.134:25,<,250-PIPELINING,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,22,10.1.1.32:20998,50.97.35.134:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,23,10.1.1.32:20998,50.97.35.134:25,<,250 HELP,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,24,10.1.1.32:20998,50.97.35.134:25,*,1479411,sending message
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,25,10.1.1.32:20998,50.97.35.134:25,>,MAIL FROM:<> SIZE=11094,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,26,10.1.1.32:20998,50.97.35.134:25,>,RCPT TO:<ganieve84@freedombaptistschools.org>,
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,15,10.1.1.32:20999,216.120.246.32:25,*,,Received certificate
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,16,10.1.1.32:20999,216.120.246.32:25,*,BC1D6B0D24DD862AE4AB825352A3F3D24607D8DC,Certificate thumbprint
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,17,10.1.1.32:20999,216.120.246.32:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,27,10.1.1.32:20998,50.97.35.134:25,<,250 OK,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,28,10.1.1.32:20998,50.97.35.134:25,<,451 Temporary local problem - please try later,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,29,10.1.1.32:20998,50.97.35.134:25,>,QUIT,

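As an added example (not code from the thread, the asker, or Exchange itself), a parser for the send-connector protocol log pasted above: it groups rows by session-id and flags the pattern visible in the paste, the local server sending MAIL FROM:<> (the null sender that NDRs use) to an outside host that then rejects the recipient with a 4xx/5xx. Session ids, hosts and addresses in the sample are constructed; the column layout is Exchange's documented protocol-log format.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the Exchange 2010 send-connector protocol-log layout
# (date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context).
# Hosts and addresses are made up; the shape mirrors the sessions posted above.
SAMPLE_LOG = """\
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESS-A,28,10.1.1.32:20981,203.0.113.10:25,*,1469701,sending message
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESS-A,29,10.1.1.32:20981,203.0.113.10:25,>,MAIL FROM:<> SIZE=11625,
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESS-A,30,10.1.1.32:20981,203.0.113.10:25,>,RCPT TO:<nobody@example.net>,
2014-08-01T20:02:21.486Z,Internet Mail(2010),SESS-A,31,10.1.1.32:20981,203.0.113.10:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.486Z,Internet Mail(2010),SESS-A,32,10.1.1.32:20981,203.0.113.10:25,<,450 4.1.1 <nobody@example.net>: Recipient address rejected: User unknown,
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESS-B,8,10.1.1.32:20990,203.0.113.20:25,*,1489386,sending message
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESS-B,9,10.1.1.32:20990,203.0.113.20:25,>,MAIL FROM:<> SIZE=10738,
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESS-B,10,10.1.1.32:20990,203.0.113.20:25,>,RCPT TO:<jot785@example.org>,
2014-08-01T20:02:22.797Z,Internet Mail(2010),SESS-B,11,10.1.1.32:20990,203.0.113.20:25,<,250 ok,
2014-08-01T20:02:22.797Z,Internet Mail(2010),SESS-B,12,10.1.1.32:20990,203.0.113.20:25,<,"550 sorry, no mailbox here by that name (#5.1.1 - chkusr)",
2014-08-01T20:02:23.001Z,Internet Mail(2010),SESS-C,8,10.1.1.32:20995,203.0.113.30:25,*,1489390,sending message
2014-08-01T20:02:23.001Z,Internet Mail(2010),SESS-C,9,10.1.1.32:20995,203.0.113.30:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
2014-08-01T20:02:23.001Z,Internet Mail(2010),SESS-C,10,10.1.1.32:20995,203.0.113.30:25,>,RCPT TO:<bob@example.org>,
2014-08-01T20:02:23.120Z,Internet Mail(2010),SESS-C,11,10.1.1.32:20995,203.0.113.30:25,<,250 ok,
2014-08-01T20:02:23.120Z,Internet Mail(2010),SESS-C,12,10.1.1.32:20995,203.0.113.30:25,<,250 ok,
"""

def parse_sessions(log_text):
    """Group rows by session-id: remote host, envelope sender, recipients, reply codes."""
    sessions = defaultdict(lambda: {"remote": "", "sender": None, "rcpts": [], "codes": []})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 8 or row[0].startswith("#"):
            continue  # blank line or the #Fields header Exchange writes
        _ts, _conn, sid, _seq, _local, remote, event, data = row[:8]
        s = sessions[sid]
        s["remote"] = remote.rsplit(":", 1)[0]
        if event == ">" and data.upper().startswith("MAIL FROM:"):
            s["sender"] = data.split("<", 1)[1].split(">", 1)[0]  # "" for the null sender
        elif event == ">" and data.upper().startswith("RCPT TO:"):
            s["rcpts"].append(data.split("<", 1)[1].split(">", 1)[0])
        elif event == "<" and s["sender"] is not None and data[:3].isdigit():
            s["codes"].append(data[:3])  # first reply answers MAIL FROM, the rest RCPT TO
    return sessions

def backscatter_candidates(log_text):
    """(session, remote, rcpt, code) for null-sender sessions whose RCPT TO got a 4xx/5xx:
    NDRs we could not deliver, the usual sign the bounced message carried a forged sender."""
    hits = []
    for sid, s in parse_sessions(log_text).items():
        if s["sender"] != "":  # only the null sender that bounces/NDRs use
            continue
        for rcpt, code in zip(s["rcpts"], s["codes"][1:]):
            if code[0] in "45":
                hits.append((sid, s["remote"], rcpt, code))
    return hits
```

Run backscatter_candidates() over the text of a SEND protocol-log file; a steady stream of hits to hosts you never correspond with points at NDRs for inbound spam with forged senders rather than at a relay or a compromised account.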
ASKER CERTIFIED SOLUTION
Simon Butler (Sembee)

So what about the spam that is coming from legit email addresses that we use? How are those being generated? Some of them I don't even think are accounts; they're just additional aliases. Any way I can stop those?
Not a lot you can do to stop those, because that is how spammers work. They get legitimate addresses for your environment and then use those as the from headers. They hope that you have either whitelisted your own domain or it causes the email to look legitimate to the sender so that they open it.

Therefore the only way to block them is after delivery based on content in the more traditional way.

Simon.
Wow, that really sucks. Some of the addresses they are using are, like I said, never used - aliases most of the time. So just to come full circle on this - my contractor that is receiving SPAM from us - how would a spammer a) know that the particular email alias that they used even existed (with tarpitting and the fact that it's an alias on another account - it's NEVER used anywhere really) and b) how would they have gotten the email address for our contractor? Surely it couldn't just be random luck.
Who knows how they get the addresses?
They could have done a directory harvest attack, guessed, compromised a workstation and pulled the address off. If the address has been used ever, then it will get spam.

You say about random luck, I can point to a client who gets a lot of email for an address that looks like it should be legitimate, but has never been. I actually use it as a honeypot now, as it is so common in the spamming runs.

Simon.
So is there anything more I can do about stuff like this?

User generated image
Not really.
There is no magic fix for spam - every server gets it, and for most they have to use third party tools to deal with it.

Simon.
So again, to come full circle on this. With regard to that original host header info at the top of the thread: did that email in fact come from my mail server? And if it did, I'm going to assume it's from a compromised account - the best way to find that, I'm guessing, is to look through the send connector for an account that is sending these types of emails?
If there is an external IP address in the header then it did not originate from your server.
However remember that a lot of headers in spam messages are forged, so cannot be depended on for any kind of diagnosis. The most effective spam blocking method is to block at the point of connection.

Simon.