Solved

Exchange 2010 SPAM email - open relay?

Posted on 2014-07-30
378 Views
Last Modified: 2014-08-14
I received an email from a contractor the other day who is concerned about SPAM that he is receiving from our mail server. Below is the header info from the email - is anyone able to figure out how this email is getting generated? We do have a couple of Receive Connectors that don't use authentication because they are for equipment that is not on our domain (and impossible to get to from the outside unless you are VPN'd in), so they allow anonymous users to send notifications out - however I do have specific networks specified from which the mail server should only be allowing relaying. My concern is that somehow someone is able to get through my ASA and generate emails using this connector.

Testing for open relays has shown that I have none, but I'm particularly concerned about this vulnerability ("Return of the open relays"). We are running an ASA security appliance.

Received: from Brockman.shec.com (216.223.90.70) by
 remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
 14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Resent-From: <scada@sudburyhydro.com>
Received: from host-49-130.pool.intred.it (62.97.49.130) by Brockman.shec.com
 (10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
 03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746]
 helo=host-49-130.pool.intred.it) by 8C43899A (envelope-from
 <scada6196@intred.it>) (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
Date: Fri, 25 Jul 2014 09:42:02 +0200
From: NewSlimBody Daily <scada6196@intred.it>
Sender: <scada6196@intred.it>
To: <scada@sudburyhydro.com>
Message-ID: <9367794711.7738299520350196947.JavaMail.root@host-49-130.pool.intred.it>
Subject: Keeping fit is nothing special now!
Errors-To: scada6196@intred.it
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="----=_Part_80294_3251653292.9842774491692"
List-Unsubscribe: <https://intred.it/app/optOut/noConfirm/471666848/f92c7a48c7d205b5fd>
Return-Path: scada6196@intred.it
X-TM-AS-Product-Ver: SMEX-11.1.0.1239-7.500.1018-20838.000
X-TM-AS-Result: Yes-73.039900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
X-MS-Exchange-Organization-AuthSource: CASVR1.costelloassoc.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: sudburyhydro.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (CASVR1.costelloassoc.local: scada@sudburyhydro.com does
 not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13306.465;SID:SenderIDStatus None;OrigIP:216.223.90.70

Question by:ITGeneral
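Reading the Received chain oldest-hop-first is the first step in answering the question as posted. The following is an added example, not part of the thread; the header text inside it is copied from the question and re-folded with standard continuation indentation. Read in delivery order, the chain is: the message left 10.0.0.114 behind an ecelerity MTA, arrived at Brockman.shec.com (10.1.1.4) from 62.97.49.130 as an anonymous sender (X-MS-Exchange-Organization-AuthAs: Anonymous) addressed To: scada@sudburyhydro.com, and Brockman then passed it on to the contractor's server carrying a Resent-From: <scada@sudburyhydro.com> header. That last hop is the one to explain: a Resent-From stamp is consistent with Exchange redirecting the message on the recipient's behalf (a forwarding address on the scada@sudburyhydro.com recipient or an inbox rule), which is a different mechanism from relaying through a connector.

```python
"""Walk the Received: chain and the Exchange authentication headers of the
message posted above (added example; headers copied from the question and
re-folded with standard continuation indentation)."""
import re
from typing import Dict, List, Tuple

HEADERS = """\
Received: from Brockman.shec.com (216.223.90.70) by
 remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
 14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Resent-From: <scada@sudburyhydro.com>
Received: from host-49-130.pool.intred.it (62.97.49.130) by Brockman.shec.com
 (10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
 03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746]
 helo=host-49-130.pool.intred.it) by 8C43899A (envelope-from
 <scada6196@intred.it>) (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
From: NewSlimBody Daily <scada6196@intred.it>
To: <scada@sudburyhydro.com>
Return-Path: scada6196@intred.it
X-MS-Exchange-Organization-AuthSource: CASVR1.costelloassoc.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: sudburyhydro.com
Received-SPF: None (CASVR1.costelloassoc.local: scada@sudburyhydro.com does
 not designate permitted sender hosts)
"""

# "from <host> (<comment>) by <host>"; the comment usually carries the peer IP.
RECEIVED = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(raw: str) -> List[Tuple[str, str]]:
    """Undo RFC 5322 folding: a line starting with whitespace continues the previous field."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def hop_chain(fields: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """Received: hops oldest first (each MTA prepends its own, so raw order is newest first)."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = RECEIVED.match(value)
        if not m:
            continue
        ip = IPV4.search(m.group("comment") or "")
        hops.append({"from": m.group("from"), "ip": ip.group(1) if ip else "",
                     "by": m.group("by"), "date": value.rsplit(";", 1)[-1].strip()})
    hops.reverse()
    return hops


def exchange_verdict(fields: List[Tuple[str, str]]) -> Dict[str, str]:
    """The stamps Exchange adds on entry: how the sender authenticated, the purported
    responsible domain (PRD), the SPF result, and whether the message was re-sent."""
    wanted = ("X-MS-Exchange-Organization-AuthAs", "X-MS-Exchange-Organization-AuthSource",
              "X-MS-Exchange-Organization-PRD", "Received-SPF", "Resent-From", "Return-Path")
    return {name: value for name, value in fields if name in wanted}


if __name__ == "__main__":
    parsed = unfold(HEADERS)
    for i, hop in enumerate(hop_chain(parsed), 1):
        print(f"hop {i}: {hop['from']} [{hop['ip'] or '?'}] -> {hop['by']}  ({hop['date']})")
    for name, value in exchange_verdict(parsed).items():
        print(f"{name}: {value}")
```

The same two functions work on any pasted header block: feed it the full headers of the offending message and compare the "by" host of the hop just before the contractor's server with the AuthAs value; an anonymous entry followed by an outbound hop from the same server is what a forward or redirect looks like, while a relay abuse would show the external recipient in the original RCPT (and no Resent-From).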
16 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40230040
Doesn't have to be an open relay.
The most likely cause is authenticated relay. One of your accounts has been compromised and is being abused. Logging on the Receive Connectors and the Exchange server itself (Security log) may well show the target account. Administrator is the usual one they go after unless a phishing email was successful.

Simon.
 

Author Comment

by:ITGeneral
ID: 40232610
Well, not sure if this helps or not but something is definitely up. I'm looking at the queue viewer and there are tons of messages sitting in the queue. The From address is just "<>" and most messages are showing a "400 4.4.7 Message Delayed" error. Looking at the Messages queue it's quite obvious that it's spam.

Are you aware of any good articles that detail how to track down the source?

I should note as well that AntiSpam is turned on and I have enabled the "Block messages sent to recipients that do not exist in the directory" option.
 

Author Comment

by:ITGeneral
ID: 40232678
Sorry for the double post - for some reason can't edit. Anyway read another thread that you helped out on here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Q_28401472.html

So that sounds like normal? traffic. I've got like probably a few hundred messages sitting in various "queues", all with "451 4.4.0 Primary target IP address responded with: 421 4.2.1 unable to connect...."

To be honest I'm not real concerned about these ones I don't think as at least they're still stuck in queues. The original message is still my biggest concern as it actually went out.
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40232824
If the messages are < > then those are NDRs.

Is Exchange your primary delivery point? Do your MX records point directly at Exchange?

Simon.
 

Author Comment

by:ITGeneral
ID: 40234276
Yes they do.

Considering the recipient filtering I've got set though should it not be dropping anything that is not listed in my address book?

An example of one of the queues
ExchangeQueue.png
Example message
ExchangeMessage.png
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40234791
Why not test it yourself using telnet?
If you telnet in to your server and attempt to send to an address you don't have, it should throw it back. If it accepts the message then recipient filtering isn't working.

Simon.
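A scripted version of the telnet test suggested above, added here as an example and not taken from the thread. It uses Python's smtplib to do what the manual session does: EHLO, MAIL FROM, then RCPT TO for an address that does not exist in the directory and for an external address, and classifies each reply. Host and addresses are command-line parameters. The reply wording that classify_rcpt_reply looks for (550 5.7.1 Unable to relay, 550 5.1.1 User unknown, 250 2.1.5 Recipient OK) is what Exchange 2010 normally returns and is an assumption about the server under test; a 5.7.1 that does not mention relaying, such as the Trend Micro reputation block seen later in this thread, is treated as a policy rejection rather than a relay verdict.

```python
"""Scripted RCPT TO probe: recipient-filtering and relay checks without typing
the SMTP session by hand (added example; host and addresses are parameters)."""
import smtplib
import sys
from typing import Dict, Tuple


def classify_rcpt_reply(code: int, message) -> str:
    """Map an RCPT TO reply to what it means for the two checks.

    Assumed Exchange 2010 wording: '550 5.7.1 Unable to relay' when relaying is
    refused, '550 5.1.1 User unknown' when recipient filtering rejects the
    address, '250 2.1.5 Recipient OK' when it is accepted. A 5.7.1 without the
    word 'relay' (e.g. a reputation-service block) is a policy rejection.
    """
    text = message.decode("ascii", "replace") if isinstance(message, bytes) else str(message)
    low = text.lower()
    if code == 250:
        return "accepted"
    if 400 <= code < 500:
        return "tempfail"
    if "relay" in low:
        return "relay denied"
    if "5.1.1" in text or "unknown" in low or "does not exist" in low:
        return "unknown recipient"
    return "rejected (policy)"


def probe(host: str, bogus_local: str, external: str, port: int = 25,
          sender: str = "probe@example.invalid",
          timeout: float = 30) -> Dict[str, Tuple[int, str]]:
    """Issue EHLO, MAIL FROM and two RCPT TOs; never send DATA.

    Exchange tarpits for about 10 s after a rejected RCPT (the log lines later
    in this thread show 'Tarpit for 0.00:00:10'), hence the generous timeout.
    """
    results: Dict[str, Tuple[int, str]] = {}
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, msg = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused: {code} {msg!r}")
        for addr in (bogus_local, external):
            code, msg = smtp.rcpt(addr)
            results[addr] = (code, classify_rcpt_reply(code, msg))
        smtp.rset()  # abandon the transaction; nothing is queued
    return results


def interpret(results: Dict[str, Tuple[int, str]], bogus_local: str,
              external: str) -> Dict[str, bool]:
    """Turn the two outcomes into the thread's two yes/no questions."""
    return {
        "recipient_filtering_works": results[bogus_local][1] == "unknown recipient",
        "open_relay": results[external][1] == "accepted",
    }


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: smtp_probe.py <host> <bogus-local-address> <external-address>")
    host, bogus, ext = sys.argv[1:4]
    outcome = probe(host, bogus, ext)
    for addr, (code, verdict) in outcome.items():
        print(f"RCPT TO:<{addr}> -> {code} {verdict}")
    print(interpret(outcome, bogus, ext))
```

Run it from an Internet host as well as from the LAN: the relay decision depends on which Receive Connector the source IP matches, so a "relay denied" from inside says nothing about the anonymous connector scoped to the equipment networks, and an "accepted" for the external address from one of those networks is by design rather than a finding.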
 

Author Comment

by:ITGeneral
ID: 40235238
Ok so I logged in via telnet and I get unable to relay.

Checked the default receive connector that I turned up verbose logging on and found a lot of this kind of thing:

2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,3,10.1.1.4:25,77.234.230.227:1409,<,EHLO ppp-77-234-230-227.dsidata.sk,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,4,10.1.1.4:25,77.234.230.227:1409,>,250-Brockman.shec.com Hello [77.234.230.227],
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,5,10.1.1.4:25,77.234.230.227:1409,>,250-SIZE,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,6,10.1.1.4:25,77.234.230.227:1409,>,250-PIPELINING,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,7,10.1.1.4:25,77.234.230.227:1409,>,250-DSN,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,8,10.1.1.4:25,77.234.230.227:1409,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,9,10.1.1.4:25,77.234.230.227:1409,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,10,10.1.1.4:25,77.234.230.227:1409,>,250-AUTH NTLM,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,11,10.1.1.4:25,77.234.230.227:1409,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,12,10.1.1.4:25,77.234.230.227:1409,>,250-8BITMIME,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,13,10.1.1.4:25,77.234.230.227:1409,>,250-BINARYMIME,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,14,10.1.1.4:25,77.234.230.227:1409,>,250-CHUNKING,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,15,10.1.1.4:25,77.234.230.227:1409,>,250-XEXCH50,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,16,10.1.1.4:25,77.234.230.227:1409,>,250-XRDST,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,17,10.1.1.4:25,77.234.230.227:1409,>,250 XSHADOW,
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,18,10.1.1.4:25,77.234.230.227:1409,<,MAIL FROM:<ldeadbb32@ppp-77-234-230-227.dsidata.sk>,
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,19,10.1.1.4:25,77.234.230.227:1409,*,08D16F6AD428365C;2014-08-01T18:53:14.080Z;1,receiving message
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,20,10.1.1.4:25,77.234.230.227:1409,<,RCPT TO:<ldead@shec.com>,
2014-08-01T18:53:14.470Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,21,10.1.1.4:25,77.234.230.227:1409,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,22,10.1.1.4:25,67.211.119.59:63340,>,250 2.1.0 Sender OK,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,23,10.1.1.4:25,67.211.119.59:63340,>,550 5.7.1 Your email messages have been blocked by the recipient OR by Trend Micro Email Reputation Service. Contact the recipient or his/her administrator using alternate means to resolve the issue.,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,24,10.1.1.4:25,67.211.119.59:63340,<,DATA,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,25,10.1.1.4:25,67.211.119.59:63340,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,0,10.1.1.4:25,190.190.5.41:3884,+,,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,1,10.1.1.4:25,190.190.5.41:3884,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,2,10.1.1.4:25,190.190.5.41:3884,>,220 mail.gsuinc.ca,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,26,10.1.1.4:25,216.136.68.30:37379,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,27,10.1.1.4:25,216.136.68.30:37379,<,QUIT,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,28,10.1.1.4:25,216.136.68.30:37379,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,29,10.1.1.4:25,216.136.68.30:37379,-,,Local
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,3,10.1.1.4:25,190.190.5.41:3884,<,EHLO 41-5-190-190.cab.prima.net.ar,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,4,10.1.1.4:25,190.190.5.41:3884,>,250-Brockman.shec.com Hello [190.190.5.41],
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,5,10.1.1.4:25,190.190.5.41:3884,>,250-SIZE,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,6,10.1.1.4:25,190.190.5.41:3884,>,250-PIPELINING,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,7,10.1.1.4:25,190.190.5.41:3884,>,250-DSN,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,8,10.1.1.4:25,190.190.5.41:3884,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,9,10.1.1.4:25,190.190.5.41:3884,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,10,10.1.1.4:25,190.190.5.41:3884,>,250-AUTH NTLM,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,11,10.1.1.4:25,190.190.5.41:3884,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,12,10.1.1.4:25,190.190.5.41:3884,>,250-8BITMIME,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,13,10.1.1.4:25,190.190.5.41:3884,>,250-BINARYMIME,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,14,10.1.1.4:25,190.190.5.41:3884,>,250-CHUNKING,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,15,10.1.1.4:25,190.190.5.41:3884,>,250-XEXCH50,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,16,10.1.1.4:25,190.190.5.41:3884,>,250-XRDST,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,17,10.1.1.4:25,190.190.5.41:3884,>,250 XSHADOW,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,26,10.1.1.4:25,85.182.202.114:18178,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,27,10.1.1.4:25,85.182.202.114:18178,<,QUIT,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,28,10.1.1.4:25,85.182.202.114:18178,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,29,10.1.1.4:25,85.182.202.114:18178,-,,Local
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,18,10.1.1.4:25,190.190.5.41:3884,<,MAIL FROM:<reid3a7c@1kmiles.com>,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,19,10.1.1.4:25,190.190.5.41:3884,*,08D16F6AD428365F;2014-08-01T18:53:14.517Z;1,receiving message
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,20,10.1.1.4:25,190.190.5.41:3884,<,RCPT TO:<reid@shec.com>,
2014-08-01T18:53:15.016Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,21,10.1.1.4:25,190.190.5.41:3884,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,26,10.1.1.4:25,90.164.125.140:53284,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,27,10.1.1.4:25,90.164.125.140:53284,<,QUIT,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,28,10.1.1.4:25,90.164.125.140:53284,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,29,10.1.1.4:25,90.164.125.140:53284,-,,Local
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,3,10.1.1.4:25,2.190.129.124:51312,<,EHLO [2.190.129.124],
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,4,10.1.1.4:25,2.190.129.124:51312,>,250-Brockman.shec.com Hello [2.190.129.124],
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,5,10.1.1.4:25,2.190.129.124:51312,>,250-SIZE,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,6,10.1.1.4:25,2.190.129.124:51312,>,250-PIPELINING,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,7,10.1.1.4:25,2.190.129.124:51312,>,250-DSN,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,8,10.1.1.4:25,2.190.129.124:51312,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,9,10.1.1.4:25,2.190.129.124:51312,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,10,10.1.1.4:25,2.190.129.124:51312,>,250-AUTH NTLM,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,11,10.1.1.4:25,2.190.129.124:51312,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,12,10.1.1.4:25,2.190.129.124:51312,>,250-8BITMIME,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,13,10.1.1.4:25,2.190.129.124:51312,>,250-BINARYMIME,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,14,10.1.1.4:25,2.190.129.124:51312,>,250-CHUNKING,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,15,10.1.1.4:25,2.190.129.124:51312,>,250-XEXCH50,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,16,10.1.1.4:25,2.190.129.124:51312,>,250-XRDST,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,17,10.1.1.4:25,2.190.129.124:51312,>,250 XSHADOW,
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,0,10.1.1.4:25,190.193.130.213:51326,+,,
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,1,10.1.1.4:25,190.193.130.213:51326,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,2,10.1.1.4:25,190.193.130.213:51326,>,220 mail.gsuinc.ca,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,3,10.1.1.4:25,190.193.130.213:51326,<,EHLO 213-130-193-190.cab.prima.net.ar,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,4,10.1.1.4:25,190.193.130.213:51326,>,250-Brockman.shec.com Hello [190.193.130.213],
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,5,10.1.1.4:25,190.193.130.213:51326,>,250-SIZE,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,6,10.1.1.4:25,190.193.130.213:51326,>,250-PIPELINING,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,7,10.1.1.4:25,190.193.130.213:51326,>,250-DSN,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,8,10.1.1.4:25,190.193.130.213:51326,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,9,10.1.1.4:25,190.193.130.213:51326,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,10,10.1.1.4:25,190.193.130.213:51326,>,250-AUTH NTLM,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,11,10.1.1.4:25,190.193.130.213:51326,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,12,10.1.1.4:25,190.193.130.213:51326,>,250-8BITMIME,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,13,10.1.1.4:25,190.193.130.213:51326,>,250-BINARYMIME,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,14,10.1.1.4:25,190.193.130.213:51326,>,250-CHUNKING,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,15,10.1.1.4:25,190.193.130.213:51326,>,250-XEXCH50,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,16,10.1.1.4:25,190.193.130.213:51326,>,250-XRDST,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,17,10.1.1.4:25,190.193.130.213:51326,>,250 XSHADOW,
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,18,10.1.1.4:25,190.193.130.213:51326,<,MAIL FROM:<brenden.fleming2428@andresgonzalez.net>,
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,19,10.1.1.4:25,190.193.130.213:51326,*,08D16F6AD4283660;2014-08-01T18:53:16.560Z;1,receiving message
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,20,10.1.1.4:25,190.193.130.213:51326,<,RCPT TO:<brenden.fleming@athomeenergy.ca>,
2014-08-01T18:53:17.028Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,21,10.1.1.4:25,190.193.130.213:51326,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,26,10.1.1.4:25,109.192.179.164:46942,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,27,10.1.1.4:25,109.192.179.164:46942,<,QUIT,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,28,10.1.1.4:25,109.192.179.164:46942,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,29,10.1.1.4:25,109.192.179.164:46942,-,,Local
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,26,10.1.1.4:25,84.124.149.101:59320,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,27,10.1.1.4:25,84.124.149.101:59320,<,QUIT,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,28,10.1.1.4:25,84.124.149.101:59320,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,29,10.1.1.4:25,84.124.149.101:59320,-,,Local
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,18,10.1.1.4:25,2.190.129.124:51312,<,MAIL FROM:<ryan.vareyd@kbruce.com>,
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,19,10.1.1.4:25,2.190.129.124:51312,*,08D16F6AD4283651;2014-08-01T18:53:11.989Z;1,receiving message
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,20,10.1.1.4:25,2.190.129.124:51312,<,RCPT TO:<ryan.varey@sudburyhydro.com>,
2014-08-01T18:53:17.761Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,21,10.1.1.4:25,2.190.129.124:51312,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,0,10.1.1.4:25,62.197.74.235:65307,+,,
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,1,10.1.1.4:25,62.197.74.235:65307,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,2,10.1.1.4:25,62.197.74.235:65307,>,220 mail.gsuinc.ca,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,3,10.1.1.4:25,62.197.74.235:65307,<,EHLO 62-197-74-235.teledisnet.be,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,4,10.1.1.4:25,62.197.74.235:65307,>,250-Brockman.shec.com Hello [62.197.74.235],
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,5,10.1.1.4:25,62.197.74.235:65307,>,250-SIZE,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,6,10.1.1.4:25,62.197.74.235:65307,>,250-PIPELINING,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,7,10.1.1.4:25,62.197.74.235:65307,>,250-DSN,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,8,10.1.1.4:25,62.197.74.235:65307,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,9,10.1.1.4:25,62.197.74.235:65307,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,10,10.1.1.4:25,62.197.74.235:65307,>,250-AUTH NTLM,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,11,10.1.1.4:25,62.197.74.235:65307,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,12,10.1.1.4:25,62.197.74.235:65307,>,250-8BITMIME,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,13,10.1.1.4:25,62.197.74.235:65307,>,250-BINARYMIME,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,14,10.1.1.4:25,62.197.74.235:65307,>,250-CHUNKING,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,15,10.1.1.4:25,62.197.74.235:65307,>,250-XEXCH50,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,16,10.1.1.4:25,62.197.74.235:65307,>,250-XRDST,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,17,10.1.1.4:25,62.197.74.235:65307,>,250 XSHADOW,
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,18,10.1.1.4:25,62.197.74.235:65307,<,MAIL FROM:<northerncome@62-197-74-235.teledisnet.be>,
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,19,10.1.1.4:25,62.197.74.235:65307,*,08D16F6AD4283662;2014-08-01T18:53:18.073Z;1,receiving message
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,20,10.1.1.4:25,62.197.74.235:65307,<,RCPT TO:<northerncom@shec.com>,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,21,10.1.1.4:25,62.197.74.235:65307,<,DATA,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,22,10.1.1.4:25,62.197.74.235:65307,>,250 2.1.0 Sender OK,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,23,10.1.1.4:25,62.197.74.235:65307,>,250 2.1.5 Recipient OK,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,24,10.1.1.4:25,62.197.74.235:65307,>,354 Start mail input; end with <CRLF>.<CRLF>,

I should note that none of the names/email addresses in there are actually legit (at least not the ones that appear to be from our domain). I'm thinking removing anonymous from that receive connector might help things a bit.

And some of the traffic being captured by the Send connector

2014-08-01T20:02:20.348Z,Internet Mail(2010),08D16F6AD4285FCB,1,10.1.1.32:20982,68.171.217.250:25,+,,
2014-08-01T20:02:20.441Z,Internet Mail(2010),08D16F6AD4285FCC,1,10.1.1.32:20981,37.156.33.28:25,+,,
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,2,10.1.1.32:20982,68.171.217.250:25,<,"220-yesod.webnetnspire.com ESMTP Exim 4.82 #2 Fri, 01 Aug 2014 21:02:21 +0100 ",
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,3,10.1.1.32:20982,68.171.217.250:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,4,10.1.1.32:20982,68.171.217.250:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,5,10.1.1.32:20982,68.171.217.250:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,6,10.1.1.32:20982,68.171.217.250:25,<,250-yesod.webnetnspire.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,7,10.1.1.32:20982,68.171.217.250:25,<,250-SIZE 52428800,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,8,10.1.1.32:20982,68.171.217.250:25,<,250-8BITMIME,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,9,10.1.1.32:20982,68.171.217.250:25,<,250-PIPELINING,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,10,10.1.1.32:20982,68.171.217.250:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,11,10.1.1.32:20982,68.171.217.250:25,<,250-STARTTLS,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,12,10.1.1.32:20982,68.171.217.250:25,<,250 HELP,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,13,10.1.1.32:20982,68.171.217.250:25,>,STARTTLS,
2014-08-01T20:02:20.550Z,Internet Mail(2010),08D16F6AD4285FCD,0,,62.197.102.4:25,*,,attempting to connect
2014-08-01T20:02:20.566Z,Internet Mail(2010),08D16F6AD4285FCB,14,10.1.1.32:20982,68.171.217.250:25,<,220 TLS go ahead,
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,15,10.1.1.32:20982,68.171.217.250:25,*,,Received certificate
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,16,10.1.1.32:20982,68.171.217.250:25,*,4B9A7560F2FF65D6FF927A37897CA3BD9626042F,Certificate thumbprint
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,17,10.1.1.32:20982,68.171.217.250:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.660Z,Internet Mail(2010),08D16F6AD4285FCC,2,10.1.1.32:20981,37.156.33.28:25,<,220 mail.myspacebox.ro ESMTP Postfix,
2014-08-01T20:02:20.660Z,Internet Mail(2010),08D16F6AD4285FCC,3,10.1.1.32:20981,37.156.33.28:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,18,10.1.1.32:20982,68.171.217.250:25,<,250-yesod.webnetnspire.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,19,10.1.1.32:20982,68.171.217.250:25,<,250-SIZE 52428800,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,20,10.1.1.32:20982,68.171.217.250:25,<,250-8BITMIME,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,21,10.1.1.32:20982,68.171.217.250:25,<,250-PIPELINING,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,22,10.1.1.32:20982,68.171.217.250:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,23,10.1.1.32:20982,68.171.217.250:25,<,250 HELP,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,24,10.1.1.32:20982,68.171.217.250:25,*,1467688,sending message
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,25,10.1.1.32:20982,68.171.217.250:25,>,MAIL FROM:<> SIZE=11044,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,26,10.1.1.32:20982,68.171.217.250:25,>,RCPT TO:<infa9@selnig.com>,
2014-08-01T20:02:20.706Z,Internet Mail(2010),08D16F6AD4285FCB,27,10.1.1.32:20982,68.171.217.250:25,<,250 OK,
2014-08-01T20:02:20.706Z,Internet Mail(2010),08D16F6AD4285FCA,0,,186.1.31.37:25,*,,attempting to connect
2014-08-01T20:02:20.769Z,Internet Mail(2010),08D16F6AD4285FCB,28,10.1.1.32:20982,68.171.217.250:25,<,451 Temporary local problem - please try later,
2014-08-01T20:02:20.769Z,Internet Mail(2010),08D16F6AD4285FCB,29,10.1.1.32:20982,68.171.217.250:25,>,QUIT,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,4,10.1.1.32:20981,37.156.33.28:25,<,250-mail.myspacebox.ro,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,5,10.1.1.32:20981,37.156.33.28:25,<,250-PIPELINING,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,6,10.1.1.32:20981,37.156.33.28:25,<,250-SIZE 61440000,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,7,10.1.1.32:20981,37.156.33.28:25,<,250-ETRN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,8,10.1.1.32:20981,37.156.33.28:25,<,250-STARTTLS,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,9,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,10,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,11,10.1.1.32:20981,37.156.33.28:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,12,10.1.1.32:20981,37.156.33.28:25,<,250-8BITMIME,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,13,10.1.1.32:20981,37.156.33.28:25,<,250 DSN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,14,10.1.1.32:20981,37.156.33.28:25,>,STARTTLS,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCA,1,10.1.1.32:20984,186.1.31.37:25,+,,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCB,30,10.1.1.32:20982,68.171.217.250:25,<,221 yesod.webnetnspire.com closing connection,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCB,31,10.1.1.32:20982,68.171.217.250:25,-,,Local
2014-08-01T20:02:20.940Z,Internet Mail(2010),08D16F6AD4285FCC,15,10.1.1.32:20981,37.156.33.28:25,<,220 2.0.0 Ready to start TLS,
2014-08-01T20:02:20.940Z,Internet Mail(2010),08D16F6AD4285FCE,0,,184.172.106.42:25,*,,attempting to connect
2014-08-01T20:02:21.190Z,Internet Mail(2010),08D16F6AD4285FCA,2,10.1.1.32:20984,186.1.31.37:25,<,220 mail.ideay.net.ni ESMTP Postfix,
2014-08-01T20:02:21.190Z,Internet Mail(2010),08D16F6AD4285FCA,3,10.1.1.32:20984,186.1.31.37:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,16,10.1.1.32:20981,37.156.33.28:25,*,,Received certificate
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,17,10.1.1.32:20981,37.156.33.28:25,*,FC9BE9BACBB3F08455B4CCF2F2AC61FB7BC4F6F1,Certificate thumbprint
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,18,10.1.1.32:20981,37.156.33.28:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,4,10.1.1.32:20984,186.1.31.37:25,<,250-mail.ideay.net.ni,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,5,10.1.1.32:20984,186.1.31.37:25,<,250-PIPELINING,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,6,10.1.1.32:20984,186.1.31.37:25,<,250-SIZE 52183040,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,7,10.1.1.32:20984,186.1.31.37:25,<,250-VRFY,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,8,10.1.1.32:20984,186.1.31.37:25,<,250-ETRN,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,9,10.1.1.32:20984,186.1.31.37:25,<,250-STARTTLS,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,10,10.1.1.32:20984,186.1.31.37:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,11,10.1.1.32:20984,186.1.31.37:25,<,250-8BITMIME,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,12,10.1.1.32:20984,186.1.31.37:25,<,250 DSN,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,13,10.1.1.32:20984,186.1.31.37:25,>,STARTTLS,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,19,10.1.1.32:20981,37.156.33.28:25,<,250-mail.myspacebox.ro,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,20,10.1.1.32:20981,37.156.33.28:25,<,250-PIPELINING,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,21,10.1.1.32:20981,37.156.33.28:25,<,250-SIZE 61440000,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,22,10.1.1.32:20981,37.156.33.28:25,<,250-ETRN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,23,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,24,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,25,10.1.1.32:20981,37.156.33.28:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,26,10.1.1.32:20981,37.156.33.28:25,<,250-8BITMIME,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,27,10.1.1.32:20981,37.156.33.28:25,<,250 DSN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,28,10.1.1.32:20981,37.156.33.28:25,*,1469701,sending message
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,29,10.1.1.32:20981,37.156.33.28:25,>,MAIL FROM:<> SIZE=11625,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,30,10.1.1.32:20981,37.156.33.28:25,>,RCPT TO:<talonboy57fd@adventistdeva.org>,
2014-08-01T20:02:21.377Z,Internet Mail(2010),08D16F6AD4285FCA,14,10.1.1.32:20984,186.1.31.37:25,<,220 2.0.0 Ready to start TLS,
2014-08-01T20:02:21.455Z,Internet Mail(2010),08D16F6AD4285FCF,0,,141.8.225.63:25,*,,attempting to connect
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,31,10.1.1.32:20981,37.156.33.28:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,32,10.1.1.32:20981,37.156.33.28:25,<,450 4.1.1 <talonboy57fd@adventistdeva.org>: Recipient address rejected: User unknown in virtual mailbox table,
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,33,10.1.1.32:20981,37.156.33.28:25,>,QUIT,
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,15,10.1.1.32:20984,186.1.31.37:25,*,,Received certificate
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,16,10.1.1.32:20984,186.1.31.37:25,*,EE76B731626C375D5786D4D7D645763347D7D321,Certificate thumbprint
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,17,10.1.1.32:20984,186.1.31.37:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.611Z,Internet Mail(2010),08D16F6AD4285FCC,34,10.1.1.32:20981,37.156.33.28:25,<,221 2.0.0 Bye,
2014-08-01T20:02:21.611Z,Internet Mail(2010),08D16F6AD4285FCC,35,10.1.1.32:20981,37.156.33.28:25,-,,Local
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,18,10.1.1.32:20984,186.1.31.37:25,<,250-mail.ideay.net.ni,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,19,10.1.1.32:20984,186.1.31.37:25,<,250-PIPELINING,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,20,10.1.1.32:20984,186.1.31.37:25,<,250-SIZE 52183040,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,21,10.1.1.32:20984,186.1.31.37:25,<,250-VRFY,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,22,10.1.1.32:20984,186.1.31.37:25,<,250-ETRN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,23,10.1.1.32:20984,186.1.31.37:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,24,10.1.1.32:20984,186.1.31.37:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,25,10.1.1.32:20984,186.1.31.37:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,26,10.1.1.32:20984,186.1.31.37:25,<,250-8BITMIME,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,27,10.1.1.32:20984,186.1.31.37:25,<,250 DSN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,28,10.1.1.32:20984,186.1.31.37:25,*,1489384,sending message
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,29,10.1.1.32:20984,186.1.31.37:25,>,MAIL FROM:<> SIZE=11011,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,30,10.1.1.32:20984,186.1.31.37:25,>,RCPT TO:<powers5a72@ideay.net.ni>,
2014-08-01T20:02:21.767Z,Internet Mail(2010),08D16F6AD4285FCA,31,10.1.1.32:20984,186.1.31.37:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.767Z,Internet Mail(2010),08D16F6AD4285FCA,32,10.1.1.32:20984,186.1.31.37:25,<,550 5.1.1 <powers5a72@ideay.net.ni>: Recipient address rejected: ideay.net.ni,
2014-08-01T20:02:21.783Z,Internet Mail(2010),08D16F6AD4285FCA,33,10.1.1.32:20984,186.1.31.37:25,>,QUIT,
2014-08-01T20:02:21.876Z,Internet Mail(2010),08D16F6AD4285FCA,34,10.1.1.32:20984,186.1.31.37:25,<,221 2.0.0 Bye,
2014-08-01T20:02:21.876Z,Internet Mail(2010),08D16F6AD4285FCA,35,10.1.1.32:20984,186.1.31.37:25,-,,Local
2014-08-01T20:02:22.454Z,Internet Mail(2010),08D16F6AD4285FD5,0,,201.130.193.100:25,*,,attempting to connect
2014-08-01T20:02:22.532Z,Internet Mail(2010),08D16F6AD4285FD5,1,10.1.1.32:20990,201.130.193.100:25,+,,
2014-08-01T20:02:22.625Z,Internet Mail(2010),08D16F6AD4285FD5,2,10.1.1.32:20990,201.130.193.100:25,<,220 mail.cybercable.net.mx ESMTP,
2014-08-01T20:02:22.625Z,Internet Mail(2010),08D16F6AD4285FD5,3,10.1.1.32:20990,201.130.193.100:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,4,10.1.1.32:20990,201.130.193.100:25,<,250-mail.cybercable.net.mx,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,5,10.1.1.32:20990,201.130.193.100:25,<,250-PIPELINING,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,6,10.1.1.32:20990,201.130.193.100:25,<,250-8BITMIME,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,7,10.1.1.32:20990,201.130.193.100:25,<,250 AUTH LOGIN PLAIN CRAM-MD5,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,8,10.1.1.32:20990,201.130.193.100:25,*,1489386,sending message
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,9,10.1.1.32:20990,201.130.193.100:25,>,MAIL FROM:<>,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,10,10.1.1.32:20990,201.130.193.100:25,>,RCPT TO:<jotreceiptc785@cybercable.net.mx>,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,11,10.1.1.32:20990,201.130.193.100:25,<,250 ok,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,12,10.1.1.32:20990,201.130.193.100:25,<,"550 sorry, no mailbox here by that name (#5.1.1 - chkusr)",
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,13,10.1.1.32:20990,201.130.193.100:25,>,QUIT,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,14,10.1.1.32:20990,201.130.193.100:25,-,,Remote
2014-08-01T20:02:23.655Z,Internet Mail(2010),08D16F6AD4285FD6,0,,62.38.2.74:25,*,,attempting to connect
2014-08-01T20:02:23.811Z,Internet Mail(2010),08D16F6AD4285FD6,1,10.1.1.32:20996,62.38.2.74:25,+,,
2014-08-01T20:02:23.967Z,Internet Mail(2010),08D16F6AD4285FD6,2,10.1.1.32:20996,62.38.2.74:25,<,"220 XMail ESMTP service ready; Fri, 1 Aug 2014 23:02:25 +0300",
2014-08-01T20:02:23.967Z,Internet Mail(2010),08D16F6AD4285FD6,3,10.1.1.32:20996,62.38.2.74:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,4,10.1.1.32:20996,62.38.2.74:25,<,250-protect4.mail.hol.gr,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,5,10.1.1.32:20996,62.38.2.74:25,<,250-8BITMIME,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,6,10.1.1.32:20996,62.38.2.74:25,<,250-PIPELINING,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,7,10.1.1.32:20996,62.38.2.74:25,<,250 SIZE,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,8,10.1.1.32:20996,62.38.2.74:25,*,1489388,sending message
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,9,10.1.1.32:20996,62.38.2.74:25,>,MAIL FROM:<> SIZE=10738,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,10,10.1.1.32:20996,62.38.2.74:25,>,RCPT TO:<ds28a@hol.gr>,
2014-08-01T20:02:24.669Z,Internet Mail(2010),08D16F6AD4285FD6,11,10.1.1.32:20996,62.38.2.74:25,<,250 OK,
2014-08-01T20:02:25.028Z,Internet Mail(2010),08D16F6AD4285FD6,12,10.1.1.32:20996,62.38.2.74:25,<,550 Unknown recipient,
2014-08-01T20:02:25.028Z,Internet Mail(2010),08D16F6AD4285FD6,13,10.1.1.32:20996,62.38.2.74:25,>,QUIT,
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD9,0,,195.64.179.242:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FDA,0,,50.97.35.134:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FDB,0,,216.120.246.32:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD6,14,10.1.1.32:20996,62.38.2.74:25,<,221 XMail ESMTP service closing transmission channel,
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD6,15,10.1.1.32:20996,62.38.2.74:25,-,,Local
2014-08-01T20:02:25.418Z,Internet Mail(2010),08D16F6AD4285FDB,1,10.1.1.32:20999,216.120.246.32:25,+,,
2014-08-01T20:02:25.418Z,Internet Mail(2010),08D16F6AD4285FDA,1,10.1.1.32:20998,50.97.35.134:25,+,,
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,2,10.1.1.32:20998,50.97.35.134:25,<,"220-app.eclarian.com ESMTP Exim 4.82 #2 Fri, 01 Aug 2014 15:02:26 -0500 ",
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,3,10.1.1.32:20998,50.97.35.134:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,4,10.1.1.32:20998,50.97.35.134:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,5,10.1.1.32:20998,50.97.35.134:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,6,10.1.1.32:20998,50.97.35.134:25,<,250-app.eclarian.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,7,10.1.1.32:20998,50.97.35.134:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,8,10.1.1.32:20998,50.97.35.134:25,<,250-8BITMIME,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,9,10.1.1.32:20998,50.97.35.134:25,<,250-PIPELINING,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,10,10.1.1.32:20998,50.97.35.134:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,11,10.1.1.32:20998,50.97.35.134:25,<,250-STARTTLS,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,12,10.1.1.32:20998,50.97.35.134:25,<,250 HELP,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,13,10.1.1.32:20998,50.97.35.134:25,>,STARTTLS,
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,2,10.1.1.32:20999,216.120.246.32:25,<,"220-host28.hrwebservices.net ESMTP Exim 4.80.1 #2 Fri, 01 Aug 2014 16:02:26 -0400 ",
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,3,10.1.1.32:20999,216.120.246.32:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,4,10.1.1.32:20999,216.120.246.32:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,5,10.1.1.32:20999,216.120.246.32:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.511Z,Internet Mail(2010),08D16F6AD4285FDA,14,10.1.1.32:20998,50.97.35.134:25,<,220 TLS go ahead,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,6,10.1.1.32:20999,216.120.246.32:25,<,250-host28.hrwebservices.net Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,7,10.1.1.32:20999,216.120.246.32:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,8,10.1.1.32:20999,216.120.246.32:25,<,250-8BITMIME,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,9,10.1.1.32:20999,216.120.246.32:25,<,250-PIPELINING,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,10,10.1.1.32:20999,216.120.246.32:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,11,10.1.1.32:20999,216.120.246.32:25,<,250-STARTTLS,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,12,10.1.1.32:20999,216.120.246.32:25,<,250 HELP,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,13,10.1.1.32:20999,216.120.246.32:25,>,STARTTLS,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FD9,1,10.1.1.32:20997,195.64.179.242:25,+,,
2014-08-01T20:02:25.574Z,Internet Mail(2010),08D16F6AD4285FDB,14,10.1.1.32:20999,216.120.246.32:25,<,220 TLS go ahead,
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,15,10.1.1.32:20998,50.97.35.134:25,*,,Received certificate
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,16,10.1.1.32:20998,50.97.35.134:25,*,22AE281345348B415DB0A695A65500BF40CFE30C,Certificate thumbprint
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,17,10.1.1.32:20998,50.97.35.134:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,18,10.1.1.32:20998,50.97.35.134:25,<,250-app.eclarian.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,19,10.1.1.32:20998,50.97.35.134:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,20,10.1.1.32:20998,50.97.35.134:25,<,250-8BITMIME,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,21,10.1.1.32:20998,50.97.35.134:25,<,250-PIPELINING,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,22,10.1.1.32:20998,50.97.35.134:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,23,10.1.1.32:20998,50.97.35.134:25,<,250 HELP,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,24,10.1.1.32:20998,50.97.35.134:25,*,1479411,sending message
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,25,10.1.1.32:20998,50.97.35.134:25,>,MAIL FROM:<> SIZE=11094,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,26,10.1.1.32:20998,50.97.35.134:25,>,RCPT TO:<ganieve84@freedombaptistschools.org>,
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,15,10.1.1.32:20999,216.120.246.32:25,*,,Received certificate
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,16,10.1.1.32:20999,216.120.246.32:25,*,BC1D6B0D24DD862AE4AB825352A3F3D24607D8DC,Certificate thumbprint
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,17,10.1.1.32:20999,216.120.246.32:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,27,10.1.1.32:20998,50.97.35.134:25,<,250 OK,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,28,10.1.1.32:20998,50.97.35.134:25,<,451 Temporary local problem - please try later,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,29,10.1.1.32:20998,50.97.35.134:25,>,QUIT,


0
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 500 total points
ID: 40237511
If you remove anonymous from the receive connector then you will get no email at all.
Tarpit is working well, so it looks like Exchange is doing everything that it can. The NDRs therefore could be OOTO, automatic replies etc.

Simon.
0
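To check Simon's reading of the protocol log mechanically, here is an added example (not from the thread, and not Exchange's own tooling) that parses the send protocol log layout, groups lines by session id, and separates null-sender sessions (MAIL FROM:<>, which is what NDRs, DSNs and automatic replies use) from sessions carrying a real sender, recording any 4xx/5xx rejections the remote side returned. The sample lines are constructed in the same field layout with placeholder hosts, addresses and session ids.

```python
import csv
from io import StringIO

# Constructed sample in the Exchange 2010 send protocol log layout:
# date-time,connector-id,session-id,sequence-number,local-endpoint,
# remote-endpoint,event,data,context. Hosts, addresses and session ids are
# placeholders, not values from the thread.
SAMPLE_LOG = """\
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESSION-A,29,10.1.1.32:20981,192.0.2.10:25,>,MAIL FROM:<> SIZE=11625,
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESSION-A,30,10.1.1.32:20981,192.0.2.10:25,>,RCPT TO:<nobody@example.net>,
2014-08-01T20:02:21.486Z,Internet Mail(2010),SESSION-A,31,10.1.1.32:20981,192.0.2.10:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.486Z,Internet Mail(2010),SESSION-A,32,10.1.1.32:20981,192.0.2.10:25,<,450 4.1.1 <nobody@example.net>: Recipient address rejected: User unknown,
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESSION-B,9,10.1.1.32:20990,198.51.100.7:25,>,MAIL FROM:<>,
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESSION-B,10,10.1.1.32:20990,198.51.100.7:25,>,RCPT TO:<ghost@example.org>,
2014-08-01T20:02:22.797Z,Internet Mail(2010),SESSION-B,11,10.1.1.32:20990,198.51.100.7:25,<,250 ok,
2014-08-01T20:02:22.797Z,Internet Mail(2010),SESSION-B,12,10.1.1.32:20990,198.51.100.7:25,<,"550 sorry, no mailbox here by that name (#5.1.1 - chkusr)",
2014-08-01T20:02:30.000Z,Internet Mail(2010),SESSION-C,9,10.1.1.32:21001,203.0.113.5:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
2014-08-01T20:02:30.000Z,Internet Mail(2010),SESSION-C,10,10.1.1.32:21001,203.0.113.5:25,>,RCPT TO:<bob@example.net>,
2014-08-01T20:02:30.100Z,Internet Mail(2010),SESSION-C,11,10.1.1.32:21001,203.0.113.5:25,<,250 2.1.0 Ok,
"""

FIELDS = ["date_time", "connector_id", "session_id", "sequence_number",
          "local_endpoint", "remote_endpoint", "event", "data", "context"]

def parse_log(text):
    """Yield one dict per line; csv handles data fields quoted because they contain commas."""
    for row in csv.reader(StringIO(text)):
        if len(row) >= len(FIELDS):
            yield dict(zip(FIELDS, row))

def summarize_sessions(text):
    """Group lines by session id, recording sender, recipients and remote rejections."""
    sessions = {}
    for rec in parse_log(text):
        s = sessions.setdefault(rec["session_id"], {
            "remote": rec["remote_endpoint"], "sender": None,
            "recipients": [], "rejections": []})
        data = rec["data"]
        if rec["event"] == ">" and data.startswith("MAIL FROM:"):
            # "<>" is the null reverse-path used by NDRs, DSNs and auto-replies
            s["sender"] = data[len("MAIL FROM:"):].split()[0]
        elif rec["event"] == ">" and data.startswith("RCPT TO:"):
            s["recipients"].append(data[len("RCPT TO:"):].strip())
        elif rec["event"] == "<" and data[:1] in ("4", "5"):
            s["rejections"].append(data)
    return sessions

def classify(sessions):
    """Split sessions into bounce-style traffic (null sender) and mail with a real sender.
    Relay abuse or a compromised account shows up in the second group; a server that
    only sends null-sender mail to unknown recipients is producing backscatter."""
    bounces = {k: v for k, v in sessions.items() if v["sender"] == "<>"}
    real = {k: v for k, v in sessions.items()
            if v["sender"] and v["sender"] != "<>"}
    return bounces, real

if __name__ == "__main__":
    bounces, real = classify(summarize_sessions(SAMPLE_LOG))
    print(f"{len(bounces)} null-sender session(s), {len(real)} with a real sender")
    for sid, s in bounces.items():
        print(sid, s["remote"], s["recipients"], s["rejections"])
```

Run against a real send protocol log, a large first group with remote "user unknown" rejections is the bounce pattern Simon describes, while unexpected entries in the second group are what to chase for a compromised account or an over-permissive connector.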
 

Author Comment

by:ITGeneral
ID: 40241258
So what about the spam that is coming from legit email addresses that we use? How are those being generated? Some of them I don't even think are accounts; they're just additional aliases. Any way I can stop those?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40242526
Not a lot you can do to stop those, because that is how spammers work. They get legitimate addresses for your environment and then use those as the from headers. They hope that you have either whitelisted your own domain or it causes the email to look legitimate to the sender so that they open it.

Therefore the only way to block them is after delivery based on content in the more traditional way.

Simon.
0
 

Author Comment

by:ITGeneral
ID: 40243496
Wow, that really sucks. Some of the addresses they are using are, like I said, never used - aliases most of the time. So just to come full circle on this - my contractor that is receiving SPAM from us - how would a spammer a) know that the particular email alias that they used even existed (with tarpitting and the fact that it's an alias on another account - it's NEVER used anywhere really) and b) how would they have gotten the email address for our contractor? Surely it couldn't just be random luck.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40246374
Who knows how they get the addresses?
They could have done a directory harvest attack, guessed, compromised a workstation and pulled the address off. If the address has been used ever, then it will get spam.

You say about random luck, I can point to a client who gets a lot of email for an address that looks like it should be legitimate, but has never been. I actually use it as a honeypot now, as it is so common in the spamming runs.

Simon.
0
 

Author Comment

by:ITGeneral
ID: 40255988
So is there anything more I can do about stuff like this?

spam.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40258748
Not really.
There is no magic fix for spam - every server gets it, and for most they have to use third party tools to deal with it.

Simon.
0
 

Author Comment

by:ITGeneral
ID: 40260439
So again, to come full circle on this. With regards to that original host header info at the top of the thread: did that email in fact come from my mail server? And if it did, I'm going to assume it's from a compromised account - the best way to find that, I'm guessing, is to look through the send connector for an account that is sending these types of emails?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 40260701
If there is an external IP address in the header then it did not originate from your server.
However, remember that a lot of headers in spam messages are forged, so they cannot be depended on for any kind of diagnosis. The most effective spam blocking method is to block at the point of connection.

Simon.
0
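Simon's rule turned into a check, as an added example that is not from the thread: only the Received: line stamped by your own server is trustworthy (the hops beneath it were written by other parties and may be forged), so unfold the header chain, find that line, and test whether the peer it recorded lies in address ranges you own. The header text, server name and networks below are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample header chain (newest hop first, as in a delivered message).
# Host names and addresses are placeholders from documentation ranges.
SAMPLE_HEADERS = """\
Received: from mail.corp.example (10.1.1.4) by
 edge.partner.example (192.168.1.10) with Microsoft SMTP Server id
 14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Received: from host-130.pool.example.net (203.0.113.130) by mail.corp.example
 (10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
 03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746]
 helo=host-130.pool.example.net) by relay.example.net (envelope-from
 <forged@example.net>) with ESMTP id PLACEHOLDER; Fri, 25 Jul 2014 09:42:03 +0200
From: Someone <forged@example.net>
"""

RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s*(?P<paren>\([^)]*\))?.*?\bby\s+(?P<by>\S+)",
    re.IGNORECASE | re.MULTILINE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def unfold(raw):
    """Join RFC 5322 folded continuation lines so each header is one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)

def received_hops(raw):
    """Return (helo, peer_ip_or_None, by_host) per Received: header, newest first."""
    hops = []
    for m in RECEIVED_RE.finditer(unfold(raw)):
        ips = IPV4_RE.findall(m.group("paren") or "")
        hops.append((m.group("helo"), ips[0] if ips else None, m.group("by")))
    return hops

def origin_check(raw, our_server, our_networks):
    """Find the hop our own server recorded and say whether its peer is internal.

    Hops below ours may be forged, so they never decide the verdict.
    Returns (peer_ip, internal) or None when our server's line is absent."""
    nets = [ipaddress.ip_network(n) for n in our_networks]
    for helo, peer, by in received_hops(raw):
        if by.lower() != our_server.lower():
            continue
        if peer is None:
            return None
        addr = ipaddress.ip_address(peer)
        return peer, any(addr in n for n in nets)
    return None

if __name__ == "__main__":
    verdict = origin_check(SAMPLE_HEADERS, "mail.corp.example", ["10.0.0.0/8"])
    print(verdict)  # ('203.0.113.130', False): accepted from outside, not originated here
```

An internal peer on your server's own line is the case worth investigating (an internal sender, a misconfigured connector, or a compromised workstation); an external peer means your server merely accepted and forwarded the message.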
