Solved

Exchange 2010 SPAM email - open relay?

Posted on 2014-07-30
16
364 Views
Last Modified: 2014-08-14
I received an email from a contractor the other day who is concerned about SPAM that he is receiving from our mail server. Below is the header info from the email - is anyone able to figure out how this email is getting generated? We do have a couple of Receive Connectors that don't use authentication because they are for equipment that is not on our domain (and impossible to get to from the outside unless you are VPN'd into it), so they allow anonymous users to send notifications out - however, I do have specific networks specified from which the mail server should only be allowing relaying. My concern is that somehow someone is able to get through my ASA and generate emails using this connector.

Testing for open relays has shown that I have none, but I'm particularly concerned about this vulnerability (Return of the open relays). We are running an ASA security appliance.

Received: from Brockman.shec.com (216.223.90.70) by
 remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
 14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Resent-From: <scada@sudburyhydro.com>
Received: from host-49-130.pool.intred.it (62.97.49.130) by Brockman.shec.com
 (10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
 03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746] helo=host-49-130.pool.intred.it)
 by 8C43899A (envelope-from <scada6196@intred.it>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
Date: Fri, 25 Jul 2014 09:42:02 +0200
From: NewSlimBody Daily <scada6196@intred.it>
Sender: <scada6196@intred.it>
To: <scada@sudburyhydro.com>
Message-ID: <9367794711.7738299520350196947.JavaMail.root@host-49-130.pool.intred.it>
Subject: Keeping fit is nothing special now!
Errors-To: scada6196@intred.it
MIME-Version: 1.0
Content-Type: multipart/alternative;
                boundary="----=_Part_80294_3251653292.9842774491692"
List-Unsubscribe: <https://intred.it/app/optOut/noConfirm/471666848/f92c7a48c7d205b5fd>
Return-Path: scada6196@intred.it
X-TM-AS-Product-Ver: SMEX-11.1.0.1239-7.500.1018-20838.000
X-TM-AS-Result: Yes-73.039900-4.000000-31
X-TM-AS-User-Approved-Sender: No
X-TM-AS-User-Blocked-Sender: No
X-MS-Exchange-Organization-AuthSource: CASVR1.costelloassoc.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: sudburyhydro.com
X-MS-Exchange-Organization-SenderIdResult: None
Received-SPF: None (CASVR1.costelloassoc.local: scada@sudburyhydro.com does
 not designate permitted sender hosts)
X-MS-Exchange-Organization-SCL: 2
X-MS-Exchange-Organization-PCL: 2
X-MS-Exchange-Organization-Antispam-Report: DV:3.3.13306.465;SID:SenderIDStatus None;OrigIP:216.223.90.70

Question by:ITGeneral
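An added example, not from the question's author or from Exchange, that walks a header block like the one above the way an investigator would: each accepting server prepends its own Received: header, so read bottom-up they give the path the message took, and the X-MS-Exchange-Organization-AuthAs/AuthSource stamps record how the stamping server saw its own inbound connection. The sample is the question's header block, re-folded so Python's header parser accepts it and trimmed to the routing headers; the hop regex is an assumption about common Received: syntax and will not fit every MTA's format.

```python
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# The routing headers from the question, re-folded (continuation lines start
# with whitespace) so a standard header parser accepts them.
SAMPLE_HEADERS = """\
Received: from Brockman.shec.com (216.223.90.70) by
 remote.remotecontractor.ca (192.168.1.10) with Microsoft SMTP Server id
 14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Resent-From: <scada@sudburyhydro.com>
Received: from host-49-130.pool.intred.it (62.97.49.130) by Brockman.shec.com
 (10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014
 03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746] helo=host-49-130.pool.intred.it)
 by 8C43899A (envelope-from <scada6196@intred.it>)
 (ecelerity 3.5.1.37854 r(Momo-dev:3.5.1.0)) with ESMTP
 id 4F/5E-05BAA-0AC46313; Fri, 25 Jul 2014 09:42:03 +0200
From: NewSlimBody Daily <scada6196@intred.it>
To: <scada@sudburyhydro.com>
Return-Path: scada6196@intred.it
X-MS-Exchange-Organization-AuthSource: CASVR1.costelloassoc.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-PRD: sudburyhydro.com
Received-SPF: None (CASVR1.costelloassoc.local: scada@sudburyhydro.com does
 not designate permitted sender hosts)
"""

# "from <host> (<comment>) ... by <host>" (assumed common shape); the comment
# normally carries the connecting IP, sometimes with a port or helo= note.
_RECEIVED = re.compile(
    r"from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)", re.S)
_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def received_chain(raw_headers):
    """Hops in transmission order (oldest first). The topmost Received: is the
    last hop; the bottom one is where the message entered the mail system."""
    msg = HeaderParser().parsestr(raw_headers)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # undo RFC 5322 folding
        m = _RECEIVED.search(flat)
        if not m:
            continue
        ip = _IPV4.search(m.group("info") or m.group("frm"))
        hops.append({
            "from": m.group("frm"),
            "from_ip": ip.group(0) if ip else "",
            "by": m.group("by"),
            "date": flat.rsplit(";", 1)[-1].strip() if ";" in flat else "",
        })
    return hops


def summarize(raw_headers):
    """The chain plus the markers that say how the last hop was treated.
    AuthAs/AuthSource describe the connection as seen by the stamping server;
    Resent-From (RFC 5322 section 3.6.6) means a user or a rule re-sent an
    already delivered message rather than submitting a new one."""
    msg = HeaderParser().parsestr(raw_headers)
    return {
        "chain": received_chain(raw_headers),
        "auth_source": msg.get("X-MS-Exchange-Organization-AuthSource", ""),
        "auth_as": msg.get("X-MS-Exchange-Organization-AuthAs", ""),
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "resent_from": parseaddr(msg.get("Resent-From", ""))[1],
        "header_from": parseaddr(msg.get("From", ""))[1],
    }


if __name__ == "__main__":
    info = summarize(SAMPLE_HEADERS)
    for i, hop in enumerate(info["chain"], 1):
        print(f"hop {i}: {hop['from']} [{hop['from_ip']}] -> {hop['by']}  ({hop['date']})")
    print("last hop seen by", info["auth_source"], "as", info["auth_as"])
    print("envelope sender:", info["return_path"], "| Resent-From:", info["resent_from"])
```

Running it lists the three hops in order, ending with the one the contractor's server (the AuthSource) accepted anonymously; the Resent-From field is the one to compare against the mailbox or rule that re-sent the message.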
16 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Doesn't have to be an open relay.
The most likely cause is authenticated relay. One of your accounts has been compromised and is being abused. Logging on the Receive Connectors and the Exchange server itself (Security log) may well show the target account. Administrator is the usual one they go after unless a phishing email was successful.

Simon.
0
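To act on the suggestion above, an added example (not from Simon, the thread, or Microsoft) that parses Exchange 2010 Receive Connector protocol-log lines in the comma-separated layout the server writes (date-time, connector, session, sequence, local and remote endpoint, event, data, context), groups them by session id, and reports sessions that authenticated and then addressed outside recipients, which is the trace a compromised account used for authenticated relay leaves. Sample input is one anonymous session taken from the thread's own log plus a constructed authenticated session (203.0.113.77 is a documentation address); that the log records the AUTH LOGIN username in base64 and masks the password as `*****` is an assumption about the log, and `LOCAL_DOMAINS` is filled from domains visible in the thread.

```python
import base64
import csv
import io
from collections import OrderedDict
from dataclasses import dataclass, field

# Column order of an Exchange 2010 protocol log; the thread's pasted lines follow it.
FIELDS = ["date_time", "connector", "session", "seq",
          "local", "remote", "event", "data", "context"]

# Domains the thread's server accepts mail for (taken from its log lines).
LOCAL_DOMAINS = {"shec.com", "sudburyhydro.com"}


@dataclass
class Session:
    session_id: str
    remote_ip: str = ""
    helo: str = ""
    authenticated: bool = False      # server replied 235 to AUTH
    auth_user: str = ""              # decoded AUTH LOGIN username, if the log has it
    can_relay: bool = False          # SMTPAcceptAnyRecipient granted after auth
    mail_from: str = ""
    rcpt_to: list = field(default_factory=list)
    tarpitted: bool = False          # recipient rejected, tarpit delay applied
    queued: bool = False             # 250 2.6.0: message accepted for delivery
    await_user: bool = False         # next client line is the AUTH LOGIN username


def _angle_addr(cmd):
    """'MAIL FROM:<a@b> SIZE=1' -> 'a@b'; 'MAIL FROM:<>' -> ''."""
    lo, hi = cmd.find("<"), cmd.find(">")
    return cmd[lo + 1:hi] if lo != -1 and hi > lo else cmd.split(":", 1)[-1].strip()


def parse_protocol_log(text):
    """Group rows by session id. Sessions interleave in the file (the thread's
    log shows several at once), so all per-session state lives on the Session."""
    sessions = OrderedDict()
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) < 8 or row[0].startswith("#"):       # skip #Fields: etc.
            continue
        rec = dict(zip(FIELDS, row))
        s = sessions.setdefault(rec["session"], Session(rec["session"]))
        if not s.remote_ip and rec["remote"]:
            s.remote_ip = rec["remote"].rsplit(":", 1)[0]
        ev, data, ctx = rec["event"], rec["data"], rec.get("context", "")
        if ev == "<":                                    # client -> server
            up = data.upper()
            if s.await_user:                             # assumed: username logged in base64
                s.await_user = False
                try:
                    s.auth_user = base64.b64decode(data, validate=True).decode("utf-8", "replace")
                except ValueError:                       # binascii.Error is a ValueError
                    s.auth_user = "<not decodable>"
            elif up.startswith(("EHLO ", "HELO ")):
                s.helo = data.split(None, 1)[1]
            elif up.startswith("MAIL FROM:"):
                s.mail_from = _angle_addr(data)
            elif up.startswith("RCPT TO:"):
                s.rcpt_to.append(_angle_addr(data))
        elif ev == ">":                                  # server -> client
            if data.startswith("334 VXNlcm5hbWU6"):      # base64("Username:")
                s.await_user = True
            elif data.startswith("235 "):
                s.authenticated = True
            elif data.startswith("250 2.6.0"):
                s.queued = True
        elif ev == "*" and ctx == "Set Session Permissions":
            s.can_relay = s.can_relay or "SMTPAcceptAnyRecipient" in data
        elif ev == "*" and data.startswith("Tarpit"):
            s.tarpitted = True
    return sessions


def authenticated_relays(sessions):
    """The compromised-account pattern: authenticated, then recipients outside
    the local domains. Returns (session, user, remote ip, external count)."""
    hits = []
    for s in sessions.values():
        external = [r for r in s.rcpt_to if r and r.rsplit("@", 1)[-1].lower() not in LOCAL_DOMAINS]
        if s.authenticated and external:
            hits.append((s.session_id, s.auth_user, s.remote_ip, len(external)))
    return hits


def filtered_anonymous(sessions):
    """Anonymous sessions that recipient filtering stopped (tarpit, nothing
    queued): the guessing noise the thread's own log is full of."""
    return [s.session_id for s in sessions.values()
            if not s.authenticated and s.tarpitted and not s.queued]


# Sample input: the 190.190.5.41 session quoted in the thread (abridged), then a
# CONSTRUCTED authenticated session; the AUTH exchange and second permissions line are made up.
SAMPLE_LOG = r"""
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,0,10.1.1.4:25,190.190.5.41:3884,+,,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,1,10.1.1.4:25,190.190.5.41:3884,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,3,10.1.1.4:25,190.190.5.41:3884,<,EHLO 41-5-190-190.cab.prima.net.ar,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,18,10.1.1.4:25,190.190.5.41:3884,<,MAIL FROM:<reid3a7c@1kmiles.com>,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,20,10.1.1.4:25,190.190.5.41:3884,<,RCPT TO:<reid@shec.com>,
2014-08-01T18:53:15.016Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,21,10.1.1.4:25,190.190.5.41:3884,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:20.001Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,0,10.1.1.4:25,203.0.113.77:50211,+,,
2014-08-01T18:53:20.001Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,1,10.1.1.4:25,203.0.113.77:50211,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:20.120Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,3,10.1.1.4:25,203.0.113.77:50211,<,EHLO constructed-host.example,
2014-08-01T18:53:20.200Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,4,10.1.1.4:25,203.0.113.77:50211,<,AUTH LOGIN,
2014-08-01T18:53:20.201Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,5,10.1.1.4:25,203.0.113.77:50211,>,334 VXNlcm5hbWU6,
2014-08-01T18:53:20.300Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,6,10.1.1.4:25,203.0.113.77:50211,<,U0hFQ1xhZG1pbmlzdHJhdG9y,
2014-08-01T18:53:20.301Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,7,10.1.1.4:25,203.0.113.77:50211,>,334 UGFzc3dvcmQ6,
2014-08-01T18:53:20.400Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,8,10.1.1.4:25,203.0.113.77:50211,<,*****,
2014-08-01T18:53:20.450Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,9,10.1.1.4:25,203.0.113.77:50211,>,235 2.7.0 Authentication successful,
2014-08-01T18:53:20.450Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,10,10.1.1.4:25,203.0.113.77:50211,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAnyRecipient AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:20.600Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,11,10.1.1.4:25,203.0.113.77:50211,<,MAIL FROM:<administrator@shec.com>,
2014-08-01T18:53:20.700Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,12,10.1.1.4:25,203.0.113.77:50211,<,RCPT TO:<victim1@example.net>,
2014-08-01T18:53:20.700Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,13,10.1.1.4:25,203.0.113.77:50211,<,RCPT TO:<victim2@example.org>,
2014-08-01T18:53:20.900Z,BROCKMAN\Default BROCKMAN,0000000000CAFE01,14,10.1.1.4:25,203.0.113.77:50211,>,250 2.6.0 <id@Brockman.shec.com> Queued mail for delivery,
"""

if __name__ == "__main__":
    sessions = parse_protocol_log(SAMPLE_LOG)
    for sid, user, ip, n in authenticated_relays(sessions):
        print(f"authenticated relay: session={sid} user={user} from={ip} external recipients={n}")
    print("anonymous sessions stopped by recipient filtering:", filtered_anonymous(sessions))
```

On a real log directory, feed each file's text to `parse_protocol_log` and the `authenticated_relays` output gives the account to disable and the source address to block at the firewall; the `filtered_anonymous` list is the harmless recipient-guessing traffic that never becomes a message.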
 

Author Comment

by:ITGeneral
Well, not sure if this helps or not, but something is definitely up. I'm looking at the queue viewer and there are tons of messages sitting in the queue. The From address is just "<>"; most messages are showing a 400 4.4.7 Message Delayed error. Looking at the Messages queue, it's quite obvious that it's spam.

Are you aware of any good articles that detail how to track down the source?

I should note as well that AntiSpam is turned on and I have enabled the "Block messages sent to recipients that do not exist in the directory" option.
0
 

Author Comment

by:ITGeneral
Sorry for the double post - for some reason I can't edit. Anyway, I read another thread that you helped out on here:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Q_28401472.html

So that sounds like normal(?) traffic. I've probably got a few hundred messages sitting in various "queues", all with "451 4.4.0 Primary target IP address responded with: 421 4.2.1 unable to connect...."

To be honest, I'm not really concerned about these ones, I don't think, as at least they're still stuck in queues. The original message is still my biggest concern, as it actually went out.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
If the messages are < > then those are NDRs.

Is Exchange your primary delivery point? Do your MX records point directly at Exchange?

Simon.
0
 

Author Comment

by:ITGeneral
Yes they do.

Considering the recipient filtering I've got set, though, should it not be dropping anything that is not listed in my address book?

An example of one of the queues: ExchangeQueue.png
Example message: ExchangeMessage.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Why not test it yourself using telnet?
If you telnet in to your server and attempt to send to an address you don't have, it should throw it back. If it accepts the message then recipient filtering isn't working.

Simon.
0
 

Author Comment

by:ITGeneral
OK, so I logged in via telnet and I get "unable to relay".

I checked the default receive connector, which I turned verbose logging up on, and found a lot of this kind of thing:

2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,3,10.1.1.4:25,77.234.230.227:1409,<,EHLO ppp-77-234-230-227.dsidata.sk,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,4,10.1.1.4:25,77.234.230.227:1409,>,250-Brockman.shec.com Hello [77.234.230.227],
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,5,10.1.1.4:25,77.234.230.227:1409,>,250-SIZE,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,6,10.1.1.4:25,77.234.230.227:1409,>,250-PIPELINING,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,7,10.1.1.4:25,77.234.230.227:1409,>,250-DSN,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,8,10.1.1.4:25,77.234.230.227:1409,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,9,10.1.1.4:25,77.234.230.227:1409,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,10,10.1.1.4:25,77.234.230.227:1409,>,250-AUTH NTLM,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,11,10.1.1.4:25,77.234.230.227:1409,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,12,10.1.1.4:25,77.234.230.227:1409,>,250-8BITMIME,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,13,10.1.1.4:25,77.234.230.227:1409,>,250-BINARYMIME,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,14,10.1.1.4:25,77.234.230.227:1409,>,250-CHUNKING,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,15,10.1.1.4:25,77.234.230.227:1409,>,250-XEXCH50,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,16,10.1.1.4:25,77.234.230.227:1409,>,250-XRDST,
2014-08-01T18:53:14.236Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,17,10.1.1.4:25,77.234.230.227:1409,>,250 XSHADOW,
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,18,10.1.1.4:25,77.234.230.227:1409,<,MAIL FROM:<ldeadbb32@ppp-77-234-230-227.dsidata.sk>,
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,19,10.1.1.4:25,77.234.230.227:1409,*,08D16F6AD428365C;2014-08-01T18:53:14.080Z;1,receiving message
2014-08-01T18:53:14.392Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,20,10.1.1.4:25,77.234.230.227:1409,<,RCPT TO:<ldead@shec.com>,
2014-08-01T18:53:14.470Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365C,21,10.1.1.4:25,77.234.230.227:1409,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,22,10.1.1.4:25,67.211.119.59:63340,>,250 2.1.0 Sender OK,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,23,10.1.1.4:25,67.211.119.59:63340,>,550 5.7.1 Your email messages have been blocked by the recipient OR by Trend Micro Email Reputation Service. Contact the recipient or his/her administrator using alternate means to resolve the issue.,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,24,10.1.1.4:25,67.211.119.59:63340,<,DATA,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428363E,25,10.1.1.4:25,67.211.119.59:63340,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,0,10.1.1.4:25,190.190.5.41:3884,+,,
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,1,10.1.1.4:25,190.190.5.41:3884,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:14.517Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,2,10.1.1.4:25,190.190.5.41:3884,>,220 mail.gsuinc.ca,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,26,10.1.1.4:25,216.136.68.30:37379,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,27,10.1.1.4:25,216.136.68.30:37379,<,QUIT,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,28,10.1.1.4:25,216.136.68.30:37379,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:14.595Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283625,29,10.1.1.4:25,216.136.68.30:37379,-,,Local
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,3,10.1.1.4:25,190.190.5.41:3884,<,EHLO 41-5-190-190.cab.prima.net.ar,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,4,10.1.1.4:25,190.190.5.41:3884,>,250-Brockman.shec.com Hello [190.190.5.41],
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,5,10.1.1.4:25,190.190.5.41:3884,>,250-SIZE,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,6,10.1.1.4:25,190.190.5.41:3884,>,250-PIPELINING,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,7,10.1.1.4:25,190.190.5.41:3884,>,250-DSN,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,8,10.1.1.4:25,190.190.5.41:3884,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,9,10.1.1.4:25,190.190.5.41:3884,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,10,10.1.1.4:25,190.190.5.41:3884,>,250-AUTH NTLM,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,11,10.1.1.4:25,190.190.5.41:3884,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,12,10.1.1.4:25,190.190.5.41:3884,>,250-8BITMIME,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,13,10.1.1.4:25,190.190.5.41:3884,>,250-BINARYMIME,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,14,10.1.1.4:25,190.190.5.41:3884,>,250-CHUNKING,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,15,10.1.1.4:25,190.190.5.41:3884,>,250-XEXCH50,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,16,10.1.1.4:25,190.190.5.41:3884,>,250-XRDST,
2014-08-01T18:53:14.735Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,17,10.1.1.4:25,190.190.5.41:3884,>,250 XSHADOW,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,26,10.1.1.4:25,85.182.202.114:18178,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,27,10.1.1.4:25,85.182.202.114:18178,<,QUIT,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,28,10.1.1.4:25,85.182.202.114:18178,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:14.751Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283623,29,10.1.1.4:25,85.182.202.114:18178,-,,Local
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,18,10.1.1.4:25,190.190.5.41:3884,<,MAIL FROM:<reid3a7c@1kmiles.com>,
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,19,10.1.1.4:25,190.190.5.41:3884,*,08D16F6AD428365F;2014-08-01T18:53:14.517Z;1,receiving message
2014-08-01T18:53:14.922Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,20,10.1.1.4:25,190.190.5.41:3884,<,RCPT TO:<reid@shec.com>,
2014-08-01T18:53:15.016Z,BROCKMAN\Default BROCKMAN,08D16F6AD428365F,21,10.1.1.4:25,190.190.5.41:3884,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,26,10.1.1.4:25,90.164.125.140:53284,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,27,10.1.1.4:25,90.164.125.140:53284,<,QUIT,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,28,10.1.1.4:25,90.164.125.140:53284,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:16.389Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283629,29,10.1.1.4:25,90.164.125.140:53284,-,,Local
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,3,10.1.1.4:25,2.190.129.124:51312,<,EHLO [2.190.129.124],
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,4,10.1.1.4:25,2.190.129.124:51312,>,250-Brockman.shec.com Hello [2.190.129.124],
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,5,10.1.1.4:25,2.190.129.124:51312,>,250-SIZE,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,6,10.1.1.4:25,2.190.129.124:51312,>,250-PIPELINING,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,7,10.1.1.4:25,2.190.129.124:51312,>,250-DSN,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,8,10.1.1.4:25,2.190.129.124:51312,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,9,10.1.1.4:25,2.190.129.124:51312,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,10,10.1.1.4:25,2.190.129.124:51312,>,250-AUTH NTLM,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,11,10.1.1.4:25,2.190.129.124:51312,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,12,10.1.1.4:25,2.190.129.124:51312,>,250-8BITMIME,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,13,10.1.1.4:25,2.190.129.124:51312,>,250-BINARYMIME,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,14,10.1.1.4:25,2.190.129.124:51312,>,250-CHUNKING,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,15,10.1.1.4:25,2.190.129.124:51312,>,250-XEXCH50,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,16,10.1.1.4:25,2.190.129.124:51312,>,250-XRDST,
2014-08-01T18:53:16.435Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,17,10.1.1.4:25,2.190.129.124:51312,>,250 XSHADOW,
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,0,10.1.1.4:25,190.193.130.213:51326,+,,
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,1,10.1.1.4:25,190.193.130.213:51326,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:16.560Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,2,10.1.1.4:25,190.193.130.213:51326,>,220 mail.gsuinc.ca,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,3,10.1.1.4:25,190.193.130.213:51326,<,EHLO 213-130-193-190.cab.prima.net.ar,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,4,10.1.1.4:25,190.193.130.213:51326,>,250-Brockman.shec.com Hello [190.193.130.213],
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,5,10.1.1.4:25,190.193.130.213:51326,>,250-SIZE,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,6,10.1.1.4:25,190.193.130.213:51326,>,250-PIPELINING,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,7,10.1.1.4:25,190.193.130.213:51326,>,250-DSN,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,8,10.1.1.4:25,190.193.130.213:51326,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,9,10.1.1.4:25,190.193.130.213:51326,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,10,10.1.1.4:25,190.193.130.213:51326,>,250-AUTH NTLM,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,11,10.1.1.4:25,190.193.130.213:51326,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,12,10.1.1.4:25,190.193.130.213:51326,>,250-8BITMIME,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,13,10.1.1.4:25,190.193.130.213:51326,>,250-BINARYMIME,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,14,10.1.1.4:25,190.193.130.213:51326,>,250-CHUNKING,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,15,10.1.1.4:25,190.193.130.213:51326,>,250-XEXCH50,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,16,10.1.1.4:25,190.193.130.213:51326,>,250-XRDST,
2014-08-01T18:53:16.763Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,17,10.1.1.4:25,190.193.130.213:51326,>,250 XSHADOW,
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,18,10.1.1.4:25,190.193.130.213:51326,<,MAIL FROM:<brenden.fleming2428@andresgonzalez.net>,
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,19,10.1.1.4:25,190.193.130.213:51326,*,08D16F6AD4283660;2014-08-01T18:53:16.560Z;1,receiving message
2014-08-01T18:53:16.950Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,20,10.1.1.4:25,190.193.130.213:51326,<,RCPT TO:<brenden.fleming@athomeenergy.ca>,
2014-08-01T18:53:17.028Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283660,21,10.1.1.4:25,190.193.130.213:51326,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,26,10.1.1.4:25,109.192.179.164:46942,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,27,10.1.1.4:25,109.192.179.164:46942,<,QUIT,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,28,10.1.1.4:25,109.192.179.164:46942,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:17.122Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283627,29,10.1.1.4:25,109.192.179.164:46942,-,,Local
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,26,10.1.1.4:25,84.124.149.101:59320,>,503 5.5.2 Need rcpt command,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,27,10.1.1.4:25,84.124.149.101:59320,<,QUIT,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,28,10.1.1.4:25,84.124.149.101:59320,>,221 2.0.0 Service closing transmission channel,
2014-08-01T18:53:17.590Z,BROCKMAN\Default BROCKMAN,08D16F6AD428362C,29,10.1.1.4:25,84.124.149.101:59320,-,,Local
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,18,10.1.1.4:25,2.190.129.124:51312,<,MAIL FROM:<ryan.vareyd@kbruce.com>,
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,19,10.1.1.4:25,2.190.129.124:51312,*,08D16F6AD4283651;2014-08-01T18:53:11.989Z;1,receiving message
2014-08-01T18:53:17.668Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,20,10.1.1.4:25,2.190.129.124:51312,<,RCPT TO:<ryan.varey@sudburyhydro.com>,
2014-08-01T18:53:17.761Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283651,21,10.1.1.4:25,2.190.129.124:51312,*,Tarpit for '0.00:00:10',
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,0,10.1.1.4:25,62.197.74.235:65307,+,,
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,1,10.1.1.4:25,62.197.74.235:65307,*,SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
2014-08-01T18:53:18.073Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,2,10.1.1.4:25,62.197.74.235:65307,>,220 mail.gsuinc.ca,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,3,10.1.1.4:25,62.197.74.235:65307,<,EHLO 62-197-74-235.teledisnet.be,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,4,10.1.1.4:25,62.197.74.235:65307,>,250-Brockman.shec.com Hello [62.197.74.235],
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,5,10.1.1.4:25,62.197.74.235:65307,>,250-SIZE,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,6,10.1.1.4:25,62.197.74.235:65307,>,250-PIPELINING,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,7,10.1.1.4:25,62.197.74.235:65307,>,250-DSN,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,8,10.1.1.4:25,62.197.74.235:65307,>,250-ENHANCEDSTATUSCODES,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,9,10.1.1.4:25,62.197.74.235:65307,>,250-X-ANONYMOUSTLS,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,10,10.1.1.4:25,62.197.74.235:65307,>,250-AUTH NTLM,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,11,10.1.1.4:25,62.197.74.235:65307,>,250-X-EXPS GSSAPI NTLM,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,12,10.1.1.4:25,62.197.74.235:65307,>,250-8BITMIME,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,13,10.1.1.4:25,62.197.74.235:65307,>,250-BINARYMIME,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,14,10.1.1.4:25,62.197.74.235:65307,>,250-CHUNKING,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,15,10.1.1.4:25,62.197.74.235:65307,>,250-XEXCH50,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,16,10.1.1.4:25,62.197.74.235:65307,>,250-XRDST,
2014-08-01T18:53:18.183Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,17,10.1.1.4:25,62.197.74.235:65307,>,250 XSHADOW,
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,18,10.1.1.4:25,62.197.74.235:65307,<,MAIL FROM:<northerncome@62-197-74-235.teledisnet.be>,
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,19,10.1.1.4:25,62.197.74.235:65307,*,08D16F6AD4283662;2014-08-01T18:53:18.073Z;1,receiving message
2014-08-01T18:53:18.307Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,20,10.1.1.4:25,62.197.74.235:65307,<,RCPT TO:<northerncom@shec.com>,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,21,10.1.1.4:25,62.197.74.235:65307,<,DATA,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,22,10.1.1.4:25,62.197.74.235:65307,>,250 2.1.0 Sender OK,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,23,10.1.1.4:25,62.197.74.235:65307,>,250 2.1.5 Recipient OK,
2014-08-01T18:53:18.385Z,BROCKMAN\Default BROCKMAN,08D16F6AD4283662,24,10.1.1.4:25,62.197.74.235:65307,>,354 Start mail input; end with <CRLF>.<CRLF>,



I should note that none of the names/email addresses in there are actually legit (at least not the ones that appear to be from our domain). I'm thinking removing anonymous from that receive connector might help things a bit.

And some of the traffic being captured by the Send connector:

2014-08-01T20:02:20.348Z,Internet Mail(2010),08D16F6AD4285FCB,1,10.1.1.32:20982,68.171.217.250:25,+,,
2014-08-01T20:02:20.441Z,Internet Mail(2010),08D16F6AD4285FCC,1,10.1.1.32:20981,37.156.33.28:25,+,,
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,2,10.1.1.32:20982,68.171.217.250:25,<,"220-yesod.webnetnspire.com ESMTP Exim 4.82 #2 Fri, 01 Aug 2014 21:02:21 +0100 ",
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,3,10.1.1.32:20982,68.171.217.250:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,4,10.1.1.32:20982,68.171.217.250:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:20.488Z,Internet Mail(2010),08D16F6AD4285FCB,5,10.1.1.32:20982,68.171.217.250:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,6,10.1.1.32:20982,68.171.217.250:25,<,250-yesod.webnetnspire.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,7,10.1.1.32:20982,68.171.217.250:25,<,250-SIZE 52428800,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,8,10.1.1.32:20982,68.171.217.250:25,<,250-8BITMIME,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,9,10.1.1.32:20982,68.171.217.250:25,<,250-PIPELINING,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,10,10.1.1.32:20982,68.171.217.250:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,11,10.1.1.32:20982,68.171.217.250:25,<,250-STARTTLS,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,12,10.1.1.32:20982,68.171.217.250:25,<,250 HELP,
2014-08-01T20:02:20.519Z,Internet Mail(2010),08D16F6AD4285FCB,13,10.1.1.32:20982,68.171.217.250:25,>,STARTTLS,
2014-08-01T20:02:20.550Z,Internet Mail(2010),08D16F6AD4285FCD,0,,62.197.102.4:25,*,,attempting to connect
2014-08-01T20:02:20.566Z,Internet Mail(2010),08D16F6AD4285FCB,14,10.1.1.32:20982,68.171.217.250:25,<,220 TLS go ahead,
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,15,10.1.1.32:20982,68.171.217.250:25,*,,Received certificate
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,16,10.1.1.32:20982,68.171.217.250:25,*,4B9A7560F2FF65D6FF927A37897CA3BD9626042F,Certificate thumbprint
2014-08-01T20:02:20.644Z,Internet Mail(2010),08D16F6AD4285FCB,17,10.1.1.32:20982,68.171.217.250:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.660Z,Internet Mail(2010),08D16F6AD4285FCC,2,10.1.1.32:20981,37.156.33.28:25,<,220 mail.myspacebox.ro ESMTP Postfix,
2014-08-01T20:02:20.660Z,Internet Mail(2010),08D16F6AD4285FCC,3,10.1.1.32:20981,37.156.33.28:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,18,10.1.1.32:20982,68.171.217.250:25,<,250-yesod.webnetnspire.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,19,10.1.1.32:20982,68.171.217.250:25,<,250-SIZE 52428800,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,20,10.1.1.32:20982,68.171.217.250:25,<,250-8BITMIME,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,21,10.1.1.32:20982,68.171.217.250:25,<,250-PIPELINING,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,22,10.1.1.32:20982,68.171.217.250:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,23,10.1.1.32:20982,68.171.217.250:25,<,250 HELP,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,24,10.1.1.32:20982,68.171.217.250:25,*,1467688,sending message
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,25,10.1.1.32:20982,68.171.217.250:25,>,MAIL FROM:<> SIZE=11044,
2014-08-01T20:02:20.675Z,Internet Mail(2010),08D16F6AD4285FCB,26,10.1.1.32:20982,68.171.217.250:25,>,RCPT TO:<infa9@selnig.com>,
2014-08-01T20:02:20.706Z,Internet Mail(2010),08D16F6AD4285FCB,27,10.1.1.32:20982,68.171.217.250:25,<,250 OK,
2014-08-01T20:02:20.706Z,Internet Mail(2010),08D16F6AD4285FCA,0,,186.1.31.37:25,*,,attempting to connect
2014-08-01T20:02:20.769Z,Internet Mail(2010),08D16F6AD4285FCB,28,10.1.1.32:20982,68.171.217.250:25,<,451 Temporary local problem - please try later,
2014-08-01T20:02:20.769Z,Internet Mail(2010),08D16F6AD4285FCB,29,10.1.1.32:20982,68.171.217.250:25,>,QUIT,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,4,10.1.1.32:20981,37.156.33.28:25,<,250-mail.myspacebox.ro,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,5,10.1.1.32:20981,37.156.33.28:25,<,250-PIPELINING,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,6,10.1.1.32:20981,37.156.33.28:25,<,250-SIZE 61440000,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,7,10.1.1.32:20981,37.156.33.28:25,<,250-ETRN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,8,10.1.1.32:20981,37.156.33.28:25,<,250-STARTTLS,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,9,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,10,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,11,10.1.1.32:20981,37.156.33.28:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,12,10.1.1.32:20981,37.156.33.28:25,<,250-8BITMIME,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,13,10.1.1.32:20981,37.156.33.28:25,<,250 DSN,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCC,14,10.1.1.32:20981,37.156.33.28:25,>,STARTTLS,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCA,1,10.1.1.32:20984,186.1.31.37:25,+,,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCB,30,10.1.1.32:20982,68.171.217.250:25,<,221 yesod.webnetnspire.com closing connection,
2014-08-01T20:02:20.800Z,Internet Mail(2010),08D16F6AD4285FCB,31,10.1.1.32:20982,68.171.217.250:25,-,,Local
2014-08-01T20:02:20.940Z,Internet Mail(2010),08D16F6AD4285FCC,15,10.1.1.32:20981,37.156.33.28:25,<,220 2.0.0 Ready to start TLS,
2014-08-01T20:02:20.940Z,Internet Mail(2010),08D16F6AD4285FCE,0,,184.172.106.42:25,*,,attempting to connect
2014-08-01T20:02:21.190Z,Internet Mail(2010),08D16F6AD4285FCA,2,10.1.1.32:20984,186.1.31.37:25,<,220 mail.ideay.net.ni ESMTP Postfix,
2014-08-01T20:02:21.190Z,Internet Mail(2010),08D16F6AD4285FCA,3,10.1.1.32:20984,186.1.31.37:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,16,10.1.1.32:20981,37.156.33.28:25,*,,Received certificate
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,17,10.1.1.32:20981,37.156.33.28:25,*,FC9BE9BACBB3F08455B4CCF2F2AC61FB7BC4F6F1,Certificate thumbprint
2014-08-01T20:02:21.206Z,Internet Mail(2010),08D16F6AD4285FCC,18,10.1.1.32:20981,37.156.33.28:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,4,10.1.1.32:20984,186.1.31.37:25,<,250-mail.ideay.net.ni,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,5,10.1.1.32:20984,186.1.31.37:25,<,250-PIPELINING,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,6,10.1.1.32:20984,186.1.31.37:25,<,250-SIZE 52183040,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,7,10.1.1.32:20984,186.1.31.37:25,<,250-VRFY,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,8,10.1.1.32:20984,186.1.31.37:25,<,250-ETRN,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,9,10.1.1.32:20984,186.1.31.37:25,<,250-STARTTLS,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,10,10.1.1.32:20984,186.1.31.37:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,11,10.1.1.32:20984,186.1.31.37:25,<,250-8BITMIME,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,12,10.1.1.32:20984,186.1.31.37:25,<,250 DSN,
2014-08-01T20:02:21.284Z,Internet Mail(2010),08D16F6AD4285FCA,13,10.1.1.32:20984,186.1.31.37:25,>,STARTTLS,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,19,10.1.1.32:20981,37.156.33.28:25,<,250-mail.myspacebox.ro,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,20,10.1.1.32:20981,37.156.33.28:25,<,250-PIPELINING,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,21,10.1.1.32:20981,37.156.33.28:25,<,250-SIZE 61440000,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,22,10.1.1.32:20981,37.156.33.28:25,<,250-ETRN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,23,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,24,10.1.1.32:20981,37.156.33.28:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,25,10.1.1.32:20981,37.156.33.28:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,26,10.1.1.32:20981,37.156.33.28:25,<,250-8BITMIME,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,27,10.1.1.32:20981,37.156.33.28:25,<,250 DSN,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,28,10.1.1.32:20981,37.156.33.28:25,*,1469701,sending message
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,29,10.1.1.32:20981,37.156.33.28:25,>,MAIL FROM:<> SIZE=11625,
2014-08-01T20:02:21.346Z,Internet Mail(2010),08D16F6AD4285FCC,30,10.1.1.32:20981,37.156.33.28:25,>,RCPT TO:<talonboy57fd@adventistdeva.org>,
2014-08-01T20:02:21.377Z,Internet Mail(2010),08D16F6AD4285FCA,14,10.1.1.32:20984,186.1.31.37:25,<,220 2.0.0 Ready to start TLS,
2014-08-01T20:02:21.455Z,Internet Mail(2010),08D16F6AD4285FCF,0,,141.8.225.63:25,*,,attempting to connect
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,31,10.1.1.32:20981,37.156.33.28:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,32,10.1.1.32:20981,37.156.33.28:25,<,450 4.1.1 <talonboy57fd@adventistdeva.org>: Recipient address rejected: User unknown in virtual mailbox table,
2014-08-01T20:02:21.486Z,Internet Mail(2010),08D16F6AD4285FCC,33,10.1.1.32:20981,37.156.33.28:25,>,QUIT,
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,15,10.1.1.32:20984,186.1.31.37:25,*,,Received certificate
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,16,10.1.1.32:20984,186.1.31.37:25,*,EE76B731626C375D5786D4D7D645763347D7D321,Certificate thumbprint
2014-08-01T20:02:21.564Z,Internet Mail(2010),08D16F6AD4285FCA,17,10.1.1.32:20984,186.1.31.37:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:21.611Z,Internet Mail(2010),08D16F6AD4285FCC,34,10.1.1.32:20981,37.156.33.28:25,<,221 2.0.0 Bye,
2014-08-01T20:02:21.611Z,Internet Mail(2010),08D16F6AD4285FCC,35,10.1.1.32:20981,37.156.33.28:25,-,,Local
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,18,10.1.1.32:20984,186.1.31.37:25,<,250-mail.ideay.net.ni,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,19,10.1.1.32:20984,186.1.31.37:25,<,250-PIPELINING,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,20,10.1.1.32:20984,186.1.31.37:25,<,250-SIZE 52183040,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,21,10.1.1.32:20984,186.1.31.37:25,<,250-VRFY,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,22,10.1.1.32:20984,186.1.31.37:25,<,250-ETRN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,23,10.1.1.32:20984,186.1.31.37:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,24,10.1.1.32:20984,186.1.31.37:25,<,250-AUTH=PLAIN LOGIN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,25,10.1.1.32:20984,186.1.31.37:25,<,250-ENHANCEDSTATUSCODES,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,26,10.1.1.32:20984,186.1.31.37:25,<,250-8BITMIME,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,27,10.1.1.32:20984,186.1.31.37:25,<,250 DSN,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,28,10.1.1.32:20984,186.1.31.37:25,*,1489384,sending message
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,29,10.1.1.32:20984,186.1.31.37:25,>,MAIL FROM:<> SIZE=11011,
2014-08-01T20:02:21.658Z,Internet Mail(2010),08D16F6AD4285FCA,30,10.1.1.32:20984,186.1.31.37:25,>,RCPT TO:<powers5a72@ideay.net.ni>,
2014-08-01T20:02:21.767Z,Internet Mail(2010),08D16F6AD4285FCA,31,10.1.1.32:20984,186.1.31.37:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.767Z,Internet Mail(2010),08D16F6AD4285FCA,32,10.1.1.32:20984,186.1.31.37:25,<,550 5.1.1 <powers5a72@ideay.net.ni>: Recipient address rejected: ideay.net.ni,
2014-08-01T20:02:21.783Z,Internet Mail(2010),08D16F6AD4285FCA,33,10.1.1.32:20984,186.1.31.37:25,>,QUIT,
2014-08-01T20:02:21.876Z,Internet Mail(2010),08D16F6AD4285FCA,34,10.1.1.32:20984,186.1.31.37:25,<,221 2.0.0 Bye,
2014-08-01T20:02:21.876Z,Internet Mail(2010),08D16F6AD4285FCA,35,10.1.1.32:20984,186.1.31.37:25,-,,Local
2014-08-01T20:02:22.454Z,Internet Mail(2010),08D16F6AD4285FD5,0,,201.130.193.100:25,*,,attempting to connect
2014-08-01T20:02:22.532Z,Internet Mail(2010),08D16F6AD4285FD5,1,10.1.1.32:20990,201.130.193.100:25,+,,
2014-08-01T20:02:22.625Z,Internet Mail(2010),08D16F6AD4285FD5,2,10.1.1.32:20990,201.130.193.100:25,<,220 mail.cybercable.net.mx ESMTP,
2014-08-01T20:02:22.625Z,Internet Mail(2010),08D16F6AD4285FD5,3,10.1.1.32:20990,201.130.193.100:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,4,10.1.1.32:20990,201.130.193.100:25,<,250-mail.cybercable.net.mx,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,5,10.1.1.32:20990,201.130.193.100:25,<,250-PIPELINING,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,6,10.1.1.32:20990,201.130.193.100:25,<,250-8BITMIME,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,7,10.1.1.32:20990,201.130.193.100:25,<,250 AUTH LOGIN PLAIN CRAM-MD5,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,8,10.1.1.32:20990,201.130.193.100:25,*,1489386,sending message
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,9,10.1.1.32:20990,201.130.193.100:25,>,MAIL FROM:<>,
2014-08-01T20:02:22.703Z,Internet Mail(2010),08D16F6AD4285FD5,10,10.1.1.32:20990,201.130.193.100:25,>,RCPT TO:<jotreceiptc785@cybercable.net.mx>,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,11,10.1.1.32:20990,201.130.193.100:25,<,250 ok,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,12,10.1.1.32:20990,201.130.193.100:25,<,"550 sorry, no mailbox here by that name (#5.1.1 - chkusr)",
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,13,10.1.1.32:20990,201.130.193.100:25,>,QUIT,
2014-08-01T20:02:22.797Z,Internet Mail(2010),08D16F6AD4285FD5,14,10.1.1.32:20990,201.130.193.100:25,-,,Remote
2014-08-01T20:02:23.655Z,Internet Mail(2010),08D16F6AD4285FD6,0,,62.38.2.74:25,*,,attempting to connect
2014-08-01T20:02:23.811Z,Internet Mail(2010),08D16F6AD4285FD6,1,10.1.1.32:20996,62.38.2.74:25,+,,
2014-08-01T20:02:23.967Z,Internet Mail(2010),08D16F6AD4285FD6,2,10.1.1.32:20996,62.38.2.74:25,<,"220 XMail ESMTP service ready; Fri, 1 Aug 2014 23:02:25 +0300",
2014-08-01T20:02:23.967Z,Internet Mail(2010),08D16F6AD4285FD6,3,10.1.1.32:20996,62.38.2.74:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,4,10.1.1.32:20996,62.38.2.74:25,<,250-protect4.mail.hol.gr,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,5,10.1.1.32:20996,62.38.2.74:25,<,250-8BITMIME,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,6,10.1.1.32:20996,62.38.2.74:25,<,250-PIPELINING,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,7,10.1.1.32:20996,62.38.2.74:25,<,250 SIZE,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,8,10.1.1.32:20996,62.38.2.74:25,*,1489388,sending message
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,9,10.1.1.32:20996,62.38.2.74:25,>,MAIL FROM:<> SIZE=10738,
2014-08-01T20:02:24.310Z,Internet Mail(2010),08D16F6AD4285FD6,10,10.1.1.32:20996,62.38.2.74:25,>,RCPT TO:<ds28a@hol.gr>,
2014-08-01T20:02:24.669Z,Internet Mail(2010),08D16F6AD4285FD6,11,10.1.1.32:20996,62.38.2.74:25,<,250 OK,
2014-08-01T20:02:25.028Z,Internet Mail(2010),08D16F6AD4285FD6,12,10.1.1.32:20996,62.38.2.74:25,<,550 Unknown recipient,
2014-08-01T20:02:25.028Z,Internet Mail(2010),08D16F6AD4285FD6,13,10.1.1.32:20996,62.38.2.74:25,>,QUIT,
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD9,0,,195.64.179.242:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FDA,0,,50.97.35.134:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FDB,0,,216.120.246.32:25,*,,attempting to connect
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD6,14,10.1.1.32:20996,62.38.2.74:25,<,221 XMail ESMTP service closing transmission channel,
2014-08-01T20:02:25.387Z,Internet Mail(2010),08D16F6AD4285FD6,15,10.1.1.32:20996,62.38.2.74:25,-,,Local
2014-08-01T20:02:25.418Z,Internet Mail(2010),08D16F6AD4285FDB,1,10.1.1.32:20999,216.120.246.32:25,+,,
2014-08-01T20:02:25.418Z,Internet Mail(2010),08D16F6AD4285FDA,1,10.1.1.32:20998,50.97.35.134:25,+,,
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,2,10.1.1.32:20998,50.97.35.134:25,<,"220-app.eclarian.com ESMTP Exim 4.82 #2 Fri, 01 Aug 2014 15:02:26 -0500 ",
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,3,10.1.1.32:20998,50.97.35.134:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,4,10.1.1.32:20998,50.97.35.134:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:25.449Z,Internet Mail(2010),08D16F6AD4285FDA,5,10.1.1.32:20998,50.97.35.134:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,6,10.1.1.32:20998,50.97.35.134:25,<,250-app.eclarian.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,7,10.1.1.32:20998,50.97.35.134:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,8,10.1.1.32:20998,50.97.35.134:25,<,250-8BITMIME,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,9,10.1.1.32:20998,50.97.35.134:25,<,250-PIPELINING,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,10,10.1.1.32:20998,50.97.35.134:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,11,10.1.1.32:20998,50.97.35.134:25,<,250-STARTTLS,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,12,10.1.1.32:20998,50.97.35.134:25,<,250 HELP,
2014-08-01T20:02:25.480Z,Internet Mail(2010),08D16F6AD4285FDA,13,10.1.1.32:20998,50.97.35.134:25,>,STARTTLS,
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,2,10.1.1.32:20999,216.120.246.32:25,<,"220-host28.hrwebservices.net ESMTP Exim 4.80.1 #2 Fri, 01 Aug 2014 16:02:26 -0400 ",
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,3,10.1.1.32:20999,216.120.246.32:25,<,"220-We do not authorize the use of this system to transport unsolicited, ",
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,4,10.1.1.32:20999,216.120.246.32:25,<,220 and/or bulk e-mail.,
2014-08-01T20:02:25.496Z,Internet Mail(2010),08D16F6AD4285FDB,5,10.1.1.32:20999,216.120.246.32:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.511Z,Internet Mail(2010),08D16F6AD4285FDA,14,10.1.1.32:20998,50.97.35.134:25,<,220 TLS go ahead,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,6,10.1.1.32:20999,216.120.246.32:25,<,250-host28.hrwebservices.net Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,7,10.1.1.32:20999,216.120.246.32:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,8,10.1.1.32:20999,216.120.246.32:25,<,250-8BITMIME,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,9,10.1.1.32:20999,216.120.246.32:25,<,250-PIPELINING,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,10,10.1.1.32:20999,216.120.246.32:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,11,10.1.1.32:20999,216.120.246.32:25,<,250-STARTTLS,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,12,10.1.1.32:20999,216.120.246.32:25,<,250 HELP,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FDB,13,10.1.1.32:20999,216.120.246.32:25,>,STARTTLS,
2014-08-01T20:02:25.527Z,Internet Mail(2010),08D16F6AD4285FD9,1,10.1.1.32:20997,195.64.179.242:25,+,,
2014-08-01T20:02:25.574Z,Internet Mail(2010),08D16F6AD4285FDB,14,10.1.1.32:20999,216.120.246.32:25,<,220 TLS go ahead,
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,15,10.1.1.32:20998,50.97.35.134:25,*,,Received certificate
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,16,10.1.1.32:20998,50.97.35.134:25,*,22AE281345348B415DB0A695A65500BF40CFE30C,Certificate thumbprint
2014-08-01T20:02:25.589Z,Internet Mail(2010),08D16F6AD4285FDA,17,10.1.1.32:20998,50.97.35.134:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,18,10.1.1.32:20998,50.97.35.134:25,<,250-app.eclarian.com Hello vpn.gsuinc.ca [216.223.90.70],
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,19,10.1.1.32:20998,50.97.35.134:25,<,250-SIZE 52428800,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,20,10.1.1.32:20998,50.97.35.134:25,<,250-8BITMIME,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,21,10.1.1.32:20998,50.97.35.134:25,<,250-PIPELINING,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,22,10.1.1.32:20998,50.97.35.134:25,<,250-AUTH PLAIN LOGIN,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,23,10.1.1.32:20998,50.97.35.134:25,<,250 HELP,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,24,10.1.1.32:20998,50.97.35.134:25,*,1479411,sending message
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,25,10.1.1.32:20998,50.97.35.134:25,>,MAIL FROM:<> SIZE=11094,
2014-08-01T20:02:25.621Z,Internet Mail(2010),08D16F6AD4285FDA,26,10.1.1.32:20998,50.97.35.134:25,>,RCPT TO:<ganieve84@freedombaptistschools.org>,
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,15,10.1.1.32:20999,216.120.246.32:25,*,,Received certificate
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,16,10.1.1.32:20999,216.120.246.32:25,*,BC1D6B0D24DD862AE4AB825352A3F3D24607D8DC,Certificate thumbprint
2014-08-01T20:02:25.636Z,Internet Mail(2010),08D16F6AD4285FDB,17,10.1.1.32:20999,216.120.246.32:25,>,EHLO Brockman.shec.com,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,27,10.1.1.32:20998,50.97.35.134:25,<,250 OK,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,28,10.1.1.32:20998,50.97.35.134:25,<,451 Temporary local problem - please try later,
2014-08-01T20:02:25.652Z,Internet Mail(2010),08D16F6AD4285FDA,29,10.1.1.32:20998,50.97.35.134:25,>,QUIT,


0
 
LVL 63

Accepted Solution

by: Simon Butler (Sembee) earned 500 total points
If you remove anonymous from the receive connector then you will get no email at all.
Tarpit is working well, so it looks like Exchange is doing everything that it can. The NDRs therefore could be OOTO, automatic replies etc.

Simon.
0
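The send-protocol log above can be checked mechanically for the pattern Simon describes: outbound null-sender messages (MAIL FROM:<>, i.e. NDRs and automatic replies) that the remote server then rejects because the recipient never existed. This is an added example, not code from the thread or from Exchange; the log lines in it are constructed in the same CSV layout, with placeholder session ids, hosts and addresses.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample in the layout of an Exchange 2010 send protocol log
# (date-time,connector-id,session-id,sequence-number,local-endpoint,
# remote-endpoint,event,data,context); ids, hosts, addresses are placeholders.
SAMPLE_LOG = """\
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESSION1,29,10.1.1.32:20981,203.0.113.5:25,>,MAIL FROM:<> SIZE=11625,
2014-08-01T20:02:21.346Z,Internet Mail(2010),SESSION1,30,10.1.1.32:20981,203.0.113.5:25,>,RCPT TO:<nobody@example.org>,
2014-08-01T20:02:21.486Z,Internet Mail(2010),SESSION1,31,10.1.1.32:20981,203.0.113.5:25,<,250 2.1.0 Ok,
2014-08-01T20:02:21.486Z,Internet Mail(2010),SESSION1,32,10.1.1.32:20981,203.0.113.5:25,<,450 4.1.1 <nobody@example.org>: Recipient address rejected: User unknown,
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESSION2,9,10.1.1.32:20990,198.51.100.9:25,>,MAIL FROM:<>,
2014-08-01T20:02:22.703Z,Internet Mail(2010),SESSION2,10,10.1.1.32:20990,198.51.100.9:25,>,RCPT TO:<ghost@example.net>,
2014-08-01T20:02:22.797Z,Internet Mail(2010),SESSION2,11,10.1.1.32:20990,198.51.100.9:25,<,250 ok,
2014-08-01T20:02:22.797Z,Internet Mail(2010),SESSION2,12,10.1.1.32:20990,198.51.100.9:25,<,"550 sorry, no mailbox here by that name (#5.1.1 - chkusr)",
2014-08-01T20:02:30.000Z,Internet Mail(2010),SESSION3,9,10.1.1.32:20993,192.0.2.7:25,>,MAIL FROM:<alice@example.com> SIZE=2048,
2014-08-01T20:02:30.000Z,Internet Mail(2010),SESSION3,10,10.1.1.32:20993,192.0.2.7:25,>,RCPT TO:<bob@example.org>,
2014-08-01T20:02:30.100Z,Internet Mail(2010),SESSION3,11,10.1.1.32:20993,192.0.2.7:25,<,250 2.1.0 Ok,
2014-08-01T20:02:30.100Z,Internet Mail(2010),SESSION3,12,10.1.1.32:20993,192.0.2.7:25,<,250 2.1.5 Ok,
"""

FIELDS = ["time", "connector", "session", "seq", "local",
          "remote", "event", "data", "context"]

def parse_log(text):
    """Yield one dict per log line; csv handles the quoted data fields."""
    for row in csv.reader(StringIO(text)):
        if row:
            row += [""] * (len(FIELDS) - len(row))
            yield dict(zip(FIELDS, row))

def find_null_sender_sessions(text):
    """For every session that sent MAIL FROM:<> (an NDR or auto-reply, i.e.
    backscatter) return the remote host, the recipient and the remote server's
    reply to RCPT TO. Pipelined MAIL/RCPT are matched to replies in order."""
    state = defaultdict(lambda: {"pending": [], "replies": {}, "remote": None,
                                 "null_sender": False, "rcpt": None})
    for rec in parse_log(text):
        s, data, cmd = state[rec["session"]], rec["data"], rec["data"].upper()
        if rec["event"] == ">" and cmd.startswith("MAIL FROM:"):
            s["null_sender"] = cmd.startswith("MAIL FROM:<>")
            s["remote"] = rec["remote"]
            s["pending"].append("MAIL")
        elif rec["event"] == ">" and cmd.startswith("RCPT TO:"):
            s["rcpt"] = data.split(":", 1)[1].strip().strip("<>")
            s["pending"].append("RCPT")
        elif rec["event"] == "<" and s["pending"] and data[:3].isdigit():
            if data[3:4] == "-":
                continue                 # continuation of a multi-line reply
            s["replies"][s["pending"].pop(0)] = data
    verdicts = {"2": "accepted", "4": "deferred", "5": "rejected"}
    return {sid: {"remote": s["remote"], "rcpt": s["rcpt"],
                  "reply": s["replies"].get("RCPT", ""),
                  "verdict": verdicts.get(s["replies"].get("RCPT", "")[:1], "unknown")}
            for sid, s in state.items() if s["null_sender"]}

def summarize(sessions):
    """Count null-sender sessions by verdict; a large rejected/deferred share
    means the server is bouncing to recipients that never existed."""
    counts = {"accepted": 0, "deferred": 0, "rejected": 0, "unknown": 0}
    for s in sessions.values():
        counts[s["verdict"]] += 1
    return counts
```

Run it over a real SmtpSend log (same nine-column layout) to see how much of the outbound volume is bounces to addresses that do not exist; that share, not the existence of null-sender mail itself, is what indicates backscatter.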

Author Comment

by:ITGeneral
So what about the spam that is coming from legit email addresses that we use? How are those being generated? Some of them I don't even think are accounts; they're just additional aliases. Any way I can stop those?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Not a lot you can do to stop those, because that is how spammers work. They get legitimate addresses for your environment and then use those as the from headers. They hope that you have either whitelisted your own domain or it causes the email to look legitimate to the sender so that they open it.

Therefore the only way to block them is after delivery based on content in the more traditional way.

Simon.
0
 

Author Comment

by:ITGeneral
Wow, that really sucks. Some of the addresses they are using are, like I said, never used - aliases most of the time. So just to come full circle on this - my contractor that is receiving SPAM from us - how would a spammer a) know that the particular email alias that they used even existed (with tarpitting and the fact that it's an alias on another account - it's NEVER used anywhere really) and b) how would they have gotten the email address for our contractor? Surely it couldn't just be random luck.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Who knows how they get the addresses?
They could have done a directory harvest attack, guessed, compromised a workstation and pulled the address off. If the address has been used ever, then it will get spam.

You say about random luck, I can point to a client who gets a lot of email for an address that looks like it should be legitimate, but has never been. I actually use it as a honeypot now, as it is so common in the spamming runs.

Simon.
0
 

Author Comment

by:ITGeneral
So is there anything more I can do about stuff like this?

spam.png
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Not really.
There is no magic fix for spam - every server gets it, and most have to use third-party tools to deal with it.

Simon.
0
 

Author Comment

by:ITGeneral
So again, to come full circle on this, with regard to that original host header info at the top of the thread: did that email in fact come from my mail server? And if it did, I'm going to assume it's from a compromised account. The best way to find that, I'm guessing, is to look through the send connector for an account that is sending these types of emails?
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
If there is an external IP address in the header then it did not originate from your server.
However, remember that a lot of headers in spam messages are forged, so they cannot be depended on for any kind of diagnosis. The most effective spam blocking method is to block at the point of connection.

Simon.
0
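Simon's two rules (an outside IP handed to your own server means the message never originated there, and any Received line beneath your server's own line may be forged) can be applied mechanically by walking the Received chain newest-first and stopping at the first line your own server wrote. This is an added example, not code from the thread or from Exchange; the headers, host names and network ranges in it are constructed placeholders, and it also handles the opposite case where the first hop is internal (the compromised-account or rogue-device scenario).

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers in Exchange's Received format. "Our" server is
# mail.example.com (10.1.1.4, public 198.51.100.20); every other host, IP and
# address is a documentation placeholder, not one from the thread.
FROM_OUTSIDE = """\
Received: from mail.example.com (198.51.100.20) by mx.partner.example
 (192.168.1.10) with Microsoft SMTP Server id 14.1.438.0; Fri, 25 Jul 2014 03:42:09 -0400
Received: from pool-host.isp.example (203.0.113.45) by mail.example.com
 (10.1.1.4) with Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014 03:42:05 -0400
Received: from [10.0.0.114] ([10.0.0.114:9746] helo=pool-host.isp.example)
 by relay.isp.example with ESMTP id 4F/5E; Fri, 25 Jul 2014 09:42:03 +0200
From: Someone <alias@example.com>
To: <contractor@partner.example>

body
"""
FROM_INSIDE = """\
Received: from mail.example.com (198.51.100.20) by mx.partner.example
 (192.168.1.10) with Microsoft SMTP Server id 14.1.438.0; Fri, 25 Jul 2014 03:43:00 -0400
Received: from scanner01 (10.1.1.50) by mail.example.com (10.1.1.4) with
 Microsoft SMTP Server id 14.2.347.0; Fri, 25 Jul 2014 03:42:58 -0400
From: <alias@example.com>

body
"""

OUR_HOSTS = {"mail.example.com"}                      # hosts we operate (assumed)
OUR_NETS = [ipaddress.ip_network("10.1.1.0/24"),      # networks we operate (assumed)
            ipaddress.ip_network("198.51.100.20/32")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?[\])]")

def parse_received(header):
    """Return (from_host, from_ip, by_host) for one Received header."""
    h = " ".join(header.split())                      # unfold continuation lines
    from_part, _, by_part = h.partition(" by ")
    from_host = from_part.split()[1] if from_part.lower().startswith("from ") else None
    ips = IP_RE.findall(from_part)
    by_host = by_part.split()[0] if by_part else None
    return from_host, (ips[0] if ips else None), by_host

def is_ours(host, ip):
    if host and host.lower().rstrip(".") in OUR_HOSTS:
        return True
    try:
        return ip is not None and any(ipaddress.ip_address(ip) in n for n in OUR_NETS)
    except ValueError:
        return False

def find_origin(raw):
    """Walk Received headers newest-first to the first line written by one of
    our own servers. Lines above it were added downstream; that line itself is
    authoritative about who connected to us (an outside IP there means the
    message was not generated by our server); lines beneath it are forgeable."""
    hops = [parse_received(h) for h in message_from_string(raw).get_all("Received", [])]
    for i, (from_host, from_ip, by_host) in enumerate(hops):
        if not is_ours(by_host, None):
            continue                                  # added by someone else's server
        return {"received_by": by_host, "from_host": from_host, "from_ip": from_ip,
                "originated_internally": is_ours(from_host, from_ip),
                "untrusted_headers_below": len(hops) - i - 1}
    return None                                       # never passed through our servers
```

A result with originated_internally set is the case worth chasing in the send logs for a compromised account or an unauthenticated device; the external case is the forged-From spam Simon describes and is best handled at connection time.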
