help on smtp log

  • Question


  • exch2003server (10.141.10.17) is an Exchange 2003 front-end server; 10.141.10.1 is one domain controller's IP.
    Here is the SMTP log on the exch2003server.  We tried to take down the exch2003server, but 10.141.10.1 (the
    domain controller) seems to use exch2003server.  From the SMTP log (only two lines in the log):
    can anyone help to see whether 10.141.10.1 still uses exch2003server?  Why does 10.141.10.1 (the
    domain controller) show up in the SMTP log?

    ----------------------------------------------------------------------------------------
    Line 22084: 2014-06-02 13:21:15 10.141.10.1 xyz.com SMTPSVC1 exch2003server 10.141.10.17 0 HELO - +xyz.com 250 0 46 13 0 SMTP - - - -
    Line 22085: 2014-06-02 13:21:15 10.141.10.1 xyz.com SMTPSVC1 exch2003server  10.141.10.17 0 QUIT - xyz.com 240 0 68 4 0 SMTP - - - -

    Thank you.

    Wednesday, June 4, 2014 8:09 PM

Answers

  • If it's a true front-end server, then it shouldn't be routing SMTP mail.

    Those two lines say that the only transaction was someone or some server doing an HELO followed by a QUIT.  It looks like a test to me.  Are you sure protocol logging is enabled?


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    Wednesday, June 4, 2014 8:15 PM

All replies

  • Yes, it's a true front-end server.  We are in the middle of taking down this Exchange 2003 server, so we need to find out whether other servers are still configured to use it.  Only these two lines confuse me.  No FROM, RCPT, BDAT etc...

    Just wondering why these two lines show up in the SMTP log (protocol logging enabled).

    Wednesday, June 4, 2014 8:58 PM
  • What I do not understand is that one of our domain controllers (IP 10.141.10.1) issues HELO to
    this exch2003server (10.141.10.17) with the non-existent domain xyz.com.  Does that mean someone hacked
    into our system, since these servers are inside our private network?  Can anyone help?

    Thank you very much!

    Thursday, June 5, 2014 1:46 PM
  • Can anyone provide some insight?  Thank you.

    Friday, June 6, 2014 1:34 PM
  • Just because it's a DC doesn't mean there isn't something running on it that uses SMTP. As Ed said, it may just be a bit of code that runs (maybe as a scheduled task) and checks to see if the SMTP server's still "alive".

    You haven't said anything about what you've done to track down whatever it is on the DC that's doing this.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Monday, June 9, 2014 2:58 AM
  • Hi Rich,
    Thanks for your reply.

    I checked the DC for any app or scheduled task that could cause these entries in the SMTP log.  No app or scheduled task.
    BTW, only two lines are in the SMTP log:

    Line 22084: 2014-06-02 13:21:15 10.141.10.1 xyz.com SMTPSVC1 exch2003server 10.141.10.17 0 HELO - +xyz.com 250 0 46 13 0 SMTP - - - -
    Line 22085: 2014-06-02 13:21:15 10.141.10.1 xyz.com SMTPSVC1 exch2003server  10.141.10.17 0 QUIT - xyz.com 240 0 68 4 0 SMTP - - - -

    xyz.com (I used a fake one), and the xyz.com in the log is not an SMTP domain.  I checked whois and it is registered in Korea.

    I just want to find out why these two lines are in the SMTP log from our DC.

    Thank you.

    Wednesday, June 11, 2014 1:41 PM
  • If you can't identify the process that's opening the connection you'll have to install something on the DC that can do that for you.

    TCPView is probably impractical (there's a lot of traffic on a DC), but NetMon should be able to accomplish that task.

    If the connection shows up on a regular basis you should be able to limit the amount of data captured. If it only happens infrequently you'll have to capture a LOT of data -- but at least you'll be able to home in on the connection using the time recorded in the SMTP protocol log.


    --- Rich Matheisen MCSE&I, Exchange MVP

    Wednesday, June 11, 2014 4:23 PM
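As an added example (not code from the thread or from either MVP), this is the log-side triage that Ed's reading of the two lines and Rich's advice to correlate by timestamp imply: group the IIS SMTP protocol-log lines per client IP into HELO/EHLO..QUIT sessions, label sessions that carry no MAIL/RCPT/DATA/BDAT as probes, and emit their timestamps to line up against a NetMon capture on the DC. The W3C field order is assumed (the log's #Fields header is not quoted in the thread) and the second host's lines are constructed for contrast.

```python
from datetime import datetime

# Assumed field order of the quoted lines (W3C extended format; the log's
# #Fields header is not shown in the thread).
FIELDS = ["date", "time", "c_ip", "cs_username", "s_sitename", "s_computername",
          "s_ip", "s_port", "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]

# Constructed sample: the thread's two lines plus a constructed real mail
# session from a second host (10.141.10.44) for contrast.
SAMPLE_LOG = """\
2014-06-02 13:21:15 10.141.10.1 xyz.com SMTPSVC1 exch2003server 10.141.10.17 0 HELO - +xyz.com 250 0 46 13 0 SMTP - - - -
2014-06-02 13:21:15 10.141.10.1 xyz.com SMTPSVC1 exch2003server 10.141.10.17 0 QUIT - xyz.com 240 0 68 4 0 SMTP - - - -
2014-06-02 13:25:02 10.141.10.44 mail.example.test SMTPSVC1 exch2003server 10.141.10.17 0 EHLO - +mail.example.test 250 0 200 20 0 SMTP - - - -
2014-06-02 13:25:02 10.141.10.44 mail.example.test SMTPSVC1 exch2003server 10.141.10.17 0 MAIL - +FROM:<a@example.test> 250 0 40 30 0 SMTP - - - -
2014-06-02 13:25:02 10.141.10.44 mail.example.test SMTPSVC1 exch2003server 10.141.10.17 0 RCPT - +TO:<b@xyz.com> 250 0 40 25 0 SMTP - - - -
2014-06-02 13:25:03 10.141.10.44 mail.example.test SMTPSVC1 exch2003server 10.141.10.17 0 QUIT - mail.example.test 240 0 68 4 0 SMTP - - - -
"""

def parse_line(line):
    """Split one log line into a dict; skip '#' header lines and short lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec

def sessions(log_text):
    """Group lines per client IP into HELO/EHLO..QUIT runs (the log has no session id)."""
    open_sessions = {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        ip, verb = rec["c_ip"], rec["cs_method"].upper()
        if verb in ("HELO", "EHLO") or ip not in open_sessions:
            open_sessions[ip] = {"start": rec["when"], "verbs": []}
        sess = open_sessions[ip]
        sess["verbs"].append(verb)
        sess["end"] = rec["when"]
        if verb == "QUIT":
            yield ip, sess["start"], sess["end"], sess["verbs"]
            del open_sessions[ip]
    for ip, sess in open_sessions.items():  # connections that never sent QUIT
        yield ip, sess["start"], sess["end"], sess["verbs"]

def triage(log_text):
    """Label each session 'probe' (no mail transaction, like the thread's HELO/QUIT
    pair) or 'mail', with timestamps to line up against a NetMon capture."""
    return [(ip, "mail" if {"MAIL", "RCPT", "DATA", "BDAT"} & set(verbs) else "probe",
             start.isoformat(" "), end.isoformat(" "))
            for ip, start, end, verbs in sessions(log_text)]
```

Feeding the whole SMTPSVC1 log through triage() lists every probe-only client with its first and last timestamp, which is what you need to narrow the capture window on the DC.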