How to find local message details
-
In the Queue Manager, how do we check for a local message? Email was sent to an alias but it doesn't show in Queue Manager/all log. When I open the all log file with Notepad, I see the alias but no other info like IP, just the alias and from address. Any way to find the IP of the sender?
Thank you.
-
Arron Staff
My apologies for the delay in responding. Is MDaemon configured to log summarized mail sessions or detailed mail sessions? (Setup / Server Settings / Logging / Log Mode) If you are logging summarized mail sessions, there will be a limited amount of information in the logs.
If you have the message, you should be able to open the MSG file on the server using a text editor, or view the source of the message using your email client; the X-MDRemoteIP header will have the IP address the message was received from.
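As an added example (not from this thread and not MDaemon's own tooling), the Python below pulls the X-MDRemoteIP header Arron points to out of a saved message and, alongside it, the IP literals in the Received chain, so the two can be compared. The sample message, its addresses and the layout of its Received lines are constructed.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message (not a real MDaemon .msg file); the public IP is from
# the 203.0.113.0/24 documentation range.
SAMPLE_MSG = """\
Return-Path: <sender@example.org>
X-MDRemoteIP: 203.0.113.45
Received: from mail.example.org [203.0.113.45] by mx.example.com
\twith ESMTP id 0123456789 for <alias@example.com>; Fri, 03 Jan 2025 20:11:28 -0500
Received: from [10.0.0.5] by mail.example.org; Fri, 03 Jan 2025 20:11:20 -0500
From: Sender <sender@example.org>
To: alias@example.com
Subject: test
Message-ID: <constructed-id@example.org>

body
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def remote_ip(raw_message: str):
    """Return the X-MDRemoteIP value (written by the receiving MDaemon), or None."""
    msg = message_from_string(raw_message, policy=default)
    value = msg.get("X-MDRemoteIP")
    return str(value).strip() if value is not None else None


def received_hops(raw_message: str):
    """IPv4 literals per Received header, newest (topmost) first.

    Only the topmost hop was stamped by your own server; every hop below it
    arrived inside the message and is sender-controlled.
    """
    msg = message_from_string(raw_message, policy=default)
    return [IPV4_RE.findall(str(h)) for h in msg.get_all("Received", [])]


def summarize(raw_message: str) -> dict:
    """Combine both views and flag whether the server-written Received hop
    agrees with X-MDRemoteIP."""
    ip = remote_ip(raw_message)
    hops = received_hops(raw_message)
    return {
        "remote_ip": ip,
        "hops": hops,
        "consistent": bool(ip) and bool(hops) and ip in hops[0],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_MSG))
```

Read the file from disk with `open(path, encoding="latin-1").read()` and pass it to `summarize`; prefer the X-MDRemoteIP value over anything further down the Received chain, since only the first is under your server's control.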
-
Thank you for your reply.
Our logs are set to detailed, yet some of the emails didn't show an IP.
Our SMTP requires authentication, but some spam is still getting through and some didn't have IPs associated with it.
Would it mean one of our accounts was compromised? It doesn't seem like it, but I'm just being cautious.
Thank you.
-
Arron Staff
Was the message received via SMTP? Were multiple messages sent in the same SMTP session? Can you provide a log snippet that shows the entire inbound session from the log file?
The inbound SMTP session should always start with something like this:
Wed 2025-01-08 07:12:32.160: [10214051] Session 10214051; child 0001
Wed 2025-01-08 07:12:32.160: [10214051] Accepting SMTP connection from 185.174.194.131:54934 to 192.168.1.101:25
If you are looking at a session that is not starting with that, then the session must have started earlier in the log.
I'll need more information to know if an account was compromised.
Can you also post the headers from the message that was received?
-
Thank you for your reply.
Adding header part. Removed some IPs and emails.
Fri 2025-01-03 20:10:55.846: Session 13262254; child 0001
Fri 2025-01-03 20:10:55.846: Accepting SMTP connection from 5.172.194.213:54179 to Removed:25
Fri 2025-01-03 20:10:55.846: Location Screen says connection is from Greece, Europe
Fri 2025-01-03 20:10:55.847: --> 220 londonjewelers.com ESMTP MDaemon 24.5.2; Fri, 03 Jan 2025 20:10:55 -0500
Fri 2025-01-03 20:10:55.966: <-- EHLO static.213.194.172.5.clients.lancom.gr
Fri 2025-01-03 20:10:55.966: --> 250-londonjewelers.com Hello static.213.194.172.5.clients.lancom.gr [5.172.194.213], pleased to meet you
Fri 2025-01-03 20:10:55.966: --> 250-ETRN
Fri 2025-01-03 20:10:55.966: --> 250-AUTH LOGIN CRAM-MD5 PLAIN
Fri 2025-01-03 20:10:55.966: --> 250-8BITMIME
Fri 2025-01-03 20:10:55.966: --> 250-ENHANCEDSTATUSCODES
Fri 2025-01-03 20:10:55.966: --> 250-PIPELINING
Fri 2025-01-03 20:10:55.966: --> 250-CHUNKING
Fri 2025-01-03 20:10:55.966: --> 250-STARTTLS
Fri 2025-01-03 20:10:55.966: --> 250 SIZE
Fri 2025-01-03 20:10:56.093: <-- MAIL FROM:<fidelity.edocuments@mail.fidelity.com>
Fri 2025-01-03 20:10:56.093: Performing PTR lookup (213.194.172.5.IN-ADDR.ARPA)
Fri 2025-01-03 20:10:56.098: * D=213.194.172.5.IN-ADDR.ARPA TTL=(644) PTR=[static.213.194.172.5.clients.lancom.gr]
Fri 2025-01-03 20:11:07.689: * DNS: 10 second wait for DNS response exceeded (DNS Server: Removed)
Fri 2025-01-03 20:11:07.689: * No A/AAAA records found
Fri 2025-01-03 20:11:07.689: ---- End PTR results
Fri 2025-01-03 20:11:07.689: Performing IP lookup (static.213.194.172.5.clients.lancom.gr)
Fri 2025-01-03 20:11:17.695: * DNS: 10 second wait for DNS response exceeded (DNS Server: Removed)
Fri 2025-01-03 20:11:17.695: * DNS server reports domain name unknown
Fri 2025-01-03 20:11:17.695: ---- End IP lookup results
Fri 2025-01-03 20:11:17.695: Performing IP lookup (mail.fidelity.com)
Fri 2025-01-03 20:11:27.730: * DNS: 10 second wait for DNS response exceeded (DNS Server: Removed)
Fri 2025-01-03 20:11:27.741: * P=010 S=000 D=mail.fidelity.com TTL=(5) MX=[inbound-reply.s4.exacttarget.com]
Fri 2025-01-03 20:11:27.749: * D=inbound-reply.s4.exacttarget.com TTL=(5) A=[198.245.89.114]
Fri 2025-01-03 20:11:27.750: ---- End IP lookup results
Fri 2025-01-03 20:11:27.750: --> 250 2.1.0 Sender OK
Fri 2025-01-03 20:11:27.915: <-- RCPT TO:<Removed>
Fri 2025-01-03 20:11:27.919: --> 250 2.1.5 Recipient OK
Fri 2025-01-03 20:11:28.062: <-- DATA
Fri 2025-01-03 20:11:28.063: --> 354 Enter mail, end with <CRLF>.<CRLF>
Fri 2025-01-03 20:11:28.300: Message size: 35804 bytes
Fri 2025-01-03 20:11:28.300: Performing DKIM verification
Fri 2025-01-03 20:11:28.300: * File: d:\mdaemon\queues\temp\md5001000005238.tmp
Fri 2025-01-03 20:11:28.300: * Message-ID: <20250104031052.CD65A76E5E32F6CF@mail.fidelity.com>
Fri 2025-01-03 20:11:28.300: * Result: neutral
Fri 2025-01-03 20:11:28.300: ---- End DKIM results
Fri 2025-01-03 20:11:28.303: Passing message through AntiVirus (Size: 35804)...
Fri 2025-01-03 20:11:28.375: * Message is clean (no viruses found) scanned by (IKARUS: clean (0.00369s)) (ClamAV: clean (0.04547s))
Fri 2025-01-03 20:11:28.375: ---- End AntiVirus results
Fri 2025-01-03 20:11:28.473: Passing message through Outbreak Protection...
Fri 2025-01-03 20:11:28.473: * Message-ID: <20250104031052.CD65A76E5E32F6CF@mail.fidelity.com>
Fri 2025-01-03 20:11:28.473: * Reference-ID: str=0001.0A006368.677873A2.0024,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Fri 2025-01-03 20:11:28.473: * Virus result: 0 - Clean
Fri 2025-01-03 20:11:28.473: * Spam result: 3 - Spam (bulk)
Fri 2025-01-03 20:11:28.473: * IWF result: 0 - Clean
Fri 2025-01-03 20:11:28.473: ---- End Outbreak Protection results
Fri 2025-01-03 20:11:28.475: Passing message through Spam Filter (Size: 35804)...
Fri 2025-01-03 20:11:28.676: * 1.6 BAYES_50 BODY: Bayes spam probability is 40 to 60%
Fri 2025-01-03 20:11:28.676: * [score: 0.5000]
Fri 2025-01-03 20:11:28.676: * 3.5 MDAEMON_OP_SPAM_HIGH MDaemon: spam/phish
Fri 2025-01-03 20:11:28.676: * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
Fri 2025-01-03 20:11:28.676: * 0.0 HTML_MESSAGE BODY: HTML included in message
Fri 2025-01-03 20:11:28.676: * 0.0 T_HK_SPAMMY_FILENAME No description available.
Fri 2025-01-03 20:11:28.676: * 2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
Fri 2025-01-03 20:11:28.676: * 1)
Fri 2025-01-03 20:11:28.676: * 1.3 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
Fri 2025-01-03 20:11:28.676: * blocklist
Fri 2025-01-03 20:11:28.676: * [URI: qeip.phondpoidy.ru]
Fri 2025-01-03 20:11:28.676: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
Fri 2025-01-03 20:11:28.676: * See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
Fri 2025-01-03 20:11:28.676: * for more information.
Fri 2025-01-03 20:11:28.676: * [URI: phondpoidy.ru]
Fri 2025-01-03 20:11:28.676: ---- End SpamAssassin results
Fri 2025-01-03 20:11:28.676: Spam Filter score/req: 8.50/15.0
Fri 2025-01-03 20:11:28.825: Message creation successful: d:\mdaemon\queues\inbound\md5001016506686.msg
Fri 2025-01-03 20:11:28.825: --> 250 2.6.0 Ok, message saved <Message-ID: <20250104031052.CD65A76E5E32F6CF@mail.fidelity.com>>
Fri 2025-01-03 20:11:28.830: <-- QUIT
Fri 2025-01-03 20:11:28.830: --> 221 2.0.0 See ya in cyberspace
Fri 2025-01-03 20:11:28.830: SMTP session successful (Bytes in/out: 35959/530)
Fri 2025-01-03 20:11:28.830: ----------
Fri 2025-01-03 20:11:28.833: (SMTP) Spam Filter processing d:\mdaemon\queues\temp\md5001000005238.tmp...
Fri 2025-01-03 20:11:28.833: * Message return-path: fidelity.edocuments@mail.fidelity.com
Fri 2025-01-03 20:11:28.834: * Message ID: <20250104031052.CD65A76E5E32F6CF@mail.fidelity.com>
Fri 2025-01-03 20:11:28.834: Start SpamAssassin results
Fri 2025-01-03 20:11:28.834: 08.50 points, 9.0 required;
Fri 2025-01-03 20:11:28.834: * 1.6 BAYES_50 BODY: Bayes spam probability is 40 to 60%
Fri 2025-01-03 20:11:28.834: * [score: 0.5000]
Fri 2025-01-03 20:11:28.834: * 3.5 MDAEMON_OP_SPAM_HIGH MDaemon: spam/phish
Fri 2025-01-03 20:11:28.834: * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
Fri 2025-01-03 20:11:28.834: * 0.0 HTML_MESSAGE BODY: HTML included in message
Fri 2025-01-03 20:11:28.834: * 0.0 T_HK_SPAMMY_FILENAME No description available.
Fri 2025-01-03 20:11:28.834: * 2.0 HELO_DYNAMIC_IPADDR Relay HELO'd using suspicious hostname (IP addr
Fri 2025-01-03 20:11:28.834: * 1)
Fri 2025-01-03 20:11:28.834: * 1.3 URIBL_ABUSE_SURBL Contains an URL listed in the ABUSE SURBL
Fri 2025-01-03 20:11:28.834: * blocklist
Fri 2025-01-03 20:11:28.834: * [URI: qeip.phondpoidy.ru]
Fri 2025-01-03 20:11:28.834: * 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
Fri 2025-01-03 20:11:28.834: * See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
Fri 2025-01-03 20:11:28.834: * for more information.
Fri 2025-01-03 20:11:28.834: * [URI: phondpoidy.ru]
Fri 2025-01-03 20:11:28.834: End SpamAssassin results
Fri 2025-01-03 20:11:28.834: ----------
Fri 2025-01-03 20:11:28.834: Passing message through Outbreak Protection...
Fri 2025-01-03 20:11:28.834: * Message-ID: <20250104031052.CD65A76E5E32F6CF@mail.fidelity.com>
Fri 2025-01-03 20:11:28.834: * Reference-ID: str=0001.0A006368.677873A2.0024,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Fri 2025-01-03 20:11:28.834: * Virus result: 0 - Clean
Fri 2025-01-03 20:11:28.834: * Spam result: 3 - Spam (bulk)
Fri 2025-01-03 20:11:28.834: * IWF result: 0 - Clean
Fri 2025-01-03 20:11:28.835: ----------
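Added example, not part of the poster's message and not MDaemon code: a small Python parser for the session structure Arron describes (each inbound session opens with a "Session N; child M" line followed by "Accepting SMTP connection from IP:port to IP:port"), run over a constructed log shaped like the one posted above. It accepts both line styles seen in this thread (with and without the "[session-id]" tag), records whether the client sent AUTH and received a 235 reply, and answers the original question directly: given a recipient alias, which session and which source IP delivered to it. The sample log, its IPs and the wording of the 235 reply are constructed, not copied from a real server.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the two line shapes quoted in this thread (with and without
# the "[session-id]" tag). IPs are documentation-range addresses; the 235 reply text
# is assumed, not copied from a real MDaemon log.
SAMPLE_LOG = r"""Fri 2025-01-03 20:10:55.846: Session 13262254; child 0001
Fri 2025-01-03 20:10:55.846: Accepting SMTP connection from 203.0.113.45:54179 to 198.51.100.10:25
Fri 2025-01-03 20:10:55.966: <-- EHLO static.45.113.0.203.example.net
Fri 2025-01-03 20:10:56.093: <-- MAIL FROM:<notices@sender.example.org>
Fri 2025-01-03 20:11:27.915: <-- RCPT TO:<alias@example.com>
Fri 2025-01-03 20:11:28.676: Spam Filter score/req: 8.50/15.0
Fri 2025-01-03 20:11:28.825: Message creation successful: d:\mdaemon\queues\inbound\md5001016506686.msg
Fri 2025-01-03 20:11:28.830: SMTP session successful (Bytes in/out: 35959/530)
Fri 2025-01-03 20:11:28.830: ----------
Fri 2025-01-03 20:11:28.833: (SMTP) Spam Filter processing d:\mdaemon\queues\temp\md5001000005238.tmp...
Wed 2025-01-08 07:12:32.160: [10214051] Session 10214051; child 0001
Wed 2025-01-08 07:12:32.160: [10214051] Accepting SMTP connection from 198.51.100.77:49152 to 198.51.100.10:587
Wed 2025-01-08 07:12:32.250: [10214051] <-- AUTH LOGIN
Wed 2025-01-08 07:12:32.400: [10214051] --> 235 2.7.0 Authentication successful
Wed 2025-01-08 07:12:32.500: [10214051] <-- MAIL FROM:<user@example.com>
Wed 2025-01-08 07:12:32.600: [10214051] <-- RCPT TO:<friend@example.org>
Wed 2025-01-08 07:12:33.000: [10214051] SMTP session successful (Bytes in/out: 1200/400)
Wed 2025-01-08 07:12:33.000: [10214051] ----------
"""

# "<weekday> <date> <time>: [optional session tag] <body>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}): (?:\[\d+\] )?(?P<body>.*)$")
SESSION_RE = re.compile(r"^Session (\d+); child \d+")
ACCEPT_RE = re.compile(r"^Accepting SMTP connection from (\S+):(\d+) to (\S+):(\d+)")
HELO_RE = re.compile(r"^<-- (?:EHLO|HELO) (\S+)", re.I)
FROM_RE = re.compile(r"^<-- MAIL FROM:\s*<([^>]*)>", re.I)
RCPT_RE = re.compile(r"^<-- RCPT TO:\s*<([^>]*)>", re.I)
SCORE_RE = re.compile(r"^Spam Filter score/req: ([-\d.]+)/([-\d.]+)")
MSGFILE_RE = re.compile(r"^Message creation successful: (.+)$")


@dataclass
class SmtpSession:
    session_id: str
    started: str
    remote_ip: Optional[str] = None
    local_port: Optional[int] = None
    helo: Optional[str] = None
    mail_from: Optional[str] = None
    rcpt_to: List[str] = field(default_factory=list)
    auth_attempted: bool = False      # client sent an AUTH command
    authenticated: bool = False       # server answered 235 (RFC 4954 success code)
    spam_score: Optional[float] = None
    spam_required: Optional[float] = None
    msg_file: Optional[str] = None
    completed: bool = False


def parse_sessions(log_text: str) -> List[SmtpSession]:
    """Group log lines into SMTP sessions and extract who connected and what they left."""
    sessions: List[SmtpSession] = []
    current: Optional[SmtpSession] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                  # not a recognisable log line
        body = m.group("body")
        if (s := SESSION_RE.match(body)):
            current = SmtpSession(session_id=s.group(1), started=m.group("ts"))
            sessions.append(current)
        elif current is None:
            continue            # outside any session, e.g. the later Spam Filter block
        elif body.startswith("----------"):
            current = None                            # end of this session's block
        elif (a := ACCEPT_RE.match(body)):
            current.remote_ip, current.local_port = a.group(1), int(a.group(4))
        elif (h := HELO_RE.match(body)):
            current.helo = h.group(1)
        elif (f := FROM_RE.match(body)):
            current.mail_from = f.group(1)
        elif (r := RCPT_RE.match(body)):
            current.rcpt_to.append(r.group(1))
        elif body.upper().startswith("<-- AUTH"):
            current.auth_attempted = True
        elif body.startswith("--> 235"):
            current.authenticated = True
        elif (sc := SCORE_RE.match(body)):
            current.spam_score, current.spam_required = float(sc.group(1)), float(sc.group(2))
        elif (mf := MSGFILE_RE.match(body)):
            current.msg_file = mf.group(1)
        elif body.startswith("SMTP session successful"):
            current.completed = True
    return sessions


def sessions_for_recipient(sessions: List[SmtpSession], address: str) -> List[SmtpSession]:
    """Sessions that delivered to the given address (case-insensitive)."""
    wanted = address.lower()
    return [s for s in sessions if any(r.lower() == wanted for r in s.rcpt_to)]


if __name__ == "__main__":
    for s in sessions_for_recipient(parse_sessions(SAMPLE_LOG), "alias@example.com"):
        print(f"{s.started} session {s.session_id}: from {s.remote_ip} port {s.local_port} "
              f"auth={s.authenticated} score={s.spam_score} file={s.msg_file}")
```

Lines that fall outside a Session block (such as the "(SMTP) Spam Filter processing" block that follows the separator in the log above) are skipped, so a message that appears to have no IP is usually one whose "Accepting SMTP connection" line sits further up the file, as Arron notes. Point `parse_sessions` at the whole day's log rather than a copied excerpt.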
-
Arron Staff
Nothing in the log snippets provided indicates that an account has been compromised.
-
Thank you for your reply.
Just another newbie question.
Our port 25 requires authentication for access; how are these emails getting through?
Do incoming emails not require authentication?
Thank you.
-
Arron Staff
Typically, the mail server is configured to require authentication for messages from local users. This message is not from a local user, so it does not require authentication. If authentication was required for mail from non local senders, then you would not be able to receive email from anyone unless they had a local account on the server.
Security / Sender Authentication / SMTP Authentication has options for "Authentication is always required when mail is sent from local accounts" and "Authentication is always required when mail is sent from Local IPs", but there is not an option for the SMTP port to require that every connection authenticates.
The MSA Port (587) requires that every connection authenticates, but it is intended to be used by the email clients of local users when sending mail.
-
Thank you so much for that explanation!
Really appreciate it!