Quick repro:
$ telnet 172.18.249.222 25
Trying 172.18.249.222...
Connected to dhcp-172-18-249-222.cisco.com.
Escape character is '^]'.
220 royale3.local ESMTP
helo
250 royale3.local
mail from:
250 sender <> ok
rcpt to: test@test.com
550 #5.1.0 Address rejected.
rcpt to: test@test.com
550 #5.1.0 Address rejected.
rcpt to: test@test.com
550 Too many invalid recipients
Connection closed by foreign host.
So - in mail logs, you should search and find similar:
Wed Jul 22 11:59:13 2015 Info: New SMTP ICID 266513 interface Management (172.18.249.222) address 10.XXX.54.15 reverse dns host dhcp-10-XXX-54-15.cisco.com verified yes
Wed Jul 22 11:59:13 2015 Info: ICID 266513 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS rfc1918
Wed Jul 22 11:59:18 2015 Info: Start MID 164871 ICID 266513
Wed Jul 22 11:59:18 2015 Info: MID 164871 ICID 266513 From: <>
Wed Jul 22 11:59:24 2015 Info: MID 164871 ICID 266513 To: <test@test.com> Rejected by RAT
Wed Jul 22 11:59:29 2015 Info: MID 164871 ICID 266513 To: <test@test.com> Rejected by RAT
Wed Jul 22 11:59:34 2015 Info: MID 164871 ICID 266513 To: <test@test.com> Rejected by RAT
Wed Jul 22 11:59:34 2015 Warning: Dropping connection due to potential Directory Harvest Attack from host=('10.XXX.54.15', 'dhcp-10-XXX-54-15.cisco.com'), dhap_limit=2, sender_group=UNKNOWNLIST, listener=inbound, reverse_dns=10.150.54.15, ICID 266513
Wed Jul 22 11:59:34 2015 Warning: Potential Directory Harvest Attack detected. See the system mail logs for more information about this attack.
Wed Jul 22 11:59:34 2015 Info: Message aborted MID 164871 Receiving aborted
Wed Jul 22 11:59:34 2015 Info: Message finished MID 164871 aborted
Wed Jul 22 11:59:34 2015 Info: ICID 266513 close
