Finding the Sender

The-Messenger
Level 1

Is it possible to find the email sender ip address in Ironport logs?

We recently had a virus outbreak: an infected computer - that no one could find - was sending out email. Locating the computer would help this situation out.

4 Replies

Greetings,

It is possible to locate the original sender's IP in the mail logs; this would be listed under the ICID (injection connection ID). However, if this is an outbound message that originated from within your organization, it would have likely been routed through your mail server first. In most cases this means that the IP that will show up in the ICID will be that of your mail server that is specified in the relaylist sender group. If this is an outgoing message, then the only way the PC's IP would show up in the mail logs would be if the PC's IP was allowed to relay outbound through the appliance.

You can locate the ICID for a message using the mail logs by first searching for something in the message, such as the sender, recipient or subject, using the grep command in the CLI. The results will give you a MID, which you can then perform a grep search on to locate the ICID.

You may also be able to obtain this data from the message headers; however, those are not stored on the IronPort appliance. The message header may or may not contain the IP of the workstation PC, depending on the mail routing used in your environment. In most cases customers elect to have the mail routed from the workstation to the mail server, such as Exchange, then the mail server relays the message out through the IronPort appliance. In this scenario the best bet is to consult the logs on Exchange.

Below is some more specific information on searching the mail logs on the appliance using grep.

USING GREP

The first challenge, when searching mail logs, is to find your message. This can be done by searching for the sender, the recipient or for the Subject. Once you have found your message it is important to understand how the mail logs are organized. IronPort mail log events are given acronyms. The most important events are ICID > MID > RID > DCID.

ICID (Injection Connection ID): When a remote host establishes a connection to the appliance, that connection is assigned an ICID. One ICID can spawn many MIDs.

Note: An ‘ICID 0’ defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.

MID (Message ID): Once a connection is established, each successful SMTP "mail from:" command creates a new MID. A single MID can spawn many RIDs.

RID (Recipient ID): Each recipient (To:, CC: or BCC:) will get a RID. RIDs only spawn multiple DCIDs if there is a soft bounce (connection error) and delivery is re-attempted.

DCID (Delivery Connection ID): Each recipient going to the same destination domain will get the same DCID, up to the limits of the receiving system -- so if a message's recipients are all going to the same domain, then there will be one DCID for all of the RIDs. If instead each RID is going to a separate domain, then there will be a one-to-one correlation.

Note: A ‘DCID 0’ defines a message that was never sent out. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loop address of the device.

Generally, when you find your message, you will find its MID. Then you grep for the MID and determine the ICID and RID. Using the ICID you can determine the SenderBase Reputation Score (SBRS) for the sender. Using the RID and then the DCID you can determine what happened when the ESA attempted delivery.

NOTE: Once you have the MID, ICID and DCID, you can retrieve all rows for that message in one grep, assuming that the message's beginnings are not older than your oldest mail log:

example.com> grep -e " MID 11123" -e " ICID 11092" -e " DCID 23349" mail_logs

1) Here is an example using the message subject:

example.com> grep

Currently configured logs:

16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll

Enter the number of the log you wish to grep.
[]> 16

Enter the regular expression to grep.
[]> test

Do you want this search to be case insensitive? [Y]>

Do you want to tail the logs? [N]>

Do you want to paginate the output? [N]>

Mon Jan 23 10:25:03 2006 Info: SMTP listener testpairlist starting
Tue Jan 24 12:10:15 2006 Info: Message aborted MID 8 Dropped by filter
'testdrop'
Tue Jan 31 23:55:38 2006 Info: MID 32 Subject 'testmsgquarantine'
Wed Feb 1 00:23:59 2006 Info: MID 62 Subject 'testmsgquarantine'
Wed Feb 1 00:27:48 2006 Info: MID 64 Subject 'testmsg2'
Wed Feb 1 22:30:37 2006 Info: MID 80 Subject 'test zip'
Wed Feb 1 22:37:51 2006 Info: MID 83 Subject 'FW: test zip'
Wed Feb 1 22:41:50 2006 Info: MID 84 Subject 'FW: test zip'
Fri Feb 3 15:17:47 2006 Info: MID 94 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'

Here I got several matches that contained "test" in the subject. I know
that the message I'm looking for was sent at about 3:42pm, so I choose
that Message ID for my next search.

Note:
*Do you want this search to be case insensitive? [Y]> Yes to this question will find entries regardless of case.

*Do you want to tail the logs? [N]> Yes to this question will only find new entries as they are generated. It will not search all log files. Choose No to search all logs.

*Do you want to paginate the output? [N]> Yes to this question will display entries one page at a time. This is useful if you are doing a general search and expect to retrieve many entries. This stops the entries from scrolling off of the display.

2) Search for the message ID (MID):

mail.example.com> grep

Currently configured logs:

16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll

Enter the number of the log you wish to grep.
[]> 16

Enter the regular expression to grep.
[]> MID 96

Do you want this search to be case insensitive? [Y]>

Do you want to tail the logs? [N]>

Do you want to paginate the output? [N]>

Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To:
<nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID
'<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from
<bob@example10.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 matched all recipients for
per-recipient policy DEFAULT in the outbound table
Fri Feb 3 15:42:06 2006 Info: MID 96 antivirus negative
Fri Feb 3 15:42:06 2006 Info: MID 96 queued for delivery
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: Message done DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: MID 96 RID [0] Response '2.6.0
<4o8836$30@mail.example.com> Queued mail for delivery'
Fri Feb 3 15:42:06 2006 Info: Message finished MID 96 done

Notice that the MID entries give you more information about the
processing of the message. The MID entries also reference the Incoming
Connection ID (ICID) and the Delivery Connection ID (DCID). If you want
to know more about the incoming connection, grep for the ICID. If you
want to know more about what happened when the IronPort attempted
delivery, grep for the DCID.

3) I am interested in finding where the message was delivered, so I grep
for the DCID:

mail.example.com> grep

Currently configured logs:

16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll

Enter the number of the log you wish to grep.
[]> 16

Enter the regular expression to grep.
[]> DCID 14

Do you want this search to be case insensitive? [Y]>

Do you want to tail the logs? [N]>

Do you want to paginate the output? [N]>

Fri Feb 3 15:42:06 2006 Info: New SMTP DCID 14 interface 192.168.0.199
address 10.1.1.112 port 25
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: Message done DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:11 2006 Info: DCID 14 close

Notice that the message was delivered from the 192.168.0.199 interface
to the host with IP address 10.1.1.112 over port 25.

If delivery was not attempted, but the message was ‘queued for delivery’, this shows the system may be having difficulty communicating with the destination server. You can use ‘hoststatus’ from the CLI to see if the status of the recipient host is Down and to verify that the Ordered IPs match either your smtproutes for the destination domain or the public MX records, as applicable.

I hope that helps......

Christopher C Smith

CSE

Cisco IronPort Customer Support

Not very helpful. The original poster wanted to know where the message might have come FROM. You started focusing on that, but then reverted to focusing on details about sending the message OUT from IronPort.
So I have the ICID, now what? How do I get details about the incoming connection? THAT is what we're looking for, not details about the DCID.

The ICID should log information on which IP the connection came from and to which interface on the ESA it was injected to.

Wed Aug  9 19:15:46 2017 Info: New SMTP ICID 3 interface Management (10.106.36.202) address 10.106.36.94 reverse dns host unknown verified no

So for instance, in the above, the connection came from 10.106.36.94 to ESA interface 10.106.36.202.

ESA does not log details beyond the mentioned IP, as it sees only a single source.

Regards,

Libin Varghese
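The Subject → MID → ICID → source-IP chain Chris walks through above, joined to the "New SMTP ICID ... address" line format Libin shows, as an added offline example in Python (not code from this thread or from Cisco). The `correlate` function and the sample mail_logs lines are constructed for illustration: the 192.168.0.199 interface, ICID 10394, MID 96, DCID 14 and destination 10.1.1.112 are the thread's own values, while the source addresses and the second ICID/MID are made up.

```python
import re

# Constructed mail_logs sample in the IronPort text format quoted in this thread
# (the 192.168.0.199 interface and 10.1.1.112 destination come from the thread;
# the source addresses and ICID 10395 / MID 97 are made up for the example).
SAMPLE_MAIL_LOGS = """\
Fri Feb 3 15:41:40 2006 Info: New SMTP ICID 10394 interface Data1 (192.168.0.199) address 192.168.0.57 reverse dns host unknown verified no
Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 queued for delivery
Fri Feb 3 15:42:06 2006 Info: New SMTP DCID 14 interface 192.168.0.199 address 10.1.1.112 port 25
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:50:01 2006 Info: New SMTP ICID 10395 interface Data1 (192.168.0.199) address 192.168.0.20 reverse dns host unknown verified no
Fri Feb 3 15:50:02 2006 Info: Start MID 97 ICID 10395
Fri Feb 3 15:50:03 2006 Info: MID 97 Subject 'FW: test zip'
Fri Feb 3 15:50:04 2006 Info: MID 97 queued for delivery
"""

# One regex per log event we need: ICID open, MID start, Subject, DCID open, delivery start.
ICID_RE = re.compile(r"New SMTP ICID (\d+) interface \S+ \((\S+)\) address (\S+)")
START_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
SUBJECT_RE = re.compile(r"MID (\d+) Subject '(.*)'")
DCID_RE = re.compile(r"New SMTP DCID (\d+) interface \S+ address (\S+) port (\d+)")
DELIV_RE = re.compile(r"Delivery start DCID (\d+) MID (\d+)")

def correlate(log_text, subject_pattern):
    """Map every MID whose Subject matches subject_pattern (case-insensitive,
    like the CLI grep default) to its ICID source address and, if delivery
    was attempted, its DCID destination. Missing links come back as None."""
    icids, mid_icid, subjects, dcids, mid_dcid = {}, {}, {}, {}, {}
    for line in log_text.splitlines():
        if m := ICID_RE.search(line):           # ICID N ... address <source IP>
            icids[m[1]] = m[3]
        elif m := START_RE.search(line):        # ties MID to its ICID
            mid_icid[m[1]] = m[2]
        elif m := SUBJECT_RE.search(line):
            subjects[m[1]] = m[2]
        elif m := DCID_RE.search(line):         # DCID N ... address <dest IP>
            dcids[m[1]] = m[2]
        elif m := DELIV_RE.search(line):        # ties MID to its DCID
            mid_dcid[m[2]] = m[1]
    pat = re.compile(subject_pattern, re.IGNORECASE)
    result = {}
    for mid, subj in subjects.items():
        if pat.search(subj):
            icid, dcid = mid_icid.get(mid), mid_dcid.get(mid)
            result[mid] = {"subject": subj, "icid": icid, "source_ip": icids.get(icid),
                           "dcid": dcid, "dest_ip": dcids.get(dcid)}
    return result
```

A MID that comes back with `dcid` None while the log shows it ‘queued for delivery’ is the never-attempted case Chris notes; and as Chris and Libin both point out, the `source_ip` is only the infected host itself if that host injected directly rather than through your mail server.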

jgandla
Cisco Employee

Greetings,

In addition to Chris's suggestions, you can also obtain the Message-ID from the mail logs and search for it in your mail server (assuming it is Exchange server) to find the source of the sending IP address.

Hope this information helps.

Regards,

Jyothi Gandla

Customer Support Engineer