06-28-2011 08:07 AM
Is it possible to find the email sender ip address in Ironport logs?
We recently had a virus outbreak: an infected computer - that no one could find - was sending out email. Locating the computer would help this situation out.
06-28-2011 05:38 PM
Greetings,
It is possible to locate the original sender's IP in the mail logs; this would be listed under the ICID (injection connection ID). However, if this is an outbound message that originated from within your organization, it would have likely been routed through your mail server first. In most cases this means that the IP that will show up in the ICID will be that of your mail server that is specified in the relaylist sender group. If this is an outgoing message, then the only way that the PC's IP would show up in the mail logs would be if the PC's IP was allowed to relay outbound through the appliance.
You can locate the ICID for a message using the mail logs by first searching for something in the message, such as the sender, recipient or subject, using the grep command in the CLI. The results will give you a MID, which you can then perform a grep search on to locate the ICID.
You may also be able to obtain this data from the message headers; however, those are not stored on the IronPort appliance. The message header may or may not contain the IP of the workstation PC depending on the mail routing used in your environment. In most cases customers elect to have the mail routed from the workstation to the mail server, such as Exchange, and then the mail server relays the message out through the IronPort appliance. In this scenario the best bet is to consult the logs on Exchange.
Below is some more specific information on searching the mail logs on the appliance using grep.
USING GREP
The first challenge, when searching mail logs, is to find your message. This can be done by searching for the sender, the recipient or for the Subject. Once you have found your message it is important to understand how the mail logs are organized. IronPort mail log events are given acronyms. The most important events are ICID > MID > RID > DCID.
ICID (Injection Connection ID): When a remote host establishes a connection to the appliance, that connection is assigned an ICID. One ICID can spawn many MIDs.
Note: An ‘ICID 0’ defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loopback address of the device.
MID (Message ID): Once a connection is established, each successful SMTP "mail from:" command creates a new MID. A single MID can spawn many RIDs.
RID (Recipient ID): Each recipient (To: CC: or BCC:) will get a RID. RIDs only spawn multiple DCIDs if there is a soft bounce (connection error) and delivery is re-attempted.
DCID (Delivery Connection ID): Each recipient going to the same destination domain will get the same DCID, up to the limits of the receiving system -- so if a message's recipients are all going to the same domain, then there will be one DCID for all of the RIDs. If, instead, each RID is going to a separate domain, then there will be a one-to-one correlation.
Note: A ‘DCID 0’ defines a message that was never sent out. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the local loopback address of the device.
Generally, when you find your message, you will find its MID. Then you grep for the MID and determine the ICID and RID. Using the ICID you can determine the SenderBase Reputation Score (SBRS) for the sender. Using the RID and then the DCID you can determine what happened when the ESA attempted delivery.
NOTE: Once you have the MID, ICID and DCID, you can retrieve all rows for that message in one grep, assuming that the message's beginnings are not older than your oldest mail log:
example.com> grep -e " MID 11123" -e " ICID 11092" -e " DCID 23349" mail_logs
1) Here is an example using the message subject:
example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
[]> test
Do you want this search to be case insensitive? [Y]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
Mon Jan 23 10:25:03 2006 Info: SMTP listener testpairlist starting
Tue Jan 24 12:10:15 2006 Info: Message aborted MID 8 Dropped by filter
'testdrop'
Tue Jan 31 23:55:38 2006 Info: MID 32 Subject 'testmsgquarantine'
Wed Feb 1 00:23:59 2006 Info: MID 62 Subject 'testmsgquarantine'
Wed Feb 1 00:27:48 2006 Info: MID 64 Subject 'testmsg2'
Wed Feb 1 22:30:37 2006 Info: MID 80 Subject 'test zip'
Wed Feb 1 22:37:51 2006 Info: MID 83 Subject 'FW: test zip'
Wed Feb 1 22:41:50 2006 Info: MID 84 Subject 'FW: test zip'
Fri Feb 3 15:17:47 2006 Info: MID 94 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Here I got several matches that contained "test" in the subject. I know that the message I'm looking for was sent at about 3:42pm, so I choose that Message ID for my next search.
Note:
*Do you want this search to be case insensitive? [Y]> Yes to this question will find entries regardless of case.
*Do you want to tail the logs? [N]> Yes to this question will only find new entries as they are generated. It will not search all log files. Choose No to search all logs.
*Do you want to paginate the output? [N]> Yes to this question will display entries one page at a time. This is useful if you are doing a general search and expect to retrieve many entries. This stops the entries from scrolling off of the display.
2) Search for the message ID (MID):
mail.example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
[]> MID 96
Do you want this search to be case insensitive? [Y]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example10.com>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To:
<nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID
'<4o8836$30@mail.example.com>'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from
<bob@example10.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 matched all recipients for
per-recipient policy DEFAULT in the outbound table
Fri Feb 3 15:42:06 2006 Info: MID 96 antivirus negative
Fri Feb 3 15:42:06 2006 Info: MID 96 queued for delivery
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: Message done DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: MID 96 RID [0] Response '2.6.0
<4o8836$30@mail.example.com> Queued mail for delivery'
Fri Feb 3 15:42:06 2006 Info: Message finished MID 96 done
Notice that the MID entries give you more information about the processing of the message. The MID entries also reference the Incoming Connection ID (ICID) and the Delivery Connection ID (DCID). If you want to know more about the incoming connection, grep for the ICID. If you want to know more about what happened when the IronPort attempted delivery, grep for the DCID.
3) I am interested in finding where the message was delivered, so I grep for the DCID:
mail.example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
[]> DCID 14
Do you want this search to be case insensitive? [Y]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
Fri Feb 3 15:42:06 2006 Info: New SMTP DCID 14 interface 192.168.0.199
address 10.1.1.112 port 25
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: Message done DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:11 2006 Info: DCID 14 close
Notice that the message was delivered from the 192.168.0.199 interface to the host with IP address 10.1.1.112 over port 25.
If delivery was not attempted, but the message was ‘queued for delivery’, this shows the system may be having difficulty communicating with the destination server. You can use ‘hoststatus’ from the CLI to see if the status of the recipient host is Down and to verify that the Ordered IPs match either your smtproutes for the destination domain or the public MX records, as applicable.
I hope that helps.
Christopher C Smith
CSE
Cisco IronPort Customer Support
12-08-2017 01:27 PM
Not very helpful. The original poster wanted to know where the message might have come FROM. You started focusing on that, but then reverted to focusing on details about sending the message OUT from IronPort.
So I have the ICID, now what? How do I get details about the incoming connection? THAT is what we're looking for, not details about the DCID.
12-08-2017 09:08 PM
The ICID should log information on which IP the connection came from and to which interface on the ESA it was injected to.
Wed Aug 9 19:15:46 2017 Info: New SMTP ICID 3 interface Management (10.106.36.202) address 10.106.36.94 reverse dns host unknown verified no
So, for instance, in the above the connection came from 10.106.36.94 to ESA interface 10.106.36.202.
ESA does not log details beyond the mentioned IP as it sees only a single source.
Regards,
Libin Varghese
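The subject -> MID -> ICID -> source IP pivot from Chris's grep walkthrough, combined with the "New SMTP ICID ... address" line format Libin quotes, as an added Python example (not code from the thread or from Cisco). It runs over constructed mail_logs lines that follow the formats quoted above, and also counts injected messages per connecting IP, which is what you would look at when hunting a single host spewing mail; the regexes and function names are my own assumptions about the log format.

```python
import re
from collections import Counter

# Constructed sample mail_logs lines in the formats quoted in this thread; not real appliance logs.
SAMPLE_LOGS = """\
Wed Aug  9 19:15:46 2017 Info: New SMTP ICID 3 interface Management (10.106.36.202) address 10.106.36.94 reverse dns host unknown verified no
Wed Aug  9 19:15:47 2017 Info: Start MID 96 ICID 3
Wed Aug  9 19:15:47 2017 Info: MID 96 ICID 3 From: <bob@example10.com>
Wed Aug  9 19:15:47 2017 Info: MID 96 Subject 'test'
Wed Aug  9 19:15:48 2017 Info: New SMTP ICID 4 interface Management (10.106.36.202) address 10.106.36.95 reverse dns host unknown verified no
Wed Aug  9 19:15:49 2017 Info: Start MID 97 ICID 4
Wed Aug  9 19:15:49 2017 Info: MID 97 Subject 'FW: test zip'
Wed Aug  9 19:15:50 2017 Info: Start MID 98 ICID 4
Wed Aug  9 19:15:50 2017 Info: MID 98 Subject 'invoice'
"""

# "New SMTP ICID <n> interface ... address <ip>" ties an injection connection to its source IP.
ICID_RE = re.compile(r"New SMTP ICID (\d+) interface .*? address (\d+(?:\.\d+){3})")
START_RE = re.compile(r"Start MID (\d+) ICID (\d+)")      # "Start MID <mid> ICID <icid>"
SUBJECT_RE = re.compile(r"MID (\d+) Subject '(.*)'")      # "MID <mid> Subject '...'"

def parse_mail_logs(text):
    """Index the log: ICID -> connecting IP, MID -> ICID, MID -> subject."""
    icid_ip, mid_icid, mid_subject = {}, {}, {}
    for line in text.splitlines():
        if m := ICID_RE.search(line):
            icid_ip[int(m.group(1))] = m.group(2)
        elif m := START_RE.search(line):
            mid_icid[int(m.group(1))] = int(m.group(2))
        elif m := SUBJECT_RE.search(line):
            mid_subject[int(m.group(1))] = m.group(2)
    return icid_ip, mid_icid, mid_subject

def find_sender_ips(text, subject_pattern, case_insensitive=True):
    """Subject -> MID -> ICID -> IP, like the manual grep steps. Returns (mid, subject, icid, ip)
    tuples; ip is None when the ICID line is older than the oldest retained log."""
    icid_ip, mid_icid, mid_subject = parse_mail_logs(text)
    pat = re.compile(subject_pattern, re.IGNORECASE if case_insensitive else 0)
    hits = []
    for mid in sorted(mid_subject):
        if pat.search(mid_subject[mid]):
            icid = mid_icid.get(mid)
            hits.append((mid, mid_subject[mid], icid, icid_ip.get(icid)))
    return hits

def mids_per_source(text):
    """Messages injected per connecting IP: a burst from one internal address is the
    signature of the infected machine the original question is trying to locate."""
    icid_ip, mid_icid, _ = parse_mail_logs(text)
    return Counter(icid_ip.get(icid) for icid in mid_icid.values())
```

If the appliance only ever sees your Exchange server's IP (the relaylist case Chris describes), the per-source count will collapse to that one address and the pivot has to continue in the Exchange logs using the Message-ID.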
07-06-2011 10:51 PM
Greetings,
In addition to Chris's suggestions, you can also obtain the Message-ID from the mail logs and search for it in your mail server (assuming it is Exchange server) to find the source of the sending IP address.
Hope this information helps.
Regards,
Jyothi Gandla
Customer Support Engineer