Richard B. Pyne:
> On 1/22/2016 6:42 PM, Wietse Venema wrote:
> > Richard B. Pyne:
> >> I am seeing thousands (19000 today) of Illegal address syntax errors in
> >> my logs that I suspect are coming from malware attempting to send spam.
> >> The IP address shown is from our corporate firewall. The mail server is
> >> outside.
> >>
> >> We require logging in to send mail, but I can't figure out how to track
> >> the real sender of the bad email addresses.
> >
> > You have the SMTP client IP address, which is the most credible
> > information that you have at this point. Test the address with one
> > of the many websites that will do a "dnsbl check" for you.
>
> All I have is the IP address of the firewall. I'm trying to track it
> back to the user behind that firewall. It is our own corporate office
> firewall. Our mail server is outside that firewall at a separate location.
To get the client IP address, you need firewall logs, or a sensor on
the inside of the firewall. On the mail server side, it may be possible
to determine the client OS type by looking at network packets, for
example with software like p0f (that's 'p', zero, 'f'). Very likely, it
will tell you that the client is a Windows PC.

	Wietse
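One way to do the firewall-log correlation Wietse points at, as an added example that is not part of the original thread: the Postfix "Illegal address syntax" warnings carry a timestamp and the firewall's public address, and joining them against NAT sessions the firewall opened to the mail server within a few seconds before each warning ranks the inside hosts. The sample log lines are constructed, the NAT log format is hypothetical (the thread names no firewall product), and the addresses are documentation ranges; Postfix does not log the client's source port, so the join is by time only.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Postfix syslog lines (real Postfix warning format, sample values).
POSTFIX_LOG = """\
Jan 22 18:40:12 mx postfix/smtpd[1234]: warning: Illegal address syntax from gw.example.net[203.0.113.10] in MAIL command: <bob smith@example.com>
Jan 22 18:40:12 mx postfix/smtpd[1234]: warning: Illegal address syntax from gw.example.net[203.0.113.10] in RCPT command: <x@@example.org>
Jan 22 18:45:30 mx postfix/smtpd[1251]: warning: Illegal address syntax from gw.example.net[203.0.113.10] in MAIL command: <@@>
"""

# Constructed firewall NAT log in a hypothetical format: inside:port -> public:port dst server:port.
FIREWALL_LOG = """\
Jan 22 18:40:11 fw nat: 10.0.0.37:51234 -> 203.0.113.10:40211 dst 198.51.100.25:25
Jan 22 18:40:30 fw nat: 10.0.0.12:49876 -> 203.0.113.10:40212 dst 198.51.100.25:25
Jan 22 18:41:04 fw nat: 10.0.0.12:49880 -> 203.0.113.10:40213 dst 198.51.100.25:25
Jan 22 18:45:29 fw nat: 10.0.0.37:51290 -> 203.0.113.10:40214 dst 198.51.100.25:25
"""

SYSLOG_TS = r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
ILLEGAL_RE = re.compile(SYSLOG_TS + r" .*Illegal address syntax from \S+\[([\d.]+)\]")
NAT_RE = re.compile(SYSLOG_TS + r" .*nat: ([\d.]+):\d+ -> ([\d.]+):\d+ dst ([\d.]+):25\b")

def _grep(log, regex):
    """Yield (timestamp, match) for every line the regex matches."""
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m

def illegal_syntax_events(log, public_ip):
    """Timestamps of Illegal address syntax warnings attributed to public_ip."""
    return [ts for ts, m in _grep(log, ILLEGAL_RE) if m.group(2) == public_ip]

def nat_sessions(log, public_ip, mail_server):
    """(timestamp, inside_ip) for NAT sessions from public_ip to mail_server:25."""
    return [(ts, m.group(2)) for ts, m in _grep(log, NAT_RE)
            if m.group(3) == public_ip and m.group(4) == mail_server]

def suspect_inside_hosts(postfix_log, firewall_log, public_ip, mail_server, window=5):
    """Count, per inside host, NAT sessions opened up to `window` seconds before a warning.
    One match is ambiguous; a host that keeps co-occurring across thousands of warnings is not."""
    events = illegal_syntax_events(postfix_log, public_ip)
    sessions = nat_sessions(firewall_log, public_ip, mail_server)
    hits = Counter()
    for ev in events:
        for ts, inside in sessions:
            if 0 <= (ev - ts).total_seconds() <= window:
                hits[inside] += 1
    return hits
```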