Parse logs from Send Connector to collect Anonymous senders


Hi,

I'm trying to restrict usage of open relay for anonymous users in our company. And I need to figure out who exactly uses it, so I turned on logging, but I don't know how to parse it. In the logs I'm getting something like that:

 

2020-01-10T01:01:01.111X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,212,192.168.1.1:21111,192.168.1.2:5565,*,,Proxying inbound session with session id 01C1Z111DD1X11Z1
2020-01-10T01:01:01.111X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,213,192.168.1.1:21111,192.168.1.2:5565,>,RSET,
2020-01-10T01:01:01.112X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,214,192.168.1.1:21111,192.168.1.2:5565,<,250 2.0.0 Resetting,
2020-01-10T01:01:01.112X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,215,192.168.1.1:21111,192.168.1.2:5565,>,XPROXYFROM SID=08D7F721DC0D9A14 IP=215,192.168.1.1 PORT=21111 DOMAIN=CONTOSO.COM SEQNUM=1 PERMS=1077 AUTHsrc=Anonymous,
2020-01-10T01:01:01.113X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,216,192.168.1.1:21111,192.168.1.2:5565,<,250 XProxyFrom accepted,
2020-01-10T01:01:01.113X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,217,192.168.1.1:21111,192.168.1.2:5565,*,,sending message with RecordId 151516 and InternetMessageId <j6hd87fh-55h6-66h6-5g55-k9dj47gk704z@VM1203102312.contoso.com>
2020-01-10T01:01:01.113X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,218,192.168.1.1:21111,192.168.1.2:5565,>,MAIL FROM:<test@contoso.com> SIZE=0 AUTH=<> XMESSAGEVALUE=MediumHigh,
2020-01-10T01:01:01.113X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,219,192.168.1.1:21111,192.168.1.2:5565,>,RCPT TO:<receive@contoso.com>,
2020-01-10T01:01:01.115X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,210,192.168.1.1:21111,192.168.1.2:5565,<,250 2.1.0 Sender OK,
2020-01-10T01:01:01.115X,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,211,192.168.1.1:21111,192.168.1.2:5565,<,250 2.1.5 Recipient OK,

 

I'm hunting for "AUTHsrc=Anonymous" records. Its IP, FROM and TO values. But the amount of records and logs are huge.

How do I parse it? I installed Log Parser Studio, but can't wrap my head around it.

 

2 Replies

@Alex_Riben I would instead use Excel or PowerBI to do the data manipulation you are looking for.

 

  1. Concatenate all the log files into one large CSV
  2. Import the CSV to Excel or Power BI
  3. If Excel, convert it to a table
  4. Filter the column with SMTP commands for "contains AUTHsrc=Anonymous"
  5. Then the Remote IP address will be an IP:Port combination, I would use the text to columns feature on that column, and use colon (:) as a delimiter.
  6. Then use an Excel Pivot table on remote IP ranges and your end result would have the IPs that are sending.

 

Now, the only thing you needed that this doesn't get you is the To and From addresses, which is a bit harder since its a few lines down in the log from the authentication, but now that you did the text to columns above, you can then sort/filter by the sending IP and filter for the "Mail From" and "Rcpt To" lines.

 

Hope this helps.

Chris

 


@Chris Lehr
I used the following query (below) and then moved to XLS to parse it. Worked perfectly.

Thanks for the help.

SELECT session-id,data FROM '[LOGFILEPATH]'
WHERE data LIKE '%IP=%' OR data LIKE 'MAIL FROM:%' OR data LIKE 'RCPT TO:%'
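Both the Excel walkthrough above and the Log Parser query come down to the same correlation: the AUTHsrc=Anonymous marker sits on the XPROXYFROM line, while the envelope sender and recipients arrive a few lines later in the same session. As an added example (not code from either poster), this Python script does that join by session-id rather than by remote IP, so two sessions from the same host are not merged; the log text is a constructed sample modelled on the question's lines, and the non-anonymous AUTHsrc value in the second session is a placeholder.

```python
import csv
import re
from collections import defaultdict
from io import StringIO

# Constructed sample modelled on the question's protocol log lines; session ids,
# IPs and addresses are made up. Real logs start with "#Fields:" header lines.
SAMPLE_LOG = """\
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2020-01-10T01:01:01.111Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,0,192.168.1.1:21111,192.168.1.2:5565,*,,Proxying inbound session with session id 01C1Z111DD1X11Z1
2020-01-10T01:01:01.112Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,1,192.168.1.1:21111,192.168.1.2:5565,>,XPROXYFROM SID=08D7F721DC0D9A14 IP=10.0.0.25 PORT=49152 DOMAIN=CONTOSO.COM SEQNUM=1 PERMS=1077 AUTHsrc=Anonymous,
2020-01-10T01:01:01.113Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,2,192.168.1.1:21111,192.168.1.2:5565,>,MAIL FROM:<test@contoso.com> SIZE=0 AUTH=<> XMESSAGEVALUE=MediumHigh,
2020-01-10T01:01:01.113Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,3,192.168.1.1:21111,192.168.1.2:5565,>,RCPT TO:<receive@contoso.com>,
2020-01-10T01:01:01.114Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z1,4,192.168.1.1:21111,192.168.1.2:5565,>,RCPT TO:<other@example.net>,
2020-01-10T01:01:02.001Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z2,0,192.168.1.1:21112,192.168.1.2:5565,>,XPROXYFROM SID=08D7F721DC0D9A15 IP=10.0.0.26 PORT=49153 DOMAIN=CONTOSO.COM SEQNUM=1 PERMS=1077 AUTHsrc=PLACEHOLDER-NOT-ANONYMOUS,
2020-01-10T01:01:02.002Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z2,1,192.168.1.1:21112,192.168.1.2:5565,>,MAIL FROM:<user@contoso.com> SIZE=0,
2020-01-10T01:01:02.003Z,Inbound Proxy Internal Send Connector,01C1Z111DD1X11Z2,2,192.168.1.1:21112,192.168.1.2:5565,>,RCPT TO:<rcpt@contoso.com>,
"""
IP_RE = re.compile(r"\bIP=([0-9a-fA-F.:]+)")
ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):<([^>]*)>", re.IGNORECASE)

def anonymous_sessions(log_text):
    """Group client commands by session-id and return, for every session that
    carries AUTHsrc=Anonymous, the proxied client IP, sender and recipients."""
    sessions = defaultdict(lambda: {"ip": None, "anonymous": False,
                                    "mail_from": None, "rcpt_to": []})
    for row in csv.reader(StringIO(log_text)):
        if not row or row[0].startswith("#"):
            continue  # skip "#Software:" / "#Fields:" header lines
        if row[6] != ">":
            continue  # only commands the client sent; skip replies and info lines
        # data can itself contain commas (the question's XPROXYFROM line does): rejoin row[7:]
        data = ",".join(row[7:])
        s = sessions[row[2]]
        if data.upper().startswith("XPROXYFROM"):
            s["anonymous"] = "AUTHSRC=ANONYMOUS" in data.upper()
            # remote-endpoint is the proxying frontend; the real client IP is in IP=
            m = IP_RE.search(data)
            s["ip"] = m.group(1) if m else row[5].rsplit(":", 1)[0]
        elif (m := ADDR_RE.match(data)):
            if m.group(1).upper() == "MAIL FROM":
                s["mail_from"] = m.group(2)
            else:
                s["rcpt_to"].append(m.group(2))
    return {sid: s for sid, s in sessions.items() if s["anonymous"]}

if __name__ == "__main__":
    for sid, s in anonymous_sessions(SAMPLE_LOG).items():
        print(sid, s["ip"], s["mail_from"], ";".join(s["rcpt_to"]))
```

To run it against real data, feed the concatenated log files to `csv.reader` in place of `SAMPLE_LOG`; each file's own header lines are skipped by the `#` check.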