The other day we were working on a mail server of a customer’s that spammed insanely. Since the mail transfer agent it uses is exim, it’s necessary to check the mainlog files.

Whilst doing that, we realized the server was getting a lot of incoming mails as forgery. So, it is possible to get the IP list of the possible forgerers.

To do this, we need to check the lines that indicate an INCOMING message, and that claims it uses our mail server itself as a sender, but actually connects through a different IP address.

Exim uses the notation for incoming messages, so it is easy to catch.
It also uses the notation H=IP.ADD.RE.SS to state the IP address (or the hostname) of the incoming message. The beauty in this is that, it also gets the real IP address and checks if they match, if they don’t match, then it brackets the H= value like this H=(IP.ADD.RE.SS) and right after that, gives the real IP address with boxed brackets. [REAL.IP.ADD.RESS]

To detect forgeries done in a time period, and getting ONLY the IP address is crutial when you want check those IP addresses with others tools and scripts. So here’s an example grep line :

grep -ohP "(?

The example above, assumes that your mailserver’s IP Address is, of course this won’t be the case since it’s a local ip, so change that with yours.
It also checks for attempts in March 2012, you can also edit this, since we’re using the Perl compatible regular expressions (the -P option of grep) than we can use .. as wildcards for 2 characters (the day indicator).
Since we’re checkig for more than 1 file, (mainlog*) grep will output the filenames too, the -h option is to suppress that.
Also, we’re piping the output to uniq, so that we don’t get multiple results for the same IP address.
Now you can simply redirect these IP addresses to your script/tool or save them for other purpose.

Leave a Reply

Your email address will not be published. Required fields are marked *