Exchange Logs Help

Question

Hello, I need some help deciphering the Exchange transport logs. I have several logs that look roughly the same as the ones below, except that the external WAN differs, about 100-200 per day, intermittently in bursts. I am not sure if it's back scatter or probes for open relay. What's puzzling is that the source is the internal Exchange server's IP address, so I believe it may be the server trying to send out an NDR if it's back scatter OR possibly the servers reply to the sender being denied by our UTM firewall's block list.

The alerts are driving my SOC admin crazy. I cannot black list the WAN IPs they are too many. We have no open relay, SPF -all and ESET security for Exchange. If I can figure out exactly what they are, I can try to block them at the edge without changing the alert monitoring levels.

The red squares indicate where our local Exchange server IP is. Since the local IP is before the remote WAN IP, I'm thinking EXCH is the source, or is it backwards somehow?

Thanks

Answer 1

Hi @Falcon IT Services ,

From your screenshot, the Exchange Front End Transport service is receiving e-mail messages.
By default, the default Receive connector named Default Frontend <ServerName> in the Front End Transport service enables protocol logging.
And one SMTP conversation that represents receiving a single email message generates multiple SMTP events. Each event is recorded on a separate line in the protocol log

You mean you don't want to receive emails from WAN IPs? If so, it is always recommended to blacklist it to block it.

Reference article: protocol-logging

Answer 2

Thank you that's what I suspected, but I wasn't sure because the internal IP was before the WAN IP, usually in router logs I see it the other way around. Thank you for clarifying it for me LilyLi2, have a great Christmas and a happy New Year.