Exchange Logs Help

Falcon IT Services 226 Reputation points
2022-12-27T21:26:05.92+00:00

Hello, I need some help deciphering the Exchange transport logs. I have several logs that look roughly the same as the ones below, except that the external WAN IP differs, about 100-200 per day, intermittently in bursts. I am not sure if it's backscatter or probes for an open relay. What's puzzling is that the source is the internal Exchange server's IP address, so I believe it may be the server trying to send out an NDR if it's backscatter, OR possibly the server's reply to the sender being denied by our UTM firewall's block list.

The alerts are driving my SOC admin crazy. I cannot blacklist the WAN IPs; there are too many. We have no open relay, SPF -all and ESET security for Exchange. If I can figure out exactly what they are, I can try to block them at the edge without changing the alert monitoring levels.

The red squares indicate where our local Exchange server IP is. Since the local IP is before the remote WAN IP, I'm thinking EXCH is the source, or is it backwards somehow?

[Screenshot: 274299-image.png, Exchange protocol log excerpt]

[Screenshot: 274392-image.png, Exchange protocol log excerpt]

Thanks


2 answers

  1. LilyLi2-MSFT 1,981 Reputation points
    2022-12-28T10:14:55.003+00:00

    Hi @Falcon IT Services ,

    From your screenshot, the Exchange Front End Transport service is receiving e-mail messages.
    By default, the default Receive connector named Default Frontend <ServerName> in the Front End Transport service enables protocol logging.
    And one SMTP conversation that represents receiving a single e-mail message generates multiple SMTP events. Each event is recorded on a separate line in the protocol log.

    You mean you don't want to receive e-mails from those WAN IPs? If so, it is always recommended to blacklist them to block it.

    Reference article: protocol-logging


  2. Falcon IT Services 226 Reputation points
    2022-12-28T15:15:25.417+00:00

    Thank you that's what I suspected, but I wasn't sure because the internal IP was before the WAN IP, usually in router logs I see it the other way around. Thank you for clarifying it for me LilyLi2, have a great Christmas and a happy New Year.
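The point in LilyLi2's answer, that these are SMTP Receive protocol log lines and that the local endpoint is simply printed before the remote endpoint, is easiest to confirm by parsing the log rather than reading it by eye: the `event` column (`+` connect, `-` disconnect, `<` received from the remote host, `>` sent by Exchange, `*` information) tells you who said what, and pairing each `RCPT TO:` with Exchange's next reply tells you whether a recipient was accepted. The following script is an added example, not code from the thread or from Microsoft; the log excerpt inside it is constructed (the column order follows the documented `#Fields` header; the host names, session ids, 192.168.1.10 as the Exchange server, and the RFC 5737 addresses 203.0.113.45, 203.0.113.200 and 198.51.100.7 are made up), and `example.com` is an assumed accepted domain. It classifies each session as a rejected relay probe, a null-sender bounce (what backscatter looks like on the receiving side), an ordinary inbound delivery, or an accepted relay for a foreign domain, which is the one result that would actually mean the server is an open relay.

```python
import csv
from collections import defaultdict

# Constructed sample excerpt of an Exchange SMTP Receive Protocol Log for the
# Default Frontend receive connector (documented column order). Hostnames, session
# ids and addresses are made up; 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737
# documentation ranges and 192.168.1.10 stands in for the Exchange server.
SAMPLE_LOG = """\
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2022-12-27T21:20:01.001Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,0,192.168.1.10:25,203.0.113.45:51234,+,,
2022-12-27T21:20:01.002Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,1,192.168.1.10:25,203.0.113.45:51234,>,"220 exch01.example.com Microsoft ESMTP MAIL Service ready at Tue, 27 Dec 2022 16:20:01 -0500",
2022-12-27T21:20:01.050Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,2,192.168.1.10:25,203.0.113.45:51234,<,MAIL FROM:<probe@attacker.invalid>,
2022-12-27T21:20:01.060Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,3,192.168.1.10:25,203.0.113.45:51234,>,250 2.1.0 Sender OK,
2022-12-27T21:20:01.100Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,4,192.168.1.10:25,203.0.113.45:51234,<,RCPT TO:<victim@gmail.com>,
2022-12-27T21:20:01.110Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,5,192.168.1.10:25,203.0.113.45:51234,>,550 5.7.1 Unable to relay,
2022-12-27T21:20:01.200Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C3,6,192.168.1.10:25,203.0.113.45:51234,-,,Remote
2022-12-27T21:31:10.001Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,0,192.168.1.10:25,198.51.100.7:40022,+,,
2022-12-27T21:31:10.050Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,1,192.168.1.10:25,198.51.100.7:40022,<,MAIL FROM:<alice@partner.example>,
2022-12-27T21:31:10.060Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,2,192.168.1.10:25,198.51.100.7:40022,>,250 2.1.0 Sender OK,
2022-12-27T21:31:10.100Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,3,192.168.1.10:25,198.51.100.7:40022,<,RCPT TO:<bob@example.com>,
2022-12-27T21:31:10.110Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,4,192.168.1.10:25,198.51.100.7:40022,>,250 2.1.5 Recipient OK,
2022-12-27T21:31:10.150Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,5,192.168.1.10:25,198.51.100.7:40022,<,DATA,
2022-12-27T21:31:11.300Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,6,192.168.1.10:25,198.51.100.7:40022,>,250 2.6.0 <msg1@partner.example> Queued mail for delivery,
2022-12-27T21:31:11.400Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C4,7,192.168.1.10:25,198.51.100.7:40022,-,,Remote
2022-12-27T21:45:02.001Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,0,192.168.1.10:25,203.0.113.200:58801,+,,
2022-12-27T21:45:02.050Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,1,192.168.1.10:25,203.0.113.200:58801,<,MAIL FROM:<>,
2022-12-27T21:45:02.060Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,2,192.168.1.10:25,203.0.113.200:58801,>,250 2.1.0 Sender OK,
2022-12-27T21:45:02.100Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,3,192.168.1.10:25,203.0.113.200:58801,<,RCPT TO:<bob@example.com>,
2022-12-27T21:45:02.110Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,4,192.168.1.10:25,203.0.113.200:58801,>,250 2.1.5 Recipient OK,
2022-12-27T21:45:02.150Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,5,192.168.1.10:25,203.0.113.200:58801,<,DATA,
2022-12-27T21:45:03.300Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,6,192.168.1.10:25,203.0.113.200:58801,>,250 2.6.0 <ndr9@mta.attacker.invalid> Queued mail for delivery,
2022-12-27T21:45:03.400Z,EXCH01\\Default Frontend EXCH01,08DAE8F3C2A1B2C5,7,192.168.1.10:25,203.0.113.200:58801,-,,Remote
"""


def parse_protocol_log(text):
    """Return one dict per SMTP event, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("no #Fields header before first event line")
            # the data column is CSV-quoted when it contains commas (the 220 banner does)
            rows.append(dict(zip(fields, next(csv.reader([line])))))
    return rows


def _addr(data):
    """'RCPT TO:<a@b>' -> 'a@b'; 'MAIL FROM:<>' -> '' (null sender, i.e. a bounce)."""
    start, end = data.find("<"), data.rfind(">")
    return (data[start + 1:end] if 0 <= start < end else data.partition(":")[2]).strip().lower()


def classify_session(events, accepted_domains):
    """Walk one session in sequence order. '<' = the remote client sent this to
    Exchange, '>' = Exchange replied. The local endpoint is printed first on every
    line of a receive log regardless of who opened the connection."""
    events = sorted(events, key=lambda e: int(e["sequence-number"]))

    def is_local(addr):
        return addr.rpartition("@")[2] in accepted_domains

    s = {"remote_ip": events[0]["remote-endpoint"].rsplit(":", 1)[0],
         "local_ip": events[0]["local-endpoint"].rsplit(":", 1)[0],
         "mail_from": None, "accepted": [], "rejected": []}
    pending = None  # recipient still waiting for Exchange's per-RCPT verdict
    for e in events:
        data, upper = e["data"], e["data"].upper()
        if e["event"] == "<" and upper.startswith("MAIL FROM:"):
            s["mail_from"] = _addr(data)
        elif e["event"] == "<" and upper.startswith("RCPT TO:"):
            pending = _addr(data)
        elif e["event"] == ">" and pending is not None:
            (s["accepted"] if data.startswith("2") else s["rejected"]).append((pending, data))
            pending = None
    if any(not is_local(r) for r, _ in s["accepted"]):
        s["verdict"] = "RELAY ACCEPTED for a foreign domain: open relay, investigate"
    elif any(not is_local(r) for r, _ in s["rejected"]):
        s["verdict"] = "relay probe rejected (not an open relay)"
    elif s["mail_from"] == "" and s["accepted"]:
        s["verdict"] = "null-sender bounce delivered to local user (possible backscatter)"
    elif s["accepted"]:
        s["verdict"] = "inbound delivery to local user"
    else:
        s["verdict"] = "no recipient accepted"
    return s


def summarize(text, accepted_domains):
    by_session = defaultdict(list)
    for row in parse_protocol_log(text):
        by_session[row["session-id"]].append(row)
    return {sid: classify_session(ev, accepted_domains) for sid, ev in by_session.items()}


if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG, {"example.com"}).items():
        print(f"{sid}  {s['remote_ip']:>15} -> {s['local_ip']}  {s['verdict']}")
```

To run it against a real server, feed `summarize` the contents of the receive log files under `%ExchangeInstallPath%TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive\` and pass the organisation's accepted domains (from Get-AcceptedDomain) instead of the assumed `example.com`; grouping the verdicts by `remote_ip` then gives the per-WAN-IP counts the question asks about. If Exchange were itself sending an NDR, that conversation would appear in the Send connector's `SmtpSend` log with the remote host as the destination, not in this receive log.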

