Related ip in log viewer - ORF Forums

Related ip in log viewer RSS Back to forum

1

i read a previous post with the same issue which doesnt seem to address the issue

i am running exchange 2013 and have ORF installed on the server where exchange resides. all roles are local to the same machine. mail flows from the outside to the firewall then to the inside host. my network is a 10.x.x.x. network which falls inline with the "built in" intermediate hosts but i have added the /24 of my network in there.

any suggestions?

thanks
John

by john.kesoglou 8 years ago
2

so my copy past didn't put all of the information for the issue i am seeing

The related ip is showing my router ip of 10.10.10.1 and the log viewer is not showing the source of the IP. how do i get orf to report the originating ip??


i read a previous post with the same issue which doesnt seem to address the issue

i am running exchange 2013 and have ORF installed on the server where exchange resides. all roles are local to the same machine. mail flows from the outside to the firewall then to the inside host. my network is a 10.x.x.x. network which falls inline with the "built in" intermediate hosts but i have added the /24 of my network in there.

any suggestions?

thanks
John

Reply

by john.kesoglou 8 years ago
3

Hello John,

The IP address recorded in the “Related IP” field of the ORF log should be interpreted as the IP address related to the logged *event*, which is not necessarily the source IP of the incoming email. Unless the event is directly related to an IP-based test, such as the IP blacklist, IP Whitelist or the SPF Test (etc.), the Related IP field will show the IP address of the last delivery hop - in your case, the IP of your router.

That being said, if any of the relaying intranet hosts (e.g. a firewall) strips the "Received:" header fields (i.e. the delivery history) of the incoming emails, then ORF will not be able to determine the actual source IP of the email and it will use - and log - the wrong IP for its tests. In such a case, you have to review the configuration of the problematic filtering agent or relay host and disable any feature that removes this critical information from the message headers.

If you have any additional questions or require further clarification, just let me know.

by Daniel Novak (Vamsoft) 8 years ago
4

@Daniel Novak (Vamsoft): hi and thank you for the response.

how would i know if my firewall is "stripping" out the headers? i simply have a one to one nat in place on my firewall. is there a way to determine by disabling some tests in orf to see if the originating ip shows up?

thanks again
John

by john.kesoglou 8 years ago
(in reply to this post)

5

You would certainly notice it. When an email is sent over the internet (or any network), each relay host adds its own information -- including its IP address -- and a time-stamp to the email's message header as a "Received:" from line, so the email can be traced back to the original sender by analyzing these header lines. ORF automatically whitelists emails that originate from Class A (10.0.0.0 - 10.255.255.255), Class B (172.16.0.0 - 172.31.255.255) and C (192.168.0.0 - 192.168.255.255) private intranet address ranges - and the local host address (127.0.0.1) - thus, if a relay host between your network perimeter and the ORF server were to wipe out the "Received:"header lines (i.e. the list of previous delivery hops), ORF would whitelist every single incoming email, because it would "think" that they were sent from an internal host. If you want to learn how ORF determines the source IP address exactly, please consult the following article: http://vamsoft.com/support/docs/orf-help/5.4/headeranalysis

In Outlook 2016, 2013 and 2010 the message header can be viewed in the email "Properties" dialog, in the "Internet headers" box: https://support.office.com/en-us/article/View-e-mail-message-headers-cd039382-dc6e-4264-ac74-c048563d212c

by Daniel Novak (Vamsoft) 8 years ago
6

@Daniel Novak (Vamsoft): thank you for the information regarding email headers.....

how do i get the ORF product to show me the originating IP? which tests should i disable/enable?

by john.kesoglou 8 years ago
(in reply to this post)

7

I am afraid you cannot force ORF to log the source IP of the email for all of the recorded events. As I mentioned previously, unless the event is directly related to an IP-based test, ORF logs the IP address of the the last delivery hop (i.e. the IP address of the last connecting host) in all cases, except if the IP is strictly related to the event, such as an IP Whitelist, IP Blacklist, DNS Blacklist or Greylisting (etc.) hit. In other words, you are not guaranteed to see the source IP address, except if the email was blacklisted or whitelisted due to the IP address that ORF checked.

by Daniel Novak (Vamsoft) 8 years ago
8

@Daniel Novak (Vamsoft): have you changed this from previous versions? i used to be able to identify specific IP addresses and blacklist them thus creating a better cleaner spam filtration. also used to be able to block countries as well....

by john.kesoglou 8 years ago
(in reply to this post)

9

Also, what if i change my network outside of the "hard coded" intermediate hosts like 5.x.x.x? in theory, i should be able to see all mail traffic coming in.

is there any chance that i can remove the hard coded intermediate host in order to test?

by john.kesoglou 8 years ago
10

@john.kesoglou: No, there has been no change in ORF in this regard. If you want to see the source IP address of the emails, I suggest that you re-deploy ORF on the network perimeter behind a transparent firewall or assign all tests - where applicable - to the On Arrival filtering point only (on the Filtering > Tests page in the ORF Administration Tool). The email header that contains the delivery history (i.e. the Received header lines) - and is used by ORF to determine the source IP address - is available/transmitted at the On Arrival filtering point only. At Before Arrival, ORF will simply use and log(!) the IP address of the connecting host for the IP-based tests, or if the connecting IP is on the Intermediate Host List, it will wait for the header to arrive and test the email at On Arrival.

As for your second question, hard-coded items and features cannot be modified in ORF. Even if you could remove the hard-coded IP ranges from the Intermediate Host List (IHL), it would not change the fact that ORF does not log the IP address of the actual sender for every event - and you would still need to add the IP address of every single relay host that belongs to your organization (private intranet or external) and that relays emails to the ORF server, otherwise ORF would not be able to determine the correct source IP address of the incoming emails. In any case, if ORF is set to filter the incoming emails first (see: http://vamsoft.com/support/docs/knowledge-base/filtering-order-exch2k13), then you should be able to see *all* the incoming mail traffic.

However, if you do not want to see the IP address of any of your hosts that relay emails to ORF, reconfigure them to work in transparent relay mode or as I mentioned before, move ORF to the network perimeter (see: https://vamsoft.com/support/docs/how-tos/deployment-5.4).

by Daniel Novak (Vamsoft) 8 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2