Simple Mail Transfer Protocol (SMTP) Servers
Most e-mail is sent using the Simple Mail Transfer Protocol (SMTP). In some investigations, SMTP servers, also called Mail Transport Agents (MTAs), provide an important source of evidence. We are not referring to an e-mail itself, but rather the logs generated by servers that handle e-mail. For example, if you detect that one of your users received a phishing e-mail, how can you determine if it was sent to anyone else? In enterprises that span the globe, local laws and policy may prevent you from searching everyone’s e-mail boxes. In addition, you may have numerous servers with terabytes of data—the search could take days. SMTP servers that maintain logs—ideally in a central location—can help you quickly answer that question.

CAUTION: You may wonder why we don’t go into e-mail storage and retrieval topics in this chapter—or in the book. Not only are enterprise e-mail systems complex, but there are many legal and policy issues associated with accessing someone’s e-mail. It’s best for a responder to consult with e-mail administrators and legal counsel, at a minimum, before attempting to access e-mail content as part of an investigation. There’s likely an established procedure you need to follow.
Next, we’d like to provide a brief explanation of how e-mail is transferred. An end user’s e-mail client submits an e-mail to a local SMTP server, and that server takes care of handling the e-mail so that it makes its way to its final destination. The path the e-mail takes may involve passing through other e-mail servers, or it may be delivered directly to the destination server. By default, SMTP servers listen for connections on TCP port 25. Once the e-mail is at the destination server, the recipient’s e-mail client will indicate there is a new e-mail. Of course, there are many details we glossed over, but that is a basic description of how e-mail flows. If you are interested in reading more about SMTP, you can check out RFC 5321.
Each server that handles an e-mail may create a log entry that records e-mail metadata and the server’s disposition. Logging is enabled by default on popular SMTP servers, so in most cases this information is available for you to use. Exactly what questions you can use those logs to answer depends on what the logs contain. We’ll talk more on that in a moment. Here are some common questions we use e-mail server logs to answer:
- Who sent or received an e-mail: This is normally based on metadata details, such as the date and time, size, subject, sender, or recipient. We perform this search to answer questions such as the one we asked earlier—who received a phishing e-mail? Was it forwarded to anyone else?
- All e-mail sent to or from a user: This broadens the search related to a specific user. If evidence suggests an account was compromised, or sustained malicious activity occurred, it might be useful to see a complete summary of all e-mail sent to or from a user.
- All e-mail sent to or from another SMTP server: In the case of phishing campaigns, where attackers send many e-mails over a sustained period of time, you may be able to identify SMTP servers they are using. You can perform a search for those servers in the logs, in an attempt to uncover additional malicious activity.
Because e-mail server logs only contain metadata about e-mail, there are many similar fields across different e-mail server solutions. Some of the more common SMTP servers we encounter are Postfix, Sendmail, and Microsoft Exchange. Each of those servers, by default, logs the following information about every e-mail it handles:
- Date and time received or sent
- Unique local identifier
- IP address or hostname of source and destination e-mail servers
- E-mail address of the sender and receiver
- E-mail size
Additional fields are logged by default on some servers, such as the e-mail subject field on Microsoft Exchange. The Sendmail and Postfix logging configuration can be customized to also include the e-mail subject in log files. Each e-mail server has extensive additional features, including further enhancements to logging, which are outside of the scope of this book. The following links are to the documentation each product provides:
For the common SMTP servers we mentioned earlier, we’re going to discuss where logs are located and provide sample log entries. The logs for all three servers are stored in plain text by default, so you can use standard text utilities to view and process them.
Let’s get started with looking at the Postfix server.
Postfix is a popular SMTP server that is commonly deployed on Unix or Linux-based servers. Postfix directs its logging to the local syslog server through the syslog protocol. Syslog handles the log messages according to its configuration. On some systems, the default mail-related log is /var/log/maillog or /var/log/mail.log. However, because the file path and name varies widely between different operating systems, you should always examine the local syslog configuration to determine the path of the log. Three common syslog servers and their associated configuration files or paths are:
- Syslog: The default configuration file is /etc/syslog.conf.
- Syslog-ng: The default configuration file is /etc/syslog-ng/syslog-ng.conf.
- Rsyslog: The default configuration file is /etc/rsyslogd.conf, with additional configuration files in the directory /etc/rsyslog.d.
The filenames and paths for syslog configuration files may vary. You should consult with the system administrator if you have difficulty locating the configuration file.
The following log entries are the result of a fictitious e-mail from firstname.lastname@example.org to email@example.com:
```
Feb 3 01:01:12 util-ubuntu postfix/smtpd: connect from unknown[172.20.63.1]
Feb 3 01:01:12 util-ubuntu postfix/smtpd: 307DF802B3: client=unknown[172.20.63.1]
Feb 3 01:01:12 util-ubuntu postfix/cleanup: 307DF802B3: message-id=<>
Feb 3 01:01:12 util-ubuntu postfix/qmgr: 307DF802B3: from=<firstname.lastname@example.org>, size=446, nrcpt=1 (queue active)
Feb 3 01:01:12 util-ubuntu postfix/smtpd: disconnect from unknown[172.20.63.1]
Feb 3 01:01:14 util-ubuntu postfix/smtp: 307DF802B3: to=<email@example.com>, relay=mail.evil.example[10.14.168.11]:587, delay=2, delays=0.06/0.07/0.77/1.1, dsn=2.0.0, status=sent (250 ok 1391410861 qp 14129 by xmail01.evil.example)
Feb 3 01:01:14 util-ubuntu postfix/qmgr: 307DF802B3: removed
```
In this case, the e-mail client connected from an IP address of 172.20.63.1, and submitted a 446-byte message. Postfix then discovered an appropriate destination e-mail server (in this case, xmail01.evil.example) and successfully submitted the message. Because syslog log files are normally in plain text, you can use any text-processing tool, such as grep, to search for items of interest.
Sendmail, like Postfix, is commonly found on Unix and Linux-based systems. Sendmail directs its logging to the local syslog service, so the same conditions and issues related to Postfix syslog logging also apply to Sendmail. The following are two sample log entries from Sendmail:
```
Feb 20 14:03:13 mail sendmail: s1KJ39AQ014274: from=<firstname.lastname@example.org>, size=7779, class=-30, nrcpts=1, msgid=<COL0-MC3-F3967350980D9E82EBFC23CF9A0@phx.gbl>, proto=ESMTP, daemon=MTA, relay=mail.evil.example [10.14.168.11]
Feb 20 14:03:16 mail sendmail: s1KJ39AQ014274: to=<email@example.com>, delay=00:00:04, xdelay=00:00:03, mailer=local, pri=91965, dsn=2.0.0, stat=Sent
```
In this case, an e-mail was received from firstname.lastname@example.org, from the host mail.evil.example, and was delivered to email@example.com on the local server.
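Both Postfix and Sendmail spread one message over several syslog lines that share only the queue identifier (307DF802B3 and s1KJ39AQ014274 above), so a plain grep for an address shows the from= or the to= line but not the delivery outcome. The following added example (not code from the book) joins those lines on (host, queue id) and answers the three questions listed earlier; the sample log is constructed from the abridged Postfix and Sendmail entries shown above, and the regular expressions are assumptions about the two log formats, not a complete grammar for either.

```python
import re

# Constructed sample: the Postfix and Sendmail entries quoted above (abridged).
SAMPLE_LOG = """\
Feb 3 01:01:12 util-ubuntu postfix/smtpd: connect from unknown[172.20.63.1]
Feb 3 01:01:12 util-ubuntu postfix/smtpd: 307DF802B3: client=unknown[172.20.63.1]
Feb 3 01:01:12 util-ubuntu postfix/qmgr: 307DF802B3: from=<firstname.lastname@example.org>, size=446, nrcpt=1 (queue active)
Feb 3 01:01:14 util-ubuntu postfix/smtp: 307DF802B3: to=<email@example.com>, relay=mail.evil.example[10.14.168.11]:587, delay=2, dsn=2.0.0, status=sent (250 ok)
Feb 3 01:01:14 util-ubuntu postfix/qmgr: 307DF802B3: removed
Feb 20 14:03:13 mail sendmail: s1KJ39AQ014274: from=<firstname.lastname@example.org>, size=7779, nrcpts=1, proto=ESMTP, relay=mail.evil.example [10.14.168.11]
Feb 20 14:03:16 mail sendmail: s1KJ39AQ014274: to=<email@example.com>, delay=00:00:04, mailer=local, dsn=2.0.0, stat=Sent
"""
LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "                      # syslog prefix
                  r"(?P<prog>[\w/.-]+)(?:\[\d+\])?: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")  # program, queue id
KV = re.compile(r"(\w+)=(<[^>]*>|[^,\s]+(?: \[[^\]]*\])?)")  # key=value; keeps Sendmail's "host [ip]" together

def correlate(log_text):
    """Join all lines of one message on (host, queue id); returns {key: record}."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # connect/disconnect lines carry no queue id
        rec = msgs.setdefault((m["host"], m["qid"]), {"host": m["host"], "qid": m["qid"],
                                                        "from": None, "origin": None, "to": []})
        kv = {k: v.strip("<>") for k, v in KV.findall(m["rest"])}
        if "client" in kv:                 # Postfix: submitting host is on the smtpd line
            rec["origin"] = kv["client"]
        if "from" in kv:                   # Sendmail: source relay is on the from= line
            rec["from"], rec["origin"] = kv["from"].lower(), rec["origin"] or kv.get("relay")
        if "to" in kv:                     # one line per recipient; Sendmail spells status "stat="
            rec["to"].append({"addr": kv["to"].lower(), "relay": kv.get("relay"), "ts": m["ts"],
                              "status": (kv.get("status") or kv.get("stat") or "").lower()})
    return msgs

def recipients_from(msgs, sender):
    """Who received mail from this sender, and was it actually delivered?"""
    return sorted((r["host"], r["qid"], t["addr"], t["status"])
                  for r in msgs.values() if r["from"] == sender.lower() for t in r["to"])

def mail_involving(msgs, address):
    """Every message sent to or from one address."""
    a = address.lower()
    return sorted((r["host"], r["qid"]) for r in msgs.values()
                  if r["from"] == a or any(t["addr"] == a for t in r["to"]))

def via_server(msgs, server):
    """Messages that came from, or were relayed to, a given SMTP server (name or IP)."""
    return sorted((r["host"], r["qid"]) for r in msgs.values()
                  if server in (r["origin"] or "") or any(server in (t["relay"] or "") for t in r["to"]))
```

Real logs contain many other line types (bounces, deferrals, reinjections) and a queue id is reused after the message is removed, so in practice key the records on the date as well.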
Microsoft Exchange records log data equivalent to Postfix and Sendmail. The logs are called Message Tracking logs, and they are enabled by default. If you find that message tracking logs are not present, you can check to see if they are enabled in the Exchange admin center, under Servers | Edit | Transport Logs.
Similar to Microsoft IIS, the message-tracking logs are in W3C format, with informational lines at the beginning of the log, followed by actual log events. For Exchange 2013, the message-tracking logs are in the directory %ExchangeInstallPath%\TransportRoles\Logs\MessageTracking, and the files are named MSGTRK<yyyymmdd>-<n>.log, where <yyyymmdd> is the four-digit year and two-digit month and day of month. The <n> is an instance number that is incremented as needed during log rollover. Additional information about message-tracking log files is available at the following link:
The following log entries are an excerpt from an Exchange 2013 server:
```
#Software: Microsoft Exchange Server
#Version: 15.00.0516.025
#Log-type: Message Tracking Log
#Date: 2014-02-21T00:09:24.131Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2014-02-21T01:38:46.806Z,10.0.2.15,WIN-13C1F1N1KA5.test.org,10.0.2.15,WIN-13C1F1N1KA5,08D0FCBA635FB9AF;2014-02-21T01:38:46.447Z;0,WIN-13C1F1N1KA5\Default WIN-13C1F1N1KA5,SMTP,RECEIVE,21474836514,<7d3c619a-1e64-4600-a2be-c96055aa3612@WIN-13C1F1N1KA5.test.org>,4300205ec92949755aa208d0fcbccbf2,Administrator@test.org,,1356,1,,,,firstname.lastname@example.org,email@example.com,0cA: ,Undefined,,192.168.200.154,192.168.200.155,S:FirstForestHop=WIN-13C1F1N1KA5.test.org;S:ProxiedClientIPAddress=192.168.200.154;S:ProxiedClientHostname=me;S:ProxyHop1=WIN-13C1F1N1KA5.test.org(192.168.200.155)
```
In this example, an e-mail client at the IP address 192.168.200.154 connected to the server at IP address 192.168.200.155 and submitted a message from firstname.lastname@example.org to the local account Administrator@test.org.
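Because the column order is declared by the #Fields line rather than fixed, a parser should take its column names from that header instead of hard-coding positions. The following added example (not code from the book or from Microsoft) does that with the csv module and then answers the "who received mail from this sender" question; the sample is constructed from the header and RECEIVE event above (custom-data abridged) plus one constructed DELIVER event for the same message, and it assumes, per the Exchange documentation, that recipient-address may hold several addresses separated by semicolons.

```python
import csv

# Constructed sample: the Exchange 2013 header and RECEIVE event quoted above
# (custom-data abridged) plus one constructed DELIVER event for the same message.
SAMPLE = r"""#Software: Microsoft Exchange Server
#Version: 15.00.0516.025
#Log-type: Message Tracking Log
#Date: 2014-02-21T00:09:24.131Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2014-02-21T01:38:46.806Z,10.0.2.15,WIN-13C1F1N1KA5.test.org,10.0.2.15,WIN-13C1F1N1KA5,08D0FCBA635FB9AF;2014-02-21T01:38:46.447Z;0,WIN-13C1F1N1KA5\Default WIN-13C1F1N1KA5,SMTP,RECEIVE,21474836514,<7d3c619a-1e64-4600-a2be-c96055aa3612@WIN-13C1F1N1KA5.test.org>,4300205ec92949755aa208d0fcbccbf2,Administrator@test.org,,1356,1,,,,firstname.lastname@example.org,email@example.com,0cA: ,Undefined,,192.168.200.154,192.168.200.155,S:FirstForestHop=WIN-13C1F1N1KA5.test.org;S:ProxiedClientIPAddress=192.168.200.154
2014-02-21T01:38:47.010Z,,WIN-13C1F1N1KA5,,WIN-13C1F1N1KA5,,,STOREDRIVER,DELIVER,21474836514,<7d3c619a-1e64-4600-a2be-c96055aa3612@WIN-13C1F1N1KA5.test.org>,4300205ec92949755aa208d0fcbccbf2,Administrator@test.org;user2@test.org,,1356,2,,,"Invoice, urgent",firstname.lastname@example.org,email@example.com,,Incoming,,192.168.200.154,,
"""

def parse_tracking_log(text):
    """Yield one dict per event, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):                  # informational header lines
            if line.startswith("#Fields:"):       # column order comes from the file, never hard-coded
                fields = line[len("#Fields:"):].strip().split(",")
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        row = next(csv.reader([line]))            # csv handles quoted fields such as subjects with commas
        if len(row) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(row)}: {line[:60]}")
        yield dict(zip(fields, row))

def recipients(event):
    """recipient-address may list several addresses separated by ';' (assumption from the Exchange docs)."""
    return [r.strip().lower() for r in event["recipient-address"].split(";") if r.strip()]

def who_received(text, sender):
    """Who got mail from this sender? Returns {recipient: [(date-time, event-id, original-client-ip), ...]}."""
    seen = {}
    for e in parse_tracking_log(text):
        if e["sender-address"].lower() != sender.lower():
            continue
        for r in recipients(e):
            seen.setdefault(r, []).append((e["date-time"], e["event-id"], e["original-client-ip"]))
    return seen
```

Keying on network-message-id (the same value on the RECEIVE and DELIVER rows above) lets you follow one message across several servers' log files.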