Display journal QZMF and look for QTSMTPSRVP jobs. There will be a
lot of QTSMTPSRVP entries and you will have to look in a lot of them for the
IP address.  The entry should end with something like this: LIN TO SRVR
191.174.01.01


Guy Murphy
murphyfa@xxxxxxxx
UADIS at the University of Illinois
217-333-8670
http://www.heisercoaching.com

-----Original Message-----
From: Douglas Handy [mailto:dhandy1@xxxxxxxxxxxxx]
Sent: Wednesday, May 14, 2003 3:57 PM
To: MIDRANGE-L@xxxxxxxxxxxx
Subject: Tracking source of outbound SMTP messages


When using the SMTP server in V5R1, how can you trace the source of the
mail?

I have a client infected by the Fizzer virus earlier this week.  They updated
the virus definitions and cleaned each PC where they were aware it occurred.
But there is still a lot of outbound mail happening, or so it seems.

Using NETSTAT *CNN, there are a few copies (typically 4) where the remote
address is their ISP's mail server, the remote port is smtp, and the outbound
byte counts just keep rising.  But they can't figure out which PC(s) may be
the culprit.  The ones they knew were previously infected now test clean (per
vendor tool reports anyway).

Scrolling through the NETSTAT *CNN lists, none of the local PC's show up with
smtp as the local port.  Relay is blocked via Ops Navigator configuration.

How can I find the IP address of the machine(s) sending the mail?

I tried CHGSMTPA to turn on journaling, but QUSRSYS/QZMF doesn't seem to tell
me much either.

They are normally a real low volume mail environment, so the built-in SMTP
server has been sufficient for them.  But it doesn't keep logs (that I can
find), and they can't figure out what PC(s) might still be infected.

Any advice?

Doug

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
