Two e-mails with the same smtpd ID?

Two entirely different e-mails with the same smtpd ID?  Can that be correct?  (Emphasis and identity changes made)

2009:05:21-09:26:20 firewall smtpd[25988]: SCANNER[25988]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="64.***.***.***" from="johnqpublic@company.com" to="joe@lawfirm.com" subject="Re: Our New Website" queueid="10UyNc-0006l6-0T" size="48472"

2009:05:21-09:26:33 firewall smtpd[25988]: SCANNER[25988]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="75.***.***.***" from="annsmith@atty.com" to="joe@lawfirm.com" subject="RE: Settlement Agreement and Confidentiality Letter" queueid="10BsQz-0006lH-1w" size="15989"


  • Got a call from an assistant to the recipient end user that the sender received a bounce today, and started looking in the logs for traffic involving that sender.

    After you've identified an instance, one way to isolate and view all the traffic involved in that particular e-mail transaction is to use the ID as your search criteria.  It enables you to see the whole of a transaction "en masse".  A lot easier than parsing through separate lines.

    Anyway, after doing so, I came across the items I posted. I haven't previously studied a lot of smtpd traffic, but then, I haven't noticed two with the same tag before either. Particularly since a bounce occurred and I haven't found any other reason for it to have happened. Maybe it's legit and it queues them up as one transaction? I don't know.

    Any ideas?
  • I don't know how all that works.   Is it possible that atty.com and company.com have email hosted by the same provider?
  • I believe that is the process id .... the queue id later in the logs shows that they are identified as separate emails to Exim.

    ETA: I could be wrong; but I do seem to recall seeing that happen before on my system with no ill effects.
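
The distinction drawn in the last reply, as an added example that is not part of the original posts: the number in `smtpd[25988]` follows the syslog `name[pid]` convention, while `queueid` differs per message, so grouping on `queueid` isolates one e-mail. The sample lines are constructed in the format quoted above (addresses, IPs and queue IDs are made up), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Syslog-style prefix: timestamp, host, daemon name, PID in brackets.
PREFIX = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$')
PAIR = re.compile(r'(\w+)="([^"]*)"')  # key="value" fields; assumes no embedded quotes

# Constructed sample lines in the format quoted in the thread.
SAMPLE = [
    '2009:05:21-09:26:20 firewall smtpd[25988]: SCANNER[25988]: id="1000" severity="info" '
    'sys="SecureMail" sub="smtp" name="email passed" srcip="192.0.2.10" from="a@example.com" '
    'to="joe@example.net" subject="Re: One" queueid="1AAAAA-000001-AA" size="48472"',
    '2009:05:21-09:26:33 firewall smtpd[25988]: SCANNER[25988]: id="1000" severity="info" '
    'sys="SecureMail" sub="smtp" name="email passed" srcip="198.51.100.7" from="b@example.org" '
    'to="joe@example.net" subject="RE: Two" queueid="1BBBBB-000002-BB" size="15989"',
    '2009:05:21-09:27:02 firewall smtpd[26001]: SCANNER[26001]: id="1000" severity="info" '
    'sys="SecureMail" sub="smtp" name="email passed" srcip="203.0.113.5" from="c@example.com" '
    'to="joe@example.net" subject="Three" queueid="1CCCCC-000003-CC" size="2048"',
    'not a log line',  # malformed input is skipped, not fatal
]

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = PREFIX.match(line)
    if not m:
        return None
    rec = dict(PAIR.findall(m.group('rest')))
    rec.update(ts=m.group('ts'), proc=m.group('proc'), pid=int(m.group('pid')))
    return rec

def parse_all(lines):
    """Keep only lines that parsed and carry a queueid."""
    return [r for r in map(parse_line, lines) if r and 'queueid' in r]

def group_by_queueid(records):
    """One bucket per message: queueid, not the PID, is the per-message key."""
    groups = defaultdict(list)
    for r in records:
        groups[r['queueid']].append(r)
    return dict(groups)

def pids_with_multiple_messages(records):
    """PIDs that logged more than one distinct queueid (same process, separate e-mails)."""
    seen = defaultdict(set)
    for r in records:
        seen[r['pid']].add(r['queueid'])
    return {pid: sorted(q) for pid, q in seen.items() if len(q) > 1}

print(pids_with_multiple_messages(parse_all(SAMPLE)))
```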