Spam Filter ISP Support Forum

Log file format

stupid48 (Newbie), posted 13 August 2008 at 1:34pm
Hi there,
 
We have been a long time user of your product.  In order for us to allow our helpdesk to search for failed incoming e-mails, I wrote an asp.net application that allows them to search the logs based on a date and an e-mail address.  I noticed that one of the rejected e-mail failure reasons (EmailTO is not in AuthorizedTOEmail list) has a different result at the end of the failure.  Most of the time, a failure ends in the log with either "will be rejected" or "will be disconnected".  These are the phrases that I use to key on in my program.  The failure noted above does not really have a failure notice.  It just ends in "disconnect".  Would it be possible to end this type of failure in the same way that the other failures do?  Maybe in the next version???
 
Here is the log section I am talking about...
 
08/13/08 00:02:37:310 -- (2932) Connection from: 66.xx.xx.205  -  Originating country : United States
08/13/08 00:02:37:435 -- (2932) Received MAIL FROM: administrator@xxxx.xx
08/13/08 00:02:37:450 -- (2932) Received RCPT TO: ckli@xxxxx.gov
08/13/08 00:02:37:466 -- (2932) - EmailTO is not in AuthorizedTOEmail list...
08/13/08 00:02:37:497 -- (2932) Resolving 66.xx.xx.205 - mail.xxxxx.com
08/13/08 00:02:37:700 -- (2932) found SPF record for xxxx.xx: v=spf1 ip4:66.xx.xx.192/27 a mx -all
08/13/08 00:02:37:700 -- (2932) SPF query result: pass
08/13/08 00:02:37:700 -- (2932) - SPF analysis for xxxx.xx done: - pass
08/13/08 00:02:37:700 -- (2932) Mail from: administrator@xxxx.xx
08/13/08 00:02:37:857 -- (2932) - MAPS search done...
08/13/08 00:02:37:857 -- (2932) RCPT TO: ckli@xxxxx.gov accepted
08/13/08 00:02:37:919 -- (2932) Disconnect
 
So what I am looking for is to change "disconnect" to:
 
Mail from: administrator@xxxx.xx To: ckli@xxxxx.gov will be rejected
 
It would be great for us if that could be done, pretty please....
 
Thanks, Chris

LogSat (Admin Group), posted 17 August 2008 at 10:16pm
The behavior when an email is not in the Authorized TO whitelist is dictated by a parameter in the SpamFilter.ini file (DisconnectOnNonAuthorizedTO). Depending on this value, connections can be immediately disconnected when an email address is not in that list, or the rejection will be postponed till later. Partly due to this reason, the rejection message was made different than the other cases several years ago when this list was implemented. Since then, there have been several products and customers who have been parsing SpamFilter's logs for reports, and for this reason we are *very* hesitant to change existing logging syntax, in order to prevent problems for anyone who is relying on the current specific format in their reports.
Roberto Franceschetti

LogSat Software

Spam Filter ISP

stupid48 (Newbie), posted 28 August 2008 at 9:03pm
Thanks for the quick response.  I understand what you are saying.  I set the entry, DisconnectOnNonAuthorizedTO to TRUE and now I get the full "will be disconnected" log entry.  Now, since you have an .ini entry for notauthorizedto to display the disconnected line, could we get some more options for some of the other reasons to get rejected?  For example, the "detected blank HTML email with specified attachment" reason.  It also just displays:
 
08/28/08 14:41:36:282 -- (5272) Detected blank HTML email with specified attachment
08/28/08 14:41:36:344 -- (5272) Blacklist cache - Added 198.190.190.99 to limbo
08/28/08 14:41:36:547 -- (5272) SFDB - Added 198.190.190.99 - Response: Error=0
08/28/08 14:41:36:547 -- (5272) Disconnect
 
Again, it would be nice if we could set a toggle in the .ini similar to the DisconnectOnNonAuthorizedTO option for blank email....
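
Added example (not part of the original posts and not LogSat code): since the log syntax is unlikely to change, a report tool can group lines by the number in parentheses and treat the two reason lines quoted in this thread as rejections even when no "will be rejected" / "will be disconnected" line follows. Assumptions: the parenthesised number identifies one connection until its "Disconnect" line, and the sample log is constructed with placeholder addresses.

```python
import re

LINE = re.compile(r"^\S+ \S+ -- \((\d+)\) (.*)$")
EXPLICIT = ("will be rejected", "will be disconnected")
# Reason lines quoted in the thread that can appear with no verdict phrase after them.
IMPLICIT = ("EmailTO is not in AuthorizedTOEmail list",
            "Detected blank HTML email with specified attachment")

def parse_sessions(lines):
    """Group lines by connection id; a session is closed by its 'Disconnect' line."""
    open_, done = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that are not in the timestamp/id format
        sid, msg = m.groups()
        s = open_.setdefault(sid, {"id": sid, "sender": None, "rcpts": [],
                                   "verdict": "none", "reason": None})
        if msg.startswith("Received MAIL FROM:"):
            s["sender"] = msg.split(":", 1)[1].strip()
        elif msg.startswith("Received RCPT TO:"):
            s["rcpts"].append(msg.split(":", 1)[1].strip())
        elif msg.rstrip(".").endswith(EXPLICIT):
            s["verdict"], s["reason"] = "explicit", msg
        elif s["verdict"] == "none" and any(k in msg for k in IMPLICIT):
            s["verdict"], s["reason"] = "implicit", msg.strip("- .")
        if msg.strip().lower() == "disconnect":
            done.append(open_.pop(sid))
    done.extend(open_.values())  # sessions cut off by the end of the log file
    return done

def rejected_for(sessions, address):
    """Rejected sessions in which the address is the sender or a recipient."""
    a = address.lower()
    return [s for s in sessions if s["verdict"] != "none" and
            a in [(s["sender"] or "").lower()] + [r.lower() for r in s["rcpts"]]]

# Constructed sample log: three interleaved connections.
SAMPLE = """\
08/13/08 00:02:37:435 -- (2932) Received MAIL FROM: admin@example.com
08/13/08 00:02:37:440 -- (3100) Received MAIL FROM: news@example.org
08/13/08 00:02:37:450 -- (2932) Received RCPT TO: user@example.net
08/13/08 00:02:37:455 -- (3100) Received RCPT TO: user@example.net
08/13/08 00:02:37:466 -- (2932) - EmailTO is not in AuthorizedTOEmail list...
08/13/08 00:02:37:500 -- (3100) Mail from: news@example.org To: user@example.net will be rejected
08/13/08 00:02:37:510 -- (3100) Disconnect
08/13/08 00:02:37:857 -- (2932) RCPT TO: user@example.net accepted
08/13/08 00:02:37:919 -- (2932) Disconnect
08/13/08 00:02:38:100 -- (4000) Received RCPT TO: user@example.net
08/13/08 00:02:38:200 -- (4000) Disconnect
""".splitlines()
```

The "implicit" verdict keeps the two cases apart in a helpdesk report, so a session flagged only by its reason line can be checked against the DisconnectOnNonAuthorizedTO setting.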