Print Page | Close Window

Log examples

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
Printed Date: 06 February 2025 at 12:08pm

Topic: Log examples
Posted By: Guests
Subject: Log examples
Date Posted: 26 March 2003 at 12:00am

I would like to know more infroamtion about the log files. What do the numbers between the (XXX) mean, I would like to be able it show what rule the email was rejected by

thanks for any input. HAVE A GREAT DAY !

Posted By: LogSat
Date Posted: 26 March 2003 at 12:00am

In SpamFilter all incoming and outgoing connections are multi-threaded. This means that each email that is received or that is sent is handled by a separate thread. The number in parenthesis (xxx) indicates what the thread with that ThreadID is currently doing.

All log entries are timestamped for when the event took place, and indicate the ID of the thread doing the work at that moment. When an incoming connection is detected, a new thread is spawned to process the incoming connection requests. Once the email msg is received from the remote server, the file is ASCII-queued to a temp file in the queue directory, along with a separate file containing the recipients for the email. At this point the thread terminates and a new thread is spawned that takes care of delivering the email to your destination mail server.

A complete email reception/fwding process would look similar to the following:

02/28/03 00:53:25:449 -- (2212) Connection from: - Originating country : N/A 02/28/03 00:53:25:630 -- (2212) Resolving - Not found 02/28/03 00:53:25:630 -- (2212) Mail from: 02/28/03 00:53:25:930 -- (2212) MAPS search done... . 02/28/03 00:53:25:930 -- (2212) RCPT TO: accepted 02/28/03 00:53:25:990 -- (2212) EMail from to was queued. 02/28/03 00:53:25:990 -- (2212) Disconnect 02/28/03 00:53:26:000 -- (2280) Sending email from to 02/28/03 00:53:27:693 -- (2280) EMail from to was forwarded to

Ini the log you should always find the reason of why an email was rejected or quarantined. Look for the line that says "will be quarantined" or "will be disconnected". The line just above that will indicate the last test that failed (Note that you may have to skip a few lines if other emails were received at the same time, that is where looking at the Thread ID becomes handy). Following are some reject samples from our logs:

03/25/03 00:00:56:110 -- (313) - MAPS search done... 521 The IP is Blacklisted by . 03/25/03 00:00:56:110 -- (313) - Mail from: To: will be quarantined


03/25/03 00:01:04:872 -- (73) Resolving - Not found 03/25/03 00:01:04:872 -- (73) - Reverse DNS not found - 03/25/03 00:01:04:872 -- (73) - Mail from: To: will be quarantined


03/25/03 00:05:29:423 -- (264) RCPT TO: ohfudge@NETWIDE.NET accepted 03/25/03 00:05:29:573 -- (264) Found Keywords: [mortgage,click here] 03/25/03 00:05:29:573 -- (264) EMail from atlasrewards@FUNMAILOFFERS.COM to ohfudge@NETWIDE.NET matches content filter rules - rejected. 03/25/03 00:05:29:633 -- (264) EMail from atlasrewards@FUNMAILOFFERS.COM to ohfudge@NETWIDE.NET was received and quarantined. Size: 5 KB

Hope this helps!

Roberto Franceschetti LogSat Software

Posted By: Guests
Date Posted: 26 March 2003 at 12:00am

Very well explained, but I have am example I would like you to look at I would like to know the reason the mail was quarantined.

03/26/03 10:09:07:689 -701 Connection from: - Originating country : United States 03/26/03 10:09:07:769 -701 Resolving - Not found 03/26/03 10:09:07:769 -701 Mail from: 03/26/03 10:09:08:100 -701 - MAPS search done... . 03/26/03 10:09:08:100 -701 Mail from: To: - will be quarantined 03/26/03 10:09:08:260 -701 EMail from to was received and quarantined. 03/26/03 10:09:09:011 -701 Mail from: 03/26/03 10:09:09:011 -701 Mail from: To: - will be quarantined 03/26/03 10:09:09:121 -701 EMail from to was received and quarantined. 03/26/03 10:09:11:725 -701 Disconnect thanks you for any help.

Posted By: LogSat
Date Posted: 26 March 2003 at 12:00am


We received your ini and logfiles. In SpamFilter you have configured your "Local Domains" with just one entry,

This means that SpamFilter will only accept and deliver email addressed to SpamFilter cannot be used to relay mail anywhere else.

In you log we noticeed several times entries that showed your users ( trying to send email to outside domains (ex. That won't work...

Don't forget that SpamFilter is designed to handle excusively incoming email. It is not supposed to be used by your internal users as their outgoing SMTP server. You users should still use your existing SMTP mail as their outgoing SMTP server to relay email to the outside.

Hope this helps!


Posted By: Guests
Date Posted: 26 March 2003 at 12:00am

I have setup the Spam filter to lison on port25 , and change my smpt server to port 26, would i need to change the configuration on the clients email software to point to port 26 ?

Posted By: LogSat
Date Posted: 26 March 2003 at 12:00am


Please take a look at the thread titled "Relay settings" in this forum, as it is very similar to your situation.

The answer to your question would be a "yes", but we recommend going a different route as indicated in the other postings.

Roberto F. LogSat Software

Posted By: Guests
Date Posted: 26 March 2003 at 12:00am


Great Product!!, Thanks You for the support, If the port change works, I will be registering your product.

Posted By: LogSat
Date Posted: 26 March 2003 at 12:00am

Now I see why you asked... That leaves us puzzled as well!

If can you please email to us at a copy of your spamfilter.ini and the logfile in question we'll try to take a better look. The reject reason should indeed have been logged.


Posted By: Guests
Date Posted: 26 March 2003 at 12:00am


Is the "" domain (or the * wildcard) included in your Local Domains list -- the domains that you accept for mail relaying on your system? If NOT, then this may explain this log sequence.

We have seen this same sequence of log entries on our server when SpamFilter rejects a message based on anti-relay -- the recipient's domain is not listed in the Local Domains list -- and quarantining is enabled.

As for the duplication of certain lines in the log entry... it appears in our logs from time to time as well, but again, the only time we see this duplication is on anti-relay rejections.

Hope this is helpful in some way.


Print Page | Close Window