What do each of the fields in a log entry represent?

Posted: Tue Oct 07, 2014 11:45 am
by magicspam
Let's say that you are looking at the following log entry (we have placed the entry on a couple lines to make the entry a little more readable):

2009-04-08 09:18:17 magicspam-postfix[20425]: SPAM[block_lists:35]: 
    mua=0,
    ip=[1.2.3.4:host4.sendersdomain.com],
    helo=<host.sendersdomain.com>,
    from=<sender@sendersdomain.com>,
    rcpt=<user@recipientsdomain.com>

Below is a list of what each field represents:

Date: 2009-04-08 09:18:17
Process Identifier: magicspam-postfix[20425]:
Spam Protection Result: SPAM
Spam Protection rule triggered: [block_lists:35]
"Mail User Agent" (mua) flag: 0
Sending mail server IP address: 1.2.3.4
Reverse DNS entry for IP address: host4.sendersdomain.com
Mail server identification (HELO): host.sendersdomain.com
Sender's email address: sender@sendersdomain.com
Recipient's email address: user@recipientsdomain.com

Each log entry represents a single recipient of a message; if a message has multiple recipients, each recipient gets their own log entry. This permits individual spam settings to be observed in the logs.

Below are a few more notes about some of the fields.

Process Identifier
This is the name of the process generating the log entry. The number in square brackets (20425) is the process ID (PID) for that process.

Spam Protection Result
This field can have several different values:
  • SPAM - The message has triggered an enabled rule or blocklist and is now marked as being spam. The message to the specified recipient will be dropped.
  • HAM - The message did not trigger any enabled rules or blocklists. The message will be delivered normally.
Below are the values you will see if a message triggers one of the whitelist or exemption entries. These messages will be delivered normally, even if a spam rule is triggered:
  • FROM_WHITELIST - The message was sent from an email address listed in the MagicSpam from whitelist.
  • RCPT_EXEMPT - The message was sent to a recipient who is currently exempt from MagicSpam protection.
  • IP_EXEMPT - The message was sent from a mail server listed in the MagicSpam IP exemption list.

Spam Protection rule triggered
This field shows the rule that the message triggered, causing it to be marked as spam. Values for this field may be:
  • block_ip_in_addr
  • check_dynamic_reverse_dns
  • check_ip_reverse_dns
  • check_reverse_dns_list
  • resolve_helo_domain
  • require_full_addr
  • require_helo
  • valid_from_addr
  • valid_helo_domain
For more information on each of these rules, please see the "Best Practices Rules" page in your MagicSpam Administration interface.

There is also one special rule that can be triggered: block_lists. This rule is triggered if the connecting IP address is listed on any of the block lists that are currently enabled. If this occurs, the block list's ID is printed after the "block_lists" keyword (35 in the entry above). The block list IDs are also listed in the "Block Lists" page in the MagicSpam Administrative Interface for your reference.

"Mail User Agent" (mua) flag
If the SMTP connection is using authentication, then the Mail User Agent flag will be set to 1. Otherwise, it will be set to 0. This allows us to determine whether the connection is coming from a remote server or from one of the server's authorized clients.
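
The field layout described above, as an added Python example (not MagicSpam's own code): it parses an entry into named fields and counts dropped recipients per rule or block list ID. The function names, the one-entry-per-line form, and results other than SPAM appearing without a [rule] bracket are assumptions; every sample line except the first is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Layout follows the sample entry on this page. Assumed: one entry per line in
# the real log, and results other than SPAM may omit the [rule] bracket.
ENTRY_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<process>[\w.-]+)\[(?P<pid>\d+)\]: "
    r"(?P<result>[A-Z_]+)(?:\[(?P<rule>\w+)(?::(?P<list_id>\d+))?\])?: ?"
    r"mua=(?P<mua>[01]), ?ip=\[(?P<ip>[^\]]*)\], ?helo=<(?P<helo>[^>]*)>, ?"
    r"from=<(?P<sender>[^>]*)>, ?rcpt=<(?P<rcpt>[^>]*)>$"
)
DELIVERED = {"HAM", "FROM_WHITELIST", "RCPT_EXEMPT", "IP_EXEMPT"}

def parse_entry(line):
    """Return the entry's fields as a dict, or None if the line does not match."""
    m = ENTRY_RE.match(" ".join(line.split()))  # also rejoins a wrapped entry
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
    e["pid"] = int(e["pid"])
    e["authenticated"] = e.pop("mua") == "1"  # mua=1 means SMTP AUTH was used
    # ip=[address:reverse-dns]: split on the last colon (assumed separator)
    addr, sep, rdns = e["ip"].rpartition(":")
    e["ip"], e["rdns"] = (addr, rdns) if sep else (rdns, "")
    e["list_id"] = int(e["list_id"]) if e["list_id"] else None
    e["delivered"] = e["result"] in DELIVERED
    return e

def dropped_by_rule(lines):
    """Count dropped (SPAM) recipients per rule, keyed like 'block_lists:35'."""
    counts = Counter()
    for e in filter(None, map(parse_entry, lines)):
        if e["result"] == "SPAM":
            suffix = "" if e["list_id"] is None else f":{e['list_id']}"
            counts[(e["rule"] or "unknown") + suffix] += 1
    return counts

# Constructed sample: the page's entry plus invented lines in the same layout.
SAMPLE = [
    "2009-04-08 09:18:17 magicspam-postfix[20425]: SPAM[block_lists:35]: mua=0, ip=[1.2.3.4:host4.sendersdomain.com], helo=<host.sendersdomain.com>, from=<sender@sendersdomain.com>, rcpt=<user@recipientsdomain.com>",
    "2009-04-08 09:18:17 magicspam-postfix[20425]: SPAM[block_lists:35]: mua=0, ip=[1.2.3.4:host4.sendersdomain.com], helo=<host.sendersdomain.com>, from=<sender@sendersdomain.com>, rcpt=<other@recipientsdomain.com>",
    "2009-04-08 09:19:02 magicspam-postfix[20431]: SPAM[require_helo]: mua=0, ip=[192.0.2.10:mail.example.net], helo=<>, from=<a@example.net>, rcpt=<user@recipientsdomain.com>",
    "2009-04-08 09:20:40 magicspam-postfix[20440]: HAM: mua=1, ip=[192.0.2.77:client.example.org], helo=<laptop>, from=<user@recipientsdomain.com>, rcpt=<friend@example.org>",
    "2009-04-08 09:21:00 postfix/smtpd[20441]: connect from unknown[192.0.2.10]",
]
```

Because each recipient has its own entry, the first two sample lines count as two drops for block list 35 even though they belong to one message.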