exim rejectlog with log snippets and new ideas, (was: Re: exim log analysis)
Tom Northeast
tnortheast at quadteq.com
Thu Aug 25 12:33:58 CEST 2005
Hey,
Joost wrote:
> Do timestamped lines alternate with header chunks always? If not, this
> logfile is likely not machine-parsable... Or does the last line of a
> header chunk have some special token? Could you give a more complete
> example of what's in exim's reject-log?
Here's a nice sized chunk of the log, containing examples of an entire
header dump and multiple sequential timestamped entries.
2005-04-28 16:26:05 H=joyce.mailtrx.com (discounttrx.com) [63.123.x.x]
I=[193.108.x.x]:25 sender verify defer for <chal at discounttrx.com>: host
lookup did not complete
2005-04-28 16:26:05 H=joyce.mailtrx.com (discounttrx.com) [63.123.x.x]
I=[193.108.x.x]:25 F=<chal at discounttrx.com> temporarily rejected RCPT
<xxxxxx at xxxxxx.co.uk>: Could not complete sender verify
2005-04-28 16:47:35 1DRBEe-0005VG-3T H=(jhaweb.com) [61.107.x.x]
I=[193.108.x.x]:25 F=<nfarris_qe at elet.com> rejected after DATA: This
email has been classified as spam (score: 12.4)
Envelope-from: <nfarris_qe at elet.com>
Envelope-to: <xxxx at xxxxxx.co.uk>
P Received: from [61.107.x.x] (helo=jhaweb.com)
by xxxxx.xxxxx.com with esmtp (Exim 4.44)
id 1DRBEe-0005VG-3T
for xxxxx at xxxxxxxx.co.uk; Thu, 28 Apr 2005 16:47:29 +0100
I Message-ID: <OFMIEHxxxxxxxxxJFDFNKJGGAA.nfarris_qe at elet.com>
F From: "Noemi P. Farris" <nfarris_qe at elet.com>
T To: xxxxxxxx at xxxxxxxxxx.co.uk
Subject: Offering Refinances at low rates
Date: Thu, 28 Apr 2005 14:50:07 +0000
MIME-Version: 1.0
Content-Type: text/html
Content-Transfer-Encoding: base64
Received-SPF: none (xxxxx: 61.107.x.x is neither permitted nor denied
by domain of elet.com) client-ip=61.107.x.x;
envelope-from=nfarris_qe at elet.com; helo=jhaweb.com;
X-Spam-Score: 12.4 (++++++++++++)
X-Spam-Report: Spam=Yes, Hits=12.4 Required=5.0 autolearn=no
Version=3.0.2
* 0.0 HTML_30_40 BODY: Message is 30% to 40% HTML
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 2.1 BAYES_80 BODY: Bayesian spam probability is 80 to 95%
* [score: 0.8180]
* 0.2 MIME_HTML_ONLY BODY: Message only has text/html MIME
parts
* 0.3 MIME_BASE64_TEXT RAW: Message text disguised using base64
encoding
* 3.1 RCVD_IN_XBL RBL: Received via a relay in Spamhaus XBL
* [61.107.x.x listed in sbl-xbl.spamhaus.org]
* 1.0 URIBL_SBL Contains an URL listed in the SBL blocklist
* [URIs: percentssaveem.net]
* 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL
blocklist
* [URIs: percentssaveem.net]
* 4.3 URIBL_SC_SURBL Contains an URL listed in the SC SURBL
blocklist
* [URIs: percentssaveem.net]
DCC:
Pyzor: Reported 0 times.
X-Spam-Subject: [Possible Spam] Offering Refinances at low rates
2005-04-28 17:07:33 1DRBXc-0005Vq-HO H=m42-mp1.cvx1-a.xxxxx.ntli.net
(xxxxx.co.uk) [62.252.x.x] I=[193.108.x.x]:25 F=<training at difuria.co.uk>
rejected after DATA: Virus/Trojan detected in this email
(Worm.SomeFool.P)
The last line I pasted was the beginning of the next blocked email,
which has a header just like the one above. Every header ends
with "X-spam-Subject: blahblahblah" or
"Received-SPF: none" or "neutral".
But surely that isn't too much of a problem, as every new email is
signified by the
2005-04-28 16:47:35 1DRBEe-0005VG-3T H=(jhaweb.com) [61.107.x.x]
I=[193.108.x.x]:25 F=<nfarris_qe at elet.com> rejected after DATA: This
email has been classified as spam (score: 12.4)
entry?
If you want, I can upload a much bigger chunk of log?
Tom
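
The record boundary discussed in this message, as an added example (not code from the thread or from the logreport project): a line that starts with a timestamp opens a record, and every following non-timestamped line is kept as that record's header chunk, so no end-of-header token is needed. The sample log is constructed (unwrapped lines, placeholder hosts and addresses), and the dictionary keys are this example's own names.

```python
import re

# A record starts with an exim timestamp at column 0. The message id is
# optional: on the page, the RCPT-time lines carry none. Anchoring at the
# start of the line keeps a timestamp inside header text from opening a record.
START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                   r"(?:([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) )?(.*)$")
HOST = re.compile(r"\bH=(.+?) \[([^\]]+)\]")
SENDER = re.compile(r"\bF=<([^>]*)>")
REASON = re.compile(r"((?:temporarily )?rejected .*|sender verify .*)$")

def parse_rejectlog(lines):
    """Split a reject log into records; non-timestamped lines that follow
    a record are kept as that record's header chunk (possibly empty)."""
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = START.match(line)
        if m:
            text = m.group(3)
            host, sender, reason = (HOST.search(text), SENDER.search(text),
                                    REASON.search(text))
            records.append({
                "time": m.group(1), "id": m.group(2),
                "host": host.group(1) if host else None,
                "ip": host.group(2) if host else None,
                "sender": sender.group(1) if sender else None,
                "reason": reason.group(1) if reason else text,
                "headers": [],
            })
        elif records and line.strip():
            records[-1]["headers"].append(line)  # header dump line
    return records

# Constructed sample: same shape as the excerpt above, unwrapped, with
# placeholder hosts and addresses.
SAMPLE = """\
2005-04-28 16:26:05 H=mx.example.net (example.net) [192.0.2.10] I=[198.51.100.1]:25 sender verify defer for <a@example.net>: host lookup did not complete
2005-04-28 16:26:05 H=mx.example.net (example.net) [192.0.2.10] I=[198.51.100.1]:25 F=<a@example.net> temporarily rejected RCPT <u@example.org>: Could not complete sender verify
2005-04-28 16:47:35 1DRBEe-0005VG-3T H=(helo.example) [192.0.2.77] I=[198.51.100.1]:25 F=<b@example.com> rejected after DATA: This email has been classified as spam (score: 12.4)
Envelope-from: <b@example.com>
F From: "B" <b@example.com>
  Subject: Offering Refinances at low rates
  X-Spam-Score: 12.4 (++++++++++++)
2005-04-28 17:07:33 1DRBXc-0005Vq-HO H=dial.example.net (example.org) [192.0.2.99] I=[198.51.100.1]:25 F=<c@example.org> rejected after DATA: Virus/Trojan detected in this email (Worm.SomeFool.P)
""".splitlines()

if __name__ == "__main__":
    for r in parse_rejectlog(SAMPLE):
        print(r["time"], r["id"], r["ip"], r["reason"], len(r["headers"]))
```

The mail archive has wrapped the long log lines in the excerpt above; the parser expects them as exim wrote them, one entry per line.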