The 20 Minute E-Mail Solution!

Appendix E. Anti-Spam Log Messages

Connection Filtering


Normal Log Messages and Explanations

BLACKLIST:message_source was found on list (name:server:query_domain)->returned_text
    The connecting agent sending the message has been found on the specified black list.
    message_source: This is the information that was sent to the black list server as the source of the message.
    returned_text: Sometimes the black list server will return text explaining why a message source is black listed.

BLACKLIST:failed to connect to service (name:server:query_domain)
    If the black list is configured to use UDP, this means that the initial UDP query sent to the black list server and all retries timed out. If the black list is configured to use TCP, this means that the connection to the server failed.

VALIDATION: (HELO) domain FAILED to receive response from DNS server for HELO domain helo_argument
    HELO validation searches for an MX or an A record for the domain passed in the HELO command by the connecting SMTP agent. The queried DNS server failed to respond to the query.
    helo_argument: The domain passed as the argument to the HELO command by the connecting SMTP agent.

VALIDATION: (HELO) no HELO sent
    The connecting SMTP agent failed to send the HELO or EHLO command.

VALIDATION: (HELO) helo_argument domain failed active validation
    No MX or A record exists for the domain passed in the HELO or EHLO command.
    helo_argument: The domain passed in the HELO command by the connecting SMTP agent.

VALIDATION: (MAIL FROM) domain FAILED to resolve MX/A record for mail server mail_from_argument
    An MX or an A record could not be found for the sender's mail server. This is a failure since we need the IP address to connect to the mail server and validate the user.
    mail_from_argument: The e-mail address passed in the MAIL FROM command.

VALIDATION: (MAIL FROM) domain FAILED to connect to remote_mail_server
    A connection to the SMTP server for the user passed in the MAIL FROM command was attempted, but the connection failed. This means the server name was successfully converted to an IP address, but no server exists at the address or it is not running.
    remote_mail_server: The sender's mail server according to the MAIL FROM command.

VALIDATION: (MAIL FROM) domain FAILED to communicate with server remote_mail_server
    A connection was made to the remote SMTP server to validate the user, but the connection was terminated or failed.
    remote_mail_server: The sender's mail server, according to the MAIL FROM command.

VALIDATION (MAIL FROM) no MAIL FROM sent
    No MAIL FROM command was sent by the connecting SMTP agent.

VALIDATION:(MAIL FROM) <remote_user> user does not exist on remote system
    The user passed in the MAIL FROM command does not exist on the remote server. This is only logged if a successful conversation has taken place and the user is not a valid user on the remote SMTP server.
    remote_user: The user passed in the MAIL FROM command.

VALIDATION: (MAIL FROM) domain FAILED SMTP server error: mail_server_error
    The SMTP server that was connected to returned an error prior to validation of the user. The SMTP error is included in the log message.
    mail_server_error: The SMTP server error returned by the remote SMTP server.

VALIDATION: (REVDNS) connecting_agent address does not have a valid MX or A record, message rejected
    The connecting SMTP agent does not have a valid MX or A record.
    connecting_agent: The IP address of the connecting SMTP agent.

VALIDATION: (REVDNS) domain FAILED to receive reply from DNS server
    A query was made to the DNS server for the mail server and no response was returned. This does not mean that no MX or A record exists for the connecting SMTP agent, just that the DNS server did not respond to queries.

VALIDATION: (REVDNS) domain FAILED reverse DNS validation for address (connecting_agent)
    The mail server's DNS server returned a reply to the query for an MX or an A record for the connecting SMTP agent. However, there was no MX or A record.
    connecting_agent: The IP address of the connecting SMTP agent.

message failed check<check_name> which was marked as trusted, deleting
    A trusted black list entry failed its check. The message is immediately deleted.
    check_name: The display name of the blacklist.

message failed failed_checks of total_checks checks, deleting
    Connection filtering is set to delete messages after a specific number of checks have failed (including active validation checks). This number has been reached and the message will be deleted.
    failed_checks: The number of checks that failed for the message, including active validation checks.
    total_checks: The total number of checks configured for the host, including active validation checks.

Verbose Log Messages and Explanations

BLACKLIST:connecting to service(name:server:query_domain)
    This is logged just prior to querying a black list server.

BLACKLIST:retrying service (name:server:query_domain)
    This black list uses UDP, so it may not respond in a timely manner. This is logged if a query times out and must be retried.

BLACKLIST:message_source was not found on list (name:server:query_domain)
    The connecting agent has not been found on the specified black list.
    message_source: This is the information that was sent to the blacklist server as the source of the message.

BLACKLIST:received a reply from service (name:server:query_domain)
    The queried black list returned a reply. This does not mean that the message source was blacklisted, just that the query was successful.

VALIDATION: (HELO) domain performing DNS lookup for HELO domain helo_argument
    This message is logged prior to performing HELO validation.
    helo_argument: The domain passed by the connecting SMTP agent.

VALIDATION: (HELO) domain received reply from DNS server for HELO domain helo_argument
    The DNS server replied to the HELO validation query for an MX or an A record for the domain passed in the HELO command by the connecting SMTP agent. This does not mean that the domain has an MX or an A record, just that the DNS server sent a response to the query.
    helo_argument: The domain passed in the HELO command by the connecting SMTP agent.

VALIDATION: (MAIL FROM) domain validating MAIL FROM address mail_from_argument
    This message is logged prior to performing MAIL FROM validation.
    mail_from_argument: The e-mail address passed in the MAIL FROM command.

validation: (mail from) domain SUCEEDED for user mail_from_argument.
    The user passed in the MAIL FROM command exists on the remote SMTP server.
    mail_from_argument: The e-mail address passed in the MAIL FROM command.

VALIDATION: (REVDNS) domain performing reverse dns lookup on address connecting_agent
    This message is logged prior to performing a reverse DNS validation.
    connecting_agent: The IP address of the connecting SMTP agent.

VALIDATION: (REVDNS) domain reverse DNS validation SUCEEDED for address (connecting_agent)
    The DNS server for the mail server returned an MX or A record for the connecting SMTP agent.
    connecting_agent: The IP address of the connecting SMTP agent.

ADMIN: reloading connection filtering settings for domain:DOMAIN
    Connection filtering settings for the specified domain have changed and are being reloaded. Only changes in IAdmin or web messaging cause a reload. Hand editing of files is ignored until SMTPD is restarted.

ADMIN: finished reloading connection filtering settings for domain: domain
    Connection filtering settings for the specified domain have changed and have been reloaded. Only changes in IAdmin or web messaging cause a reload. Hand editing of files is ignored until SMTPD is restarted.
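
The connection filtering messages above distinguish a check that produced a verdict from a lookup that never got an answer (black list service unreachable, DNS server not responding). The Python sketch below is an added example, not Ipswitch code, that separates the two when triaging a log; the sample lines are constructed, and the way the placeholders are filled in (addresses, host names, list name) is an assumption.

```python
import re
from collections import Counter
# Patterns derived from the message templates in this appendix. How placeholders
# are filled in and what precedes the message on a line are assumptions.
RULES = [
    ("verdict", "blacklist", re.compile(r"BLACKLIST:\S+ was found on list \(")),
    ("inconclusive", "blacklist", re.compile(r"BLACKLIST:failed to connect to service")),
    ("inconclusive", "helo", re.compile(r"\(HELO\).*FAILED to receive response from DNS server")),
    ("verdict", "helo", re.compile(r"\(HELO\).*(no HELO sent|failed active validation)")),
    ("inconclusive", "revdns", re.compile(r"\(REVDNS\).*FAILED to receive reply from DNS server")),
    ("verdict", "revdns", re.compile(r"\(REVDNS\).*(FAILED reverse DNS validation|does not have a valid MX or A record)")),
    ("verdict", "mailfrom", re.compile(r"\(MAIL FROM\).*(FAILED|no MAIL FROM sent|user does not exist)")),
]
DELETED = re.compile(r"message failed (\d+) of (\d+) checks, deleting")
TRUSTED = re.compile(r"message failed check\s*(.+?) which was marked as trusted, deleting")

def triage(lines):
    """Count verdicts vs. unanswered lookups per check and collect deletions."""
    counts, deletions = Counter(), []
    for line in lines:
        m = DELETED.search(line)
        if m:
            deletions.append({"failed": int(m[1]), "total": int(m[2])})
            continue
        m = TRUSTED.search(line)
        if m:
            deletions.append({"trusted_check": m[1].strip()})
            continue
        for kind, check, rx in RULES:
            if rx.search(line):  # first matching template wins
                counts[(kind, check)] += 1
                break
    return counts, deletions

# Constructed sample lines (not taken from a real log).
SAMPLE = [
    "BLACKLIST:192.0.2.10 was found on list (ExampleBL:bl.example.net:bl.example.net)->listed",
    "BLACKLIST:failed to connect to service (ExampleBL:bl.example.net:bl.example.net)",
    "VALIDATION: (REVDNS) mail.example.com FAILED to receive reply from DNS server",
    "VALIDATION: (REVDNS) mail.example.com FAILED reverse DNS validation for address (192.0.2.10)",
    "VALIDATION: (HELO) mail.example.com FAILED to receive response from DNS server for HELO domain host.example.org",
    "VALIDATION: (MAIL FROM) mail.example.com validating MAIL FROM address a@example.org",
    "message failed 3 of 5 checks, deleting",
]

if __name__ == "__main__":
    counts, deletions = triage(SAMPLE)
    print(dict(counts), deletions)
```

A run of "inconclusive" entries for one check points at the resolver or the black list service rather than at the senders.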

Content Filtering


Normal Log Messages and Explanations

No good/spam email in Antispam Table for host<host>. Statistical Filtering Disabled
    The host's antispam-table.txt does not contain any words from good or spam e-mail. Statistical filtering is therefore disabled.

No Content Filtering Host Information for the Phrase Filter
    There is no content filtering host information for the phrase filter. As a result, no phrase filtering was done.

No Content Filtering Host information for the HTML Filter
    There is no content filtering host information for the HTML filter. As a result, no HTML filtering was done.

matched phrase[<matched phrase>]
    The specified phrase was found in the e-mail.

matched HTML features [<matched features>]
    The specified HTML features were found in the e-mail.

matched URL domain[<matched URL domain>]
    The specified URL domain was found in the e-mail.

Probability email is spam<email probability>:email is spam
    An e-mail has been identified as spam. The message also includes its calculated probability.

Probability email is spam<email probability>: email is good
    An e-mail has been identified as good. The message also includes its calculated probability.

Error:unable to open body file<body file name>
    The body file indicated cannot be opened.

Unable to find AntiSpam Host Information for <host>
    The specified host's white list and/or content filtering were not found.

[<email address/domain>] in white list
    The sender's address or domain was found in the white list. As a result, no content filtering was done.

Verbose Log Messages and Explanations

Phrase Filtering enabled for<host>
    Phrase filtering is enabled for the host.

Phrase Filtering disabled for <host>
    Phrase filtering is disabled for the host.

Phrase Filtering initialized for <host>
    Phrase filtering was successfully initialized for the host.

Statistical Filtering disabled for <host>
    Statistical filtering is disabled for the host.

Statistical Filtering enabled for <host>
    Statistical filtering is enabled for the host.

Phrase filtering is disabled or there are no phrases to match
    Either phrase filtering is disabled or the phrase list is empty.

HTML filtering is disabled for [<host>]
    HTML filtering is disabled for the specified host.

searching for phrases
    An e-mail is being searched for phrases from the phrase list.

statistical filtering disabled
    Either statistical filtering is disabled, or there is no content filtering host information.

performing statistical analysis
    An e-mail is being statistically analyzed.

The following words were used to compute the probability email is spam
    The statistical analysis of an e-mail is done. The most interesting words used (if any) in the analysis follow.

word=<word>, probability=<word hash>
    An interesting word and its corresponding probability. It is possible for an e-mail not to have any interesting words, in which case the calculated probability is 0.5.

[<excluded word>] in exclude list
    The specified word was found in the exclude list and will be excluded from statistical analysis.

Added White List, Content Filtering, and HTML Filtering for <host>
    The white list, content filtering, and HTML filtering for the host have been added to the anti-spam engine.

Notified <host> about updating the HTML Filter.
    The anti-spam engine has been notified about the specified host's HTML Filtering changes.

Notified <host> about updated white list
    The anti-spam engine has been notified about the host's content filtering changes.

Notified <host> about updating the Content Filter.
    The anti-spam engine has been notified of the specified host's Content Filtering changes.

Got updated White List, Content Filtering, and HTML Filtering for <host>
    The anti-spam engine successfully updated the white list, content filtering, and HTML filtering for the host.

Got updated White List for <host>
    The anti-spam engine successfully updated the white list for the host.

Got updated Content Filtering for <host>
    The anti-spam engine successfully updated the content filtering for the host.

Got White List, Content Filtering, and HTML Filtering for <host>
    The anti-spam engine successfully updated the white list and content filtering for the host.

Created and Initialized Content Filtering for <host>
    The anti-spam engine successfully created and initialized content filtering for the host.

Created and Initialized White List for <host>.
    The anti-spam engine successfully created and initialized the white list for the host.

Added Anti-Spam Host Information for <Hostname>
    The anti-spam engine successfully added anti-spam host information for the specified host.

Matched Invalid Tag feature [<invalid tag>]
    The e-mail contained the following invalid tag.

Matched Nested Table feature [<table tag>]
    The e-mail contained a Nested Table with the specified table tag.

Matched Image Tag feature [<image tag>]
    The e-mail contained the following image tag.

Matched Deceptive URL feature [<deceptive URL>]
    The e-mail contained the following deceptive URL.

Matched Hyperlink feature [<anchor tag>]
    The e-mail contained a Hyperlink with the following anchor tag.

Matched Hyperlink feature [<a>]
    The e-mail contained a hyperlink with the following <a> tag.

Matched Script Tag feature [<script tag>]
    The e-mail contained the following script tag.

Matched Embedded Comment feature [<embedded comment>]
    The e-mail contained the following embedded comment. Only 255 characters of the comment are displayed.



Ipswitch, Inc.
http://www.ipswitch.com
©Ipswitch 2001