spamtowho_418: Where can I get some explanations?

Jun 9th, 2007

The spamtowho_418.exe-tool creates nice reports.
Unfortunately, I can't explain/comprehend all the values. :oops: Is there a source where I can get more information about 'Costliness', 'Rewrite Agents' and many other sections and terms?

Has someone already "decrypted" such a report?

jbivens_ironport Mon, 06/11/2007 - 19:25

Costliness is really talking about CPU cost, in the sense of which message took the longest to process. Typically most costly messages are also the largest; however, I'm sure that if the message is zipped three + times it will start adding to the cost of the processing.

With regards to the Rewrite Agent I'm not sure if I've seen that entry before. Could you forward a scrubbed example of what that section of the report looks like?


Jay Bivens
IronPort Systems

Pat_ironport Tue, 06/12/2007 - 18:15

You can find "Rewrite Agent" between "Recipients" and "SBRS"


Average # per connection (all) 1.07626344214087
Average # per connection (successful) 1.15692883546402
Average # per message 1.15521857974302
Bounced by LDAPACCEPT (workqueue) xxx
received yyy
sent zzz

Rewrite Agents

antivirus 36

I can't reproduce the number 36 in this section. Could someone explain it :?:

And sorry for asking again: Is there a source where I can read about the other sections? For example, I have a value

Messages which were too big for scanning (res will be negative) 6,733
What does VOF mean? Were these 6,733 messages "too big for scanning" for anti-virus and/or anti-spam? And where can I adjust it? What are the negative impacts?

Pat_ironport Wed, 06/13/2007 - 15:05

Thank you for this information! Do you know any other source for "translating" the spamtowho_418-reports?

lucas.castro_ir... Thu, 06/14/2007 - 19:07


Unfortunately, the only thing I have is a document called "spamtowho_418_NOTES.txt" that came along with the binaries.

Are you interested? It doesn't add much info, but...

Pat_ironport Thu, 06/14/2007 - 19:34

I already have this 8kb-File with 152 lines, ending with the name "Tomki".

Is he/she still working for IronPort? Maybe he would be a source for some answers. :roll:

tcamp_ironport Tue, 06/19/2007 - 22:06

'Costliness' is relevant to the size of the message and the number of recipients it was sent to. Here is an example entry:

Size From #rcpts Time
4585474 [email protected] 1 Mon May 21 16:55:11 2007

'Rewrite Agents' section simply lists the different reasons that a message was rewritten to a new MID in the mail logs.
Reasons for this to occur are recipient alteration, footer-stamping, attachment stripping, and others I don't recall offhand.

jbivens_ironport Thu, 06/21/2007 - 14:30

And just for a note of clarity, "tcamp" is Tomki. So he would be authoritative on the spamtowho utility; of course, it looks like all the reasons for Rewrite Agent are escaping him.

I took a look and it seems that Rewrite Agent looks for MIDs with an ICID of 0 to determine if the message was rewritten. You should be able to perform a 'grep -e "ICID 0" mail_logs' in order to be able to see the actual events that are hitting that classification.

Take a look and provide feedback on whether you found any messages with an ICID of 0.


Jay Bivens
IronPort Systems

tcamp_ironport Thu, 06/21/2007 - 22:29

Incrementations in the 'Rewrite Agents' section are caused simply by actions that state (in the logs) that the message is rewritten.
Examples from the code comments (

Tue Jan  6 15:03:18 2004 Info: MID 2 rewritten to 3 by antispam
#Tue Apr 5 17:34:20 2005 Info: MID 35381452 rewritten to 35381453 by antivirus
#Fri May 14 20:44:43 2004 Info: MID 6 rewritten to 7 by alt-rcpt-to-filter filter 'testfilt'
#Tue May 3 06:07:03 2005 Info: MID 424576592 rewritten to 424576594 by antivirus(unsafe alt-rcpt-to) filter 'unknown'
#Thu Aug 17 00:55:23 2006 Info: MID 1 rewritten to MID 2 by antispam (alt-rcpt-to) filter 'unknown'
#Info: MID 386736 rewritten to MID 386737 by add-footer filter 'Footer Stamping'
#Info: MID 419747 rewritten to MID 419761 by drop-attachments-by-filetype filter 'Block_Attachments'

