spamtowho_418: Where can I get some explanations?

Pat_ironport
Level 1

The spamtowho_418.exe-tool creates nice reports.
Unfortunately, I can't explain/comprehend all the values. :oops: Is there a source where I can get more information about 'Costliness', 'Rewrite Agents' and many other sections and terms?

Has someone already "decrypted" such a report?


Costliness is really talking about CPU cost, in the sense of which message took the longest to process. Typically the most costly messages are also the largest; however, I'm sure that if the message is zipped three+ times it will start adding to the cost of the processing.

With regards to the Rewrite Agent I'm not sure if I've seen that entry before. Could you forward a scrubbed example of what that section of the report looks like?

Sincerely,

Jay Bivens
IronPort Systems

Pat_ironport
Level 1

You can find "Rewrite Agent" between "Recipients" and "SBRS"

Recipients

Average # per connection (all) 1.07626344214087
Average # per connection (successful) 1.15692883546402
Average # per message 1.15521857974302
Bounced by LDAPACCEPT (workqueue) xxx
received yyy
sent zzz

Rewrite Agents

antivirus 36

SBRS

I can't reproduce the number 36 in this section. Could someone explain it :?:

And sorry for asking again: Is there a source where I can read about the other sections? For example, I have a value

VOF

Messages which were too big for scanning (res will be negative) 6,733

What does VOF mean? Were these 6,733 messages "too big for scanning" for anti-virus and/or anti-spam? And where can I adjust it? What are the negative impacts?

What does VOF mean? 


VOF stands for Virus Outbreak Filter and it's an IronPort module just like your antivirus or your antispam. It's another layer.

For more info, refer to Virus Outbreak Filter.

Pat_ironport
Level 1

Thank you for this information! Do you know any other source for "translating" the spamtowho_418-reports?

Hi,

Unfortunately, the only thing I have is a document called "spamtowho_418_NOTES.txt" that came along with the binaries.

Are you interested? It doesn't add much info, but...

Pat_ironport
Level 1

I already have this 8kb-File with 152 lines, ending with the name "Tomki".

Is he/she still working for IronPort? Maybe he would be a source for some answers. :roll:

tcamp_ironport
Level 1

'Costliness' is relevant to the size of the message and the number of recipients it was sent to. Here is an example entry:


Size     From              #rcpts  Time
4585474  bob@stardust.com  1       Mon May 21 16:55:11 2007


'Rewrite Agents' section simply lists the different reasons that a message was rewritten to a new MID in the mail logs.
Reasons for this to occur are recipient alteration, footer-stamping, attachment stripping, and others I don't recall offhand.

I think message splitting can cause a MID change too

And just for a note of clarity, "tcamp" is Tomki, so he would be authoritative on the spamtowho utility. Of course, it looks like all the reasons for Rewrite Agent are escaping him.

I took a look and it seems that Rewrite Agent looks for MIDs with an ICID of 0 to determine if the message was rewritten. You should be able to perform a 'grep -e "ICID 0" mail_logs' in order to be able to see the actual events that are hitting that classification.

Take a look and provide feedback on whether you found any messages with an ICID of 0.

Sincerely,

Jay Bivens
IronPort Systems

tcamp_ironport
Level 1

Incrementations in the 'Rewrite Agents' section are caused simply by actions that state (in the logs) that the message is rewritten.
Examples from the code comments (logfuncs.pl):

Tue Jan  6 15:03:18 2004 Info: MID 2 rewritten to 3 by antispam
#Tue Apr 5 17:34:20 2005 Info: MID 35381452 rewritten to 35381453 by antivirus
#3.8.0:
#Fri May 14 20:44:43 2004 Info: MID 6 rewritten to 7 by alt-rcpt-to-filter filter 'testfilt'
#Tue May 3 06:07:03 2005 Info: MID 424576592 rewritten to 424576594 by antivirus(unsafe alt-rcpt-to) filter 'unknown'
#Thu Aug 17 00:55:23 2006 Info: MID 1 rewritten to MID 2 by antispam (alt-rcpt-to) filter 'unknown'
#Info: MID 386736 rewritten to MID 386737 by add-footer filter 'Footer Stamping'
#Info: MID 419747 rewritten to MID 419761 by drop-attachments-by-filetype filter 'Block_Attachments'
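
The counting rule described in the post above, as an added example that is not part of the original thread and not spamtowho's own code: a Python parser that tallies "rewritten" log events per agent and follows a MID through its rewrites. The function names, the grouping of agent variants under their base name, and the final non-rewrite log line are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the rewrite lines quoted in the thread (comment markers
# dropped) plus one constructed non-rewrite line that must be ignored.
SAMPLE_LOG = """\
Tue Jan  6 15:03:18 2004 Info: MID 2 rewritten to 3 by antispam
Tue Apr 5 17:34:20 2005 Info: MID 35381452 rewritten to 35381453 by antivirus
Fri May 14 20:44:43 2004 Info: MID 6 rewritten to 7 by alt-rcpt-to-filter filter 'testfilt'
Tue May 3 06:07:03 2005 Info: MID 424576592 rewritten to 424576594 by antivirus(unsafe alt-rcpt-to) filter 'unknown'
Thu Aug 17 00:55:23 2006 Info: MID 1 rewritten to MID 2 by antispam (alt-rcpt-to) filter 'unknown'
Info: MID 386736 rewritten to MID 386737 by add-footer filter 'Footer Stamping'
Info: MID 419747 rewritten to MID 419761 by drop-attachments-by-filetype filter 'Block_Attachments'
Tue May 3 06:07:04 2005 Info: MID 424576594 ICID 0 From: <sender@example.com>
"""

# Accepts both "rewritten to 3" and "rewritten to MID 2"; the filter name is optional.
REWRITE_RE = re.compile(
    r"Info: MID (?P<old>\d+) rewritten to (?:MID )?(?P<new>\d+) by "
    r"(?P<agent>.+?)(?: filter '(?P<filter>[^']*)')?\s*$"
)

def parse_rewrites(text):
    """Return one dict (old, new, agent, filter, base) per rewrite event."""
    events = []
    for line in text.splitlines():
        m = REWRITE_RE.search(line)
        if m:
            ev = m.groupdict()
            # Assumption: "antivirus(unsafe alt-rcpt-to)" counts as "antivirus".
            ev["base"] = re.split(r"[ (]", ev["agent"], maxsplit=1)[0]
            events.append(ev)
    return events

def tally_agents(events):
    return Counter(ev["base"] for ev in events)

def final_mid(mid, events):
    """Follow a message through successive rewrites to its last MID."""
    # Assumes MIDs are not reused within the log span being analysed.
    chain = {ev["old"]: ev["new"] for ev in events}
    seen = set()
    while mid in chain and mid not in seen:  # 'seen' guards against loops
        seen.add(mid)
        mid = chain[mid]
    return mid

if __name__ == "__main__":
    for agent, count in sorted(tally_agents(parse_rewrites(SAMPLE_LOG)).items()):
        print(f"{agent:30} {count}")
```
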
