SpamWall Operations Manual

Mail Log Viewer

The Mail Log Viewer can be used to monitor email traffic processed by your SpamWall system.

The Mail Log Viewer is available both to the main SpamWall administrator, who can view mail log data for all email processed by the system, and to Domain Admin account users, who can view mail log data for their own domain only.

To access the Mail Log Viewer, select the Mail Log Viewer link in the menu bar.

Mail Log Viewer Menu


When first opened, the Mail Log Viewer displays the log entries for email activity on your SpamWall system from the previous midnight (system time) up to the moment you open it.


Mail Log Viewer Display

On most systems which are actively processing email there will be many pages of log entries available, often several hundred pages or more for a single day when there is significant email activity. You can page through these using the numbered links at the top of the Mail Log Viewer screen, or use one of the search options instead.

The "Search" feature lets you search the log on any of the displayed columns: "Date", "From", "To", "Subject", "Action", "Score", "Source IP" and "Mail ID". Enter the term you are looking for in the search box and select the column ("Date", "From", "To", "Subject", "Action" etc.) in which you expect it to appear.

SpamWall Mail Log Viewer Search 1

To search for email from a given address, for example, you would enter the exact address you are looking for in the search field. If you are uncertain of the exact email address, subject, etc. you can search on a partial term instead.

When searching on a partial term there is no need to add any kind of "wild card" character (* % etc.) to your search parameter; the term is matched literally as a substring. For example, to find all of the email from all of the addresses at the domain "example.com" you would enter the search term "example.com", which returns all of the email from any address at the "example.com" domain.

Another example: if you are looking for an email from a friend who usually puts something like "From Bob" in the subject line but sometimes uses "Hi, from Bob" instead, you cannot be sure of the exact subject line. In such cases use the partial term "Bob" in a "Subject" search to display every message whose subject line contains "Bob".

You can also restrict your search to a time period ranging from "Last 5 Minutes" through to "Last 30 Days" by selecting the appropriate time frame from the drop down "period" list, or select "Custom Period" and specify any date range desired.

SpamWall Mail Log Viewer Search 2

The Mail Log Viewer search functions are very flexible and powerful and can be used to quickly and easily locate records relating to any email activity processed by your SpamWall system.

Depending on the amount of email activity on your SpamWall system and the volume of mail log data stored on it, it may take 30-60 seconds or more for the data to be processed and displayed, both when first opening the Mail Log Viewer screen and during searches and other display actions.
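To make the search semantics above concrete, here is an added Python example (not SpamWall's own code) that models the viewer's columns, applies a literal partial-term match on a chosen column, restricts results to a preset or custom period, and sorts by a column the way the column-header links do. The records, the fixed clock, the intermediate period presets and case-insensitive matching are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


# Constructed records shaped like the viewer's columns; not real SpamWall data.
@dataclass(frozen=True)
class LogRecord:
    date: datetime
    sender: str              # "From" column
    recipient: str           # "To" column
    subject: str
    action: str
    score: Optional[float]   # None for entries rejected before scanning
    source_ip: str
    mail_id: str             # empty for entries rejected before scanning


NOW = datetime(2024, 3, 15, 14, 30)  # fixed clock so results are reproducible

RECORDS: List[LogRecord] = [
    LogRecord(NOW - timedelta(minutes=3), "bob@example.com", "alice@example.org",
              "From Bob", "Passed Clean", 1.2, "192.0.2.10", "A1B2C3"),
    LogRecord(NOW - timedelta(hours=5), "bob@example.com", "alice@example.org",
              "Hi, from Bob", "Passed Clean", 0.8, "192.0.2.10", "A1B2C4"),
    LogRecord(NOW - timedelta(days=2), "carol@example.com", "alice@example.org",
              "Invoice", "Blocked SPAM", 9.7, "198.51.100.7", "A1B2C5"),
    LogRecord(NOW - timedelta(days=40), "dave@mail.example.net", "alice@example.org",
              "Re: meeting", "Sent", 3.1, "203.0.113.5", "A1B2C6"),
    LogRecord(NOW - timedelta(minutes=1), "", "alice@example.org",
              "", "Blacklisted", None, "198.51.100.9", ""),
]

# How each searchable column is rendered as text for matching.
COLUMNS: Dict[str, Callable[[LogRecord], str]] = {
    "Date": lambda r: r.date.strftime("%Y-%m-%d %H:%M:%S"),
    "From": lambda r: r.sender,
    "To": lambda r: r.recipient,
    "Subject": lambda r: r.subject,
    "Action": lambda r: r.action,
    "Score": lambda r: "" if r.score is None else f"{r.score:.1f}",
    "Source IP": lambda r: r.source_ip,
    "Mail ID": lambda r: r.mail_id,
}

# Preset periods. Only "Last 5 Minutes" and "Last 30 Days" are named in the
# manual; the intermediate presets are assumed for this example.
PERIODS: Dict[str, timedelta] = {
    "Last 5 Minutes": timedelta(minutes=5),
    "Last Hour": timedelta(hours=1),
    "Last 24 Hours": timedelta(days=1),
    "Last 7 Days": timedelta(days=7),
    "Last 30 Days": timedelta(days=30),
}


def search(records: List[LogRecord], term: str, column: str,
           period: Optional[str] = None,
           custom: Optional[Tuple[datetime, datetime]] = None,
           now: datetime = NOW) -> List[LogRecord]:
    """Return records whose `column` contains `term` as a literal substring.

    There is no wildcard syntax: '*' and '%' are matched as ordinary characters.
    Case-insensitive matching is an assumption, not documented behaviour.
    `period` selects a preset ending at `now`; `custom` is an explicit (start, end).
    """
    if column not in COLUMNS:
        raise ValueError(f"unknown column {column!r}")
    if period is not None and custom is not None:
        raise ValueError("use either a preset period or a custom range, not both")
    start = end = None
    if period is not None:
        start, end = now - PERIODS[period], now
    elif custom is not None:
        start, end = custom
    needle = term.casefold()
    render = COLUMNS[column]
    hits = []
    for rec in records:
        if start is not None and not (start <= rec.date <= end):
            continue
        if needle in render(rec).casefold():
            hits.append(rec)
    return hits


def sort_by(records: List[LogRecord], column: str,
            descending: bool = False) -> List[LogRecord]:
    """Sort like clicking a column header. Empty scores (entries rejected
    before scanning) sort after numeric ones in ascending order."""
    if column == "Score":
        key = lambda r: (r.score is None, r.score if r.score is not None else 0.0)
    elif column == "Date":
        key = lambda r: r.date
    else:
        key = lambda r: COLUMNS[column](r).casefold()
    return sorted(records, key=key, reverse=descending)


if __name__ == "__main__":
    for rec in search(RECORDS, "Bob", "Subject", period="Last 30 Days"):
        print(rec.date, rec.sender, rec.subject)
```

A "From" search for "example.com" matches both bob@ and carol@ addresses but not dave@mail.example.net, and prefixing the term with "*" finds nothing because the star is taken literally.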


The Mail Log Viewer system displays the "Date", "From", "To", "Subject", "Action", "Score", "Source IP" and "Mail ID" related records of email activity on your SpamWall system for any given date range selected. If required, the results can be sorted by clicking on the blue hyperlinks of the column headers.

The "Date" field indicates the date and system time at which a given email was received and processed.

The "From" field indicates the email address of the sender. Note that this is frequently "forged" or "spoofed", particularly where Spam is concerned, so it should not be relied on by itself when deciding what to blacklist or whitelist.

The "To" field indicates what email address the message was addressed to.

The "Subject" line is the subject of the message, of which the first 20 characters is displayed with the entire subject line viewable by hovering the cursor over the text.

The "Action" field specifies what action was taken by your SpamWall system with regards to a given message. This would depend on a number of factors including the Spam Scoring Levels configured on your system.

The "Score" field indicates what Spam Score an email message was assigned. A score is only present for messages which reached the Spam Scanning and Filtering stage of the filtering process, not for those which were rejected at the initial connection stage or at the RBL/Blacklist checking stage.

The "Action" field will usually contain a specific reason, "Blacklisted", "Blocked SPAM" etc, why a particular action was taken with respect to the processing of a given email message.

The "Source IP" field indicates the IP address of the connecting mail server from which a given message was received, or from which a connection was blocked for Connection Control reasons or for being listed in one of the RBL Blacklists configured on your system or in the local System Blacklist.

The "Mail ID" is the identifier assigned to messages which reached the Spam Scanning and Filtering stage and were then either blocked and sent to the System Quarantine or passed and forwarded to their intended recipient and destination email server. If the message has been sent to the quarantine, the Mail ID can be used to find it with the quarantine search function.

For example, if the "Action" associated with a particular email is "Sent", this indicates that the message was processed by your SpamWall system, was not rejected due to RBL Blacklisting or Connection Control checks, and scored under the current "Action/Kill" level set in the Spamfilter Config screen (the Spamfilter Config screen is called "My AntiSpam Scoring" for Domain Admins and individual account users).

As a result, the message would not have either been blocked entirely or otherwise sent to the Spam Quarantine. The message may have been "Tagged" as "Spam" and delivered to the recipient if it scored over the "Advanced Tag Level" set on your SpamWall system. This will usually be indicated in the "Subject” field with the "[SPAM?]" type subject line.

Otherwise, if under the current "Advanced Tag Level" set on your SpamWall system, the message would likely have been "Passed Clean" and forwarded on to the end user recipient. This would indicate that it was processed by your SpamWall system and determined to be under the current criteria for Spam/UCE and also free of any Virus or other harmful attachments so it was delivered on to the end user recipient as being most likely a legitimate email message.

Another "Action" attribute which can be associated with email is "Blocked SPAM", which means that the message scored above the current "Action/Kill" level set on your SpamWall system and was therefore sent to the System Quarantine.

The "Rejected" action can result from a number of Connection Control related checks, including the following:

Sender address rejected: Domain not found

This means that the domain in the sender address of the message was either invalid or did not resolve in DNS at the time. Sometimes these will be referenced as simply "Domain not found".

Relay access denied

This can mean either that a spammer is attempting to send email to an address at a domain which is not serviced by your SpamWall, possibly probing whether your SpamWall is an open relay, or that your SpamWall has not been properly set up in the IP/Domain Setup screen for a domain whose MX record points to the system.

Helo command rejected: Invalid name

This means that the "HELO" command issued by the sending mail server or system was invalid, for example a garbled HELO such as "helo=<??????????74>".

Usually this is due to the sender not being a real mail server but rather a "bot" or infected computer of some kind which is malfunctioning or unable to issue proper email server commands.

Improper use of SMTP command pipelining

This means that the sending system is not following the SMTP protocol correctly and sends commands ahead of time, before the server has responded, where pipelining is not permitted. This is most likely a "bot", "Spamware" or virus-infected computer attempting to send Spam.

Recipient address rejected: Domain not found

This means that the domain in the recipient address of the message was either invalid or did not resolve in DNS. If the recipient address belongs to a domain which is hosted on your SpamWall system, this points to a DNS issue with that domain.

Sender address rejected: need fully-qualified address

This means that the sender address does not contain a valid domain or host name. Usually this behaviour will be seen from bots and infected computers attempting to send Spam. A few examples of sender addresses of this kind are:

from=<@adminemail@>
from=<admin@issip>
from=<thewu32@ukweb1>
from=<root>


The full rejection response for any of the cases above can be viewed by hovering your mouse pointer over the "Rejected" reference in the Mail Log Viewer output.

SpamWall Mail Log Viewer Rejected

One "Action" attribute you will likely see on a considerable number of mail log records is "Blacklisted". This means that the message was blocked entirely by your SpamWall because the IP address, domain or email address associated with it was listed in one of the active RBL Blacklists on your system, or was in the local System Blacklist.

If a message has been rejected because the sending mail server IP address is in one of the active RBL Blacklists on your system, hovering your mouse pointer over the "Blacklisted" reference in the entry will show which blacklist caused the rejection.

SpamWall Mail Log Viewer Blacklist Check

You can then click on the link if desired and it will take you to a page which will provide more information on the blacklisting as well as further links and information concerning why the IP was listed and how to carry out a delisting if applicable.

In the case of "Blacklisted" messages there will be no "Subject" line recorded and the "Score" will be empty, as the connection is dropped entirely by the SpamWall system before any message content is processed.
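As an added example (not SpamWall's own code), the following Python classifies constructed Postfix-style smtpd reject lines into the "Rejected" reasons listed above and the "Blacklisted" attribute, pulling out the RBL name that the hover text shows and leaving "Subject", "Score" and "Mail ID" empty as the manual describes. The rejection strings are the ones Postfix's smtpd emits; the raw log line layout, the host names, IP addresses and the RBL name "rbl.example.net" are constructed for this example, and rejections caused by the local System Blacklist are not modelled.

```python
import re
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed log lines in Postfix smtpd layout. The first is an ordinary
# connect line so the parser's "not a reject record" path is exercised too.
SAMPLE_LOG = """\
Mar 15 14:27:03 spamwall postfix/smtpd[2210]: connect from unknown[198.51.100.9]
Mar 15 14:27:03 spamwall postfix/smtpd[2210]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using rbl.example.net; from=<promo@bulk.example> to=<alice@example.org> proto=ESMTP helo=<mx.bulk.example>
Mar 15 14:27:10 spamwall postfix/smtpd[2211]: NOQUEUE: reject: RCPT from mail.nowhere.invalid[203.0.113.5]: 450 4.1.8 <joe@nowhere.invalid>: Sender address rejected: Domain not found; from=<joe@nowhere.invalid> to=<alice@example.org> proto=ESMTP helo=<mail.nowhere.invalid>
Mar 15 14:27:18 spamwall postfix/smtpd[2212]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 554 5.7.1 <victim@other.example>: Relay access denied; from=<spam@bulk.example> to=<victim@other.example> proto=ESMTP helo=<bulk.example>
Mar 15 14:27:25 spamwall postfix/smtpd[2213]: NOQUEUE: reject: RCPT from unknown[192.0.2.78]: 504 5.5.2 <??????????74>: Helo command rejected: Invalid name; from=<bot@bulk.example> to=<alice@example.org> proto=SMTP helo=<??????????74>
Mar 15 14:27:31 spamwall postfix/smtpd[2214]: NOQUEUE: reject: DATA from unknown[192.0.2.79]: 503 5.5.0 <DATA>: Data command rejected: Improper use of SMTP command pipelining; from=<news@bulk.example> to=<alice@example.org> proto=ESMTP helo=<bulk.example>
Mar 15 14:27:40 spamwall postfix/smtpd[2215]: NOQUEUE: reject: RCPT from mail.partner.example[203.0.113.9]: 450 4.1.2 <alice@hosted.example>: Recipient address rejected: Domain not found; from=<pat@partner.example> to=<alice@hosted.example> proto=ESMTP helo=<mail.partner.example>
Mar 15 14:27:52 spamwall postfix/smtpd[2216]: NOQUEUE: reject: RCPT from unknown[192.0.2.80]: 504 5.5.2 <root>: Sender address rejected: need fully-qualified address; from=<root> to=<alice@example.org> proto=SMTP helo=<ukweb1>
"""

# One smtpd reject line: timestamp, host, stage, client host[ip], SMTP code,
# enhanced status, free-text reason, then the envelope fields Postfix appends.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"(?P<stage>\w+) from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<esc>\d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> proto=\w+ helo=<(?P<helo>[^>]*)>$"
)

# The Connection Control reasons listed in the manual, matched as substrings
# of the free-text reason so the leading "<address>:" prefix does not matter.
REJECT_REASONS = (
    "Sender address rejected: Domain not found",
    "Relay access denied",
    "Helo command rejected: Invalid name",
    "Improper use of SMTP command pipelining",
    "Recipient address rejected: Domain not found",
    "Sender address rejected: need fully-qualified address",
)

RBL_RE = re.compile(r"blocked using (?P<rbl>\S+)")


def classify(reason: str) -> Tuple[str, str]:
    """Map a reject reason to the viewer's Action plus the hover-text detail."""
    m = RBL_RE.search(reason)
    if m:
        return "Blacklisted", m.group("rbl")     # detail is the RBL that listed the IP
    for known in REJECT_REASONS:
        if known in reason:
            return "Rejected", known
    return "Rejected", reason                     # unknown reason kept verbatim


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one smtpd reject line into a row shaped like the viewer's columns.
    Returns None for lines that are not reject records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    action, detail = classify(m["reason"])
    return {
        "Date": m["ts"],
        "From": m["from"],
        "To": m["to"],
        "Subject": "",          # connection refused before DATA: no subject seen
        "Action": action,
        "Reason": detail,
        "Score": "",            # never reached the scanning stage
        "Source IP": m["ip"],
        "Mail ID": "",          # no queue ID is assigned to a NOQUEUE reject
        "HELO": m["helo"],
    }


def summarize(log_text: str) -> Counter:
    """Count (Action, Reason) pairs across a log; handy for spotting which
    Connection Control check is doing most of the work."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["Action"], rec["Reason"])] += 1
    return counts


if __name__ == "__main__":
    for (action, reason), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {action:<12} {reason}")
```

Running the block prints one "Blacklisted" entry attributed to rbl.example.net and one "Rejected" entry for each of the six Connection Control reasons; the leading connect line is skipped because it carries no reject record.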

The "Score" field indicates what "Spam Score" a given message was allocated by your SpamWall system during processing. This "score" would be a reflection of the "Spam Score" associated with a given email message processed by the system as detailed in the Spamfilter Config section of the documentation.

The "Source IP" field indicates the IP address of the connecting mail server from which a given message was received, or which was blocked for being listed in one of the RBL Blacklists or in the local System Blacklist.

If you notice a significant number of unwanted emails being received from a particular IP address, domain or email address which you would prefer not to receive and which for some reason are not already being blocked by your SpamWall system, you can select the associated entry in the Mail Log Viewer system and add this to the System Blacklist.

SpamWall Mail Log Viewer Add Blacklist

Likewise, messages from legitimate or desired senders which have been blocked by the system and sent to the quarantine or tagged with the "[SPAM?]" type subject tag due to scoring over the set scoring levels can be added to the System Whitelist in the same manner.

Note that email addresses and domains added to the whitelist from the Mail Log Viewer screen will be added to the System Whitelist and IP addresses will be added to the Trusted IPs.

For Domain Admin users, email addresses added from the Mail Log Viewer go into the user's own local whitelist or blacklist. Additions of entire domains or IP addresses are instead sent as an email request to the main SpamWall admin for addition to the System Blacklist, System Whitelist or Trusted IP list at the admin's discretion.

Log files are stored on your SpamWall system for up to 90 days by default although this storage period can alternatively be changed to 7, 14, 21, 30, 60 or 120 days by the SpamWall admin in the Mail Log Storage Period section of the System Settings screen.

 
