邮件跟踪日志的基础知识教程-浅析邮件日志
简单三步解决企业垃圾邮件难题
邮件跟踪日志的文件格式
要对邮件日志进行分析,首先需要对邮件日志文件的格式了解得非常清楚。下面,我们将以Exchange 2003的日志文件为例,详细解释其格式。(Exchange 2000的日志文件格式和Exchange 2003是相同的。)
实际上,邮件跟踪日志文件是以文本的形式存放在Exchsrvr
317700 How to change the location of the message tracking logs in Exchange 2000 Server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;317700
日志文件的命名格式也相对简单,就以日志生成的日期为名,其格式为YYYYMMDD.log。注意,日志中包含的数据是从格林威治标准时间0:00到23:59发生在该服务器上的邮件记录。因此,对于不在GMT +00时区的服务器而言,日志文件名中的日期和实际我们要查询的日期并非完全匹配。
对于熟悉W3C格式的IIS日志的朋友,邮件跟踪日志对你们来说就不是什么新鲜事了。他们在格式上基本相同。下面我们将打开一个Exchange 2003的邮件跟踪日志文件,来阐述其文件格式。
# Message Tracking Log File
# Exchange System Attendant Version 6.5.7226.0
# Date Time client-ip Client-hostname Partner-Name Server-hostname server-IP Recipient-Address Event-ID MSGID Priority Recipient-Report-Status total-bytes Number-Recipients Origination-Time Encryption service-Version Linked-MSGID Message-Subject Sender-Address
通常我们可以看到文件的头三行以#标识。第一行指明这是一个邮件跟踪日志文件。第二行指明了当前服务器的版本。第三行则是最关键的一行。它给出了当前日志文件的每一条记录所包含的列以及相应的顺序。列名和列名之间以Tab键分隔开。
在文件头之后是两个空行,然后紧接着就是邮件跟踪记录。记录以行为单位,每一行给出了第三行列出的所有列的数据。如果某一列的值不存在,就以”-“代替。列和列之间依然以Tab键分隔。
2007-1-29 12:24:32 GMT - - - TEST01 - /O=TEST GTSC/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=Administrator 1027 E830238C2711FB4BA337AD16A10C626F57CF@TEST01.TEST.GTSC 0 0 2087 3 2007-1-29 12:24:32 GMT 0 - c=US;a= ;p=TEST GTSC;l=TEST01-070129122431Z-1 TEST EMAIL EX:/O=TEST GTSC/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ADMINISTRATOR -
2007-1-29 12:24:32 GMT - - - TEST01 - /O=TEST GTSC/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=EVANWANG 1027 E830238C2711FB4BA337AD16A10C626F57CF@TEST01.TEST.GTSC 0 0 2087 3 2007-1-29 12:24:32 GMT 0 - c=US;a= ;p=TEST GTSC;l=TEST01-070129122431Z-1 TEST EMAIL EX:/O=TEST GTSC/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=ADMINISTRATOR -
对于每一列的含义,这里作一个简要的说明:
Date | 事件发生的日期 |
Time | 事件发生的时间 |
client-ip | 客户端IP地址 |
Client-hostname | 客户端名字 |
Server-hostname | 当前服务器的名字 |
server-IP | 服务器端IP地址 |
Recipient-Address | 邮件接收人的地址 |
Event-ID | 当前所记录事件的类型 |
MSGID | 当前邮件的标识 |
Priority | 邮件优先级,0为普通 |
total-bytes | 当前邮件的大小 |
Number-Recipients | 当前邮件所有接收人的数目 |
Origination-Time | 邮件发送的时间 |
Encryption | 邮件的加密方式 |
Message-Subject | 邮件标题 |
Sender-Address | 邮件发送人的地址 |
在这些列中,我们需要重点了解其中两列的值所代表的含义:
MSGID作为当前邮件的标识,在邮件存在的整个生命周期中始终保持不变。例如,在上面的两条记录中,MSGID都是E830238C2711FB4BA337AD16A10C626F57CF@TEST01.TEST.GTSC 因此,我们可以利用它来识别邮件是否为同一封邮件。
Event-ID指出了当前所记录事件的类型。邮件从投递到完成发送,需要经历不同的阶段和事件,例如:SMTP: Message Submitted to Categorizer,SMTP: Started Outbound Transfer of Message。对应于每一个事件,我们都有相应的Event-ID。这样才能更真实地跟踪邮件的流向。
这里,我们列出了Exchange 2003服务器上可能遇到的所有事件,以便于你更好地理解跟踪日志的内容。
ID | 具体描述 |
0 | The message was received from a server, connector, or gateway. |
1 | An X.400 Probe was received from a gateway, link, or MTA. |
2 | A delivery receipt or NDR was received from a server, connector,or gateway. |
4 | The message was sent by the client. |
5 | An X.400 Probe was received from a user. |
6 | An X.400 Probe was sent to a gateway, link, or MTA. |
7 | The message was sent to a server,connector, or gateway. |
8 | A delivery receipt or NDR was sent to a server, connector, or gateway. |
9 | The message was delivered to a mailbox or public folder. |
10 | A delivery receipt or NDR was delivered to a mailbox. |
18 | StartAssocByMTSUser |
23 | ReleaseAssocByMTSUse. |
26 | A recipient distribution list was expanded so the message could be sent to different addresses. |
28 | The message was sent to a mailbox other than those of the recipients. |
29 | The message was routed to an alternate path. |
31 | An X.400 message was downgraded to 1984 format prior to relay. |
33 | The number of delivery receipts or NDRs exceeded a threshold, and the reports were deleted. |
34 | A delivery receipt or NDR was created. |
43 | A delivery receipt or NDR could not be routed and was deleted from the queue. |
50 | The Administrator deleted an X.400 message queued for a gateway. |
51 | The Administrator deleted an X.400 probe queued for a gateway. |
52 | The administrator deleted an X.400 report queued for a gateway. |
1000 | The sender and recipient are on the same server. |
1001 | Mail was received from another MAPI system across a connector or gateway. |
1002 | Mail was sent to another MAPI system across a connector or gateway. |
1003 | The message was sent through a gateway. |
1004 | The message was received from a gateway. |
1005 | A delivery receipt or NDR was received from a gateway. |
1006 | A delivery receipt or NDR was sent through a gateway. |
1007 | A gateway generated an NDR for a message. |
1010 | Outbound mail was queued for delivery by the Internet Mail Service. |
1011 | Outbound Outbound mail was transferred to an Internet recipient. |
1012 | Inbound Inbound mail was received from by the Internet Mail Service. |
1013 | Inbound Mail received by the Internet Mail Service was transferred to the Information Store. |
1014 | An Internet message is being rerouted or forwarded to the proper location. |
1015 | A delivery receipt or NDR was received by the Internet Mail Service. |
1016 | A delivery receipt or NDR was sent to the Internet Mail Service. |
1017 | A delivery receipt or NDR was created. |
1018 | The receipt or NDR could not be delivered, and was absorbed. (It is not possible to send an NDR for an NDR.) |
1019 | SMTP: Message Submitted to Advanced Queuing. |
1020 | SMTP: Started Outbound Transfer of Message. |
1021 | SMTP: Message Sent to Badmail |
1022 | SMTP: Advanced Queue Failure |
1023 | SMTP: Message Delivered Locally |
1024 | SMTP: Message Submitted to Categorizer |
1025 | SMTP: Started Message Submission to Advanced Queue |
1026 | SMTP: Advanced Queue Failed to Deliver Message |
1027 | SMTP Store Driver: Message Submitted from Store |
1028 | SMTP Store Driver: Message Delivered Locally to Store |
1029 | SMTP Store Driver Submitted Message to MTA |
1030 | SMTP: Non-Delivered Report (NDR) Generated |
1031 | SMTP: Ending Outbound Transfer |
1032 | SMTP Message Scheduled to Retry Categorization |
1033 | SMTP Message Categorized and Queued for Routing |
1034 | SMTP Message Routed and Queued for Remote Delivery |
1035 | SMTP Message Scheduled to Retry Routing |
1036 | SMTP Message Queued for Local Delivery |
1037 | SMTP Message Scheduled to Retry Local Delivery |
1038 | SMTP Message Routed and Queued for Gateway Delivery |
1039 | SMTP Message deleted by Intelligent Message Filtering |
1040 | SMTP Message rejected by Intelligent Message Filtering |
1041 | SMTP Message archived by Intelligent Message Filtering |
1042 | Message redirected to the alternate recipient |
1043 | Invalid Event Type |
如何分析邮件跟踪日志
对跟踪日志的格式了解之后,分析日志中的数据也就不再是一件难事了。我们可以逐行读入日志记录,对相关数据进行统计。由于篇幅所限,本文只讨论其中的一种统计场景 -- 如何统计邮件发送人及其所发送邮件的数目,并给出相关的示范代码(VBScript编写)以供大家参考。
一封邮件可以经历多个事件,直到它被成功发送。导致的结果是,一封邮件可以对应于与日志中的数条记录。如何有效地区分这些记录,避免重复统计,是我们最先应该考虑的问题。前面我们提到过,MSGID是贯穿邮件生命周期的标识,我们可以利用它来区分不同的邮件。因此,我们基本上的思路是:建立一个集合对象,把MSGID存入其中。当读入一条新记录时,我们会查找该集合对象。如果MSGID已经存在,说明该邮件已经被统计过,我们可以忽略。否则的话,我们将把这个MSGID插入到集合中,并进行统计。
对于统计邮件发送人的情况,我们需要建立另外一个集合,用于存贮每一封邮件的发送人的地址。如果当前发送人地址不在集合中,我们将把这个地址插入集合,并把相应的邮件数量置为初始值1。当我们发现这个邮件发送人的地址已经存在的话,我们就只要把相应邮件数量的值加1。 当完成整个日志文件的分析后,我们的集合对象就能给出想要的统计数据了。
下面是相关的VBScript代码。这个脚本能够分析统计日志文件中发送人的邮件地址,以及他相应发送邮件的数量。把源代码拷贝到一个文本文件中,并以.VBS为扩展名进行命名,例如:ParseLog.vbs。之后,通过以下命令运行脚本。(注:20070109.log是日志文件名。通常还需要提供文件路径。)
CScript ParseLog.VBS 20070109.log
===================代码开始===================
\' 本代码的目的是为了更清楚地解释日志的格式和分析方法。仅供大家参考。
\' 代码中对很多情况未作特殊处理。因此,作者不建议在生产环境中使用它。
\' 如果因不当使用而引起的任何问题,作者不负任何责任。谢谢。
Const conE2kMSGID = 9
Const conSenderaddress = 19
Dim MSGIDArray \' 用于统计MSGID的数组
Dim OriginatorArray \' 用于统计Sender得数组
Dim objFileSystem
Dim strTrackingLogs
Dim objCurrentLog
Dim objKey
Set MSGIDArray = CreateObject("Scripting.Dictionary")
Set OriginatorArray = CreateObject("Scripting.Dictionary")
MSGIDArray.CompareMode = vbTextCompare
OriginatorArray.CompareMode = vbTextCompare
\' 从命令行获取日志文件的路径
strTrackingLogs = ""
If WScript.Arguments.count = 1 Then
strTrackingLogs = WScript.Arguments(0)
Else
WScript.Echo "Invalid Log File pathname!"
End If
Set objFileSystem = CreateObject("Scripting.FileSystemObject")
If objFileSystem.FileExists( strTrackingLogs ) Then
Set objCurrentLog = objFileSystem.OpenTextFile( strTrackingLogs,1, FALSE )
\' 打开日志文件进行分析
ParseTrackingLog( objCurrentLog )
End If
\' 显示统计结果
For Each objKey In OriginatorArray
WScript.Echo CStr(objKey) & ", " & OriginatorArray(objKey)
Next
Sub ParseTrackingLog(byRef objCurrentLog)
\'ON ERROR RESUME NEXT
Dim rgStatusArray, strOriginator
\' 跳过前5行文件头
objCurrentLog.SkipLine
objCurrentLog.SkipLine
objCurrentLog.SkipLine
objCurrentLog.SkipLine
objCurrentLog.SkipLine
Do While objCurrentLog.AtEndOfStream <> TRUE
\' 按行读取列数据到数组里
rgStatusArray = Split(objCurrentLog.ReadLine,Chr(9),-1,vbBinaryCompare)
If UBound(rgStatusArray) = 20 Then
\' 记录MSGID,判断该邮件是否被统计过
If Not MSGIDArray.Exists( rgStatusArray(conE2kMSGID) ) Then
MSGIDArray.Add rgStatusArray(conE2kMSGID),1
strOriginator = rgStatusArray(conSenderaddress)
\' 记录发送人
If Not OriginatorArray.Exists( strOriginator ) Then
OriginatorArray.Add strOriginator, 1
OriginatorArray.Item(strOriginator)=OriginatorArray.Item(strOriginator)+1
End If
End If
End If
Loop
End Sub
===================代码结束===================
| 自由广告区 |
 |
 |
| 分类导航 |
| 邮件新闻资讯: IT业界 | 邮件服务器 | 邮件趣闻 | 移动电邮 电子邮箱 | 反垃圾邮件|邮件客户端|网络安全 行业数据 | 邮件人物 | 网站公告 | 行业法规 网络技术: 邮件原理 | 网络协议 | 网络管理 | 传输介质 线路接入 | 路由接口 | 邮件存储 | 华为3Com CISCO技术 | 网络与服务器硬件 操作系统: Windows 9X | Linux&Uinx | Windows NT Windows Vista | FreeBSD | 其它操作系统 邮件服务器: 程序与开发 | Exchange | Qmail | Postfix Sendmail | MDaemon | Domino | Foxmail KerioMail | JavaMail | Winwebmail |James Merak&VisNetic | CMailServer | WinMail 金笛邮件系统 | 其它 | 反垃圾邮件: 综述| 客户端反垃圾邮件|服务器端反垃圾邮件 邮件客户端软件: Outlook | Foxmail | DreamMail| KooMail The bat | 雷鸟 | Eudora |Becky! |Pegasus IncrediMail |其它 电子邮箱: 个人邮箱 | 企业邮箱 |Gmail 移动电子邮件:服务器 | 客户端 | 技术前沿 邮件网络安全: 软件漏洞 | 安全知识 | 病毒公告 |防火墙 攻防技术 | 病毒查杀| ISA | 数字签名 邮件营销: Email营销 | 网络营销 | 营销技巧 |营销案例 邮件人才:招聘 | 职场 | 培训 | 指南 | 职场 解决方案: 邮件系统|反垃圾邮件 |安全 |移动电邮 |招标 产品评测: 邮件系统 |反垃圾邮件 |邮箱 |安全 |客户端 |