Postfix
Overview
Postfix is a free and open-source mail transfer agent that routes and delivers electronic mail.
- Vendor: Postfix
- Supported environment: On Premise
- Version compatibility:
- Detection based on: Telemetry
- Supported application or feature: Email gateway, Mail server
Configure
At the moment, the main way to collect Postfix logs is the Rsyslog recipe below. Please share your experience with other recipes by editing this documentation.
Rsyslog
Postfix writes its logs through the local syslog daemon, by default with facility mail and program name postfix/<daemon> (the syslog_facility and syslog_name parameters), so the events already reach the rsyslog instance on the mail host. Refer to the Postfix documentation if your installation changed these defaults or logs to a file through postlogd (maillog_file), in which case rsyslog does not see the events at all. Then consult the Rsyslog Transport documentation to forward these logs to Sekoia.io.
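A minimal rsyslog forwarding rule for the Postfix facility, added here as an illustration; it is not taken from the Postfix or Sekoia.io documentation. The file name, the relay address, the port and the transport are assumptions: replace them with the values given in the Rsyslog Transport documentation.

```conf
# /etc/rsyslog.d/49-postfix-forward.conf   (file name is an assumption)
#
# Postfix logs with facility "mail" (syslog_facility default) and tag
# "postfix/<daemon>" (syslog_name default), so selecting the facility
# catches every Postfix daemon (smtpd, smtp, qmgr, cleanup, ...).
# Check the live values on the mail host with:
#     postconf syslog_facility syslog_name maillog_file
# If maillog_file is set (Postfix 3.4+ logging to a file via postlogd),
# the messages never reach syslog and this rule forwards nothing.
#
# target/port/protocol below are placeholders, to be replaced with the
# collector endpoint from the Rsyslog Transport documentation.
if ($syslogfacility-text == "mail") then {
    action(type="omfwd"
           target="collector.example.internal"
           port="514"
           protocol="tcp"
           template="RSYSLOG_SyslogProtocol23Format"
           queue.type="LinkedList"
           queue.filename="postfix_fwd"
           queue.saveOnShutdown="on"
           action.resumeRetryCount="-1")
}
```

The disk-assisted queue keeps events across collector outages instead of dropping them, which matters for an audit trail of mail flow. If other programs on the host also log to the mail facility (an IMAP server, for example) and you only want Postfix, replace the facility test with $programname startswith "postfix".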
Raw Events Samples
In this section you will find examples of raw logs as generated natively by the source. They are provided to help integrators understand the data format before ingestion into Sekoia.io, which is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured. The samples below show the message part only: on the wire each line is preceded by the syslog header (timestamp, hostname and the postfix/<daemon>[pid] tag), and the daemon name in that tag (smtpd, smtp, qmgr, cleanup, local, ...) tells you which message format to expect.
statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30
2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out)
11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)
3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)
77EFFC0015: warning: header Content-Disposition: inline; filename="image003.jpg"; size=26055;??creation-date="Thu, 12 Sep 2019 12:39:01 GMT";??modification-date="Thu, 12 Sep 2019 12:40:01 GMT" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>
3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>
2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>
B4B613F8B7: warning: header Content-Disposition: inline; filename="image001.png"; size=8879;??creation-date="Thu, 14 Mar 2024 10:19:00 GMT";??modification-date="Thu, 14 Mar 2024 10:19:00 GMT" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>
707A12000A: warning: header Content-Disposition: attachment;??filename="?iso-8859-2?q?representative_on_migration.pdf?="; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>
486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]
8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr
disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4
53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)
53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)
disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6
EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service)
dns: new_dns_packet: domain is utf8 flagged: ns1.example.org
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)
476295F5AD: message-id=<aaaaaaaaaa=@pm.me>
123456789: message-id=<foo@corp.com>
NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com>
NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com>
Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)
action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net
action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com
E43D43F838: uid=117 from=<no-reply@example.org>
Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN> Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23
Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>
None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>
Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>
Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>
Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23
prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>
Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>
Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN>
None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN>
Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN>
Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23
Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23
7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)
01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587
023069605C: Used TLS for smtp.example.org[163.172.55.8]:25
NOQUEUE: client=unknown[10.100.0.3]
warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)
0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)
proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>
D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25
581B85F5B3: warning: header Content-Disposition: inline; filename="image018.png"; size=162328;??creation-date="Thu, 11 Apr 2024 07:53:08 GMT";??modification-date="Thu, 11 Apr 2024 07:53:08 GMT" from local; from=<jdoe@example.org> to=<jane.doe@example.com>
59B835F5AD: warning: header Content-Disposition: attachment;??filename="=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>
EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>
000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE
008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE
action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
whitelisted: mx.example.org[1.2.3.4/32]
whitelisted: unknown[1.2.3.4/32]
89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)
074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)
CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV)
56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)
95BCC140E40: replace: header From: EXAMPLE <hola@example.org>: From: noreply@example.org
95BCC140E40: replace: header From: Example Mailbox <test@example.org>: From: noreply@example.org
2F46A140256: replace: header From: "Example Help" <help@example.org>: From: help@example.org
warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure
05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)
30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)
connect to mx.example.org[5.6.7.8]:25: No route to host
connect to mail.corp.com[1.1.1.1]:25: Connection timed out
96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))
021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>
lost connection after BDAT from mx.example.org[192.168.100.124]
warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known
warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org
lost connection after AUTH from unknown[1.1.1.1]
connect from unknown[10.1.1.1]
Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled
spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5
spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118
spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117
spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118
spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118
spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117
spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
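As an added example, not part of this Sekoia.io page and not code from the Postfix project, the following Python script parses the message formats that recur in the samples above (delivery records keyed by queue ID, SASL authentication warnings, TLS connection lines and policyd-spf results) and runs a few detections over them: repeated SASL failures from one client, anonymous or pre-TLS-1.2 sessions, SPF failures and bounced or deferred deliveries. The sample lines, the field names of the returned dicts and the threshold of three failures are constructed for the illustration; header_checks warnings are free text and are only partially keyed.

```python
"""Parse the Postfix message formats shown above and run a few detections over them."""
import re
from collections import Counter

# Constructed sample lines (message part only, no syslog header), shaped like the raw events above.
SAMPLES = [
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@example.org",
    "warning: unknown[11.22.33.44]: SASL PLAIN authentication failed: authentication failure, sasl_username=admin@example.org",
    "lost connection after AUTH from unknown[11.22.33.44]",
    "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
    "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256",
    "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
    "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
    "E43D43F838: uid=117 from=<no-reply@example.org>",
    "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
]

# Queue IDs are upper-case hex (short form) or 14-16 mixed-case characters (long form);
# NOQUEUE marks a message handled before it was queued (rejects, filters).
QUEUE_RE = re.compile(r"^(?P<qid>NOQUEUE|[0-9A-F]{8,12}|[0-9A-Za-z]{14,16}): (?P<rest>.*)$")
STATUS_RE = re.compile(r"status=(?P<status>\w+)(?: \((?P<detail>.*)\))?\s*$")
SASL_RE = re.compile(
    r"^warning: (?P<host>\S+?)\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\w+) authentication failed: "
    r"(?P<reason>[^,]+)(?:, sasl_username=(?P<user>\S+))?"
)
TLS_RE = re.compile(
    r"^(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established (?:to|from) "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\](?::(?P<port>\d+))?: (?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)"
)
# policyd-spf output, with or without the "Received-SPF:" prefix that the prepend action adds.
SPF_RE = re.compile(
    r"(?:Received-SPF: )?(?P<result>Pass|Fail|Softfail|Neutral|None|Permerror|Temperror)"
    r"(?: \((?P<explain>[^)]*)\))?;? identity=(?P<identity>\w+); client-ip=(?P<ip>[^;]+); "
    r"helo=(?P<helo>[^;]+); envelope-from=(?P<from>[^;]*); receiver=(?P<receiver>\S+)"
)


def parse_line(line):
    """Classify one Postfix message into a flat dict with a 'kind' key."""
    line = line.rstrip()
    for kind, rx in (("sasl_failure", SASL_RE), ("tls", TLS_RE)):
        m = rx.match(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    m = SPF_RE.search(line)
    if m:
        return {"kind": "spf", **m.groupdict()}
    m = QUEUE_RE.match(line)
    if not m:
        return {"kind": "other", "raw": line}
    rec = {"kind": "queue", "queue_id": m.group("qid")}
    rest = m.group("rest")
    sm = STATUS_RE.search(rest)  # the status detail is free text, so take it off before splitting fields
    if sm:
        rec["status"], rec["detail"] = sm.group("status"), sm.group("detail")
        rest = rest[: sm.start()]
    # Fields are separated by ", " (delivery records), "; " (header_checks warnings)
    # or a bare space before the next key (pickup lines such as "uid=117 from=<...>").
    for field in re.split(r",\s|;\s|\s(?=\w+=)", rest):
        key, sep, value = field.partition("=")
        if sep and key.isidentifier():
            rec[key] = value.strip("<>")
    return rec


def detect(lines, sasl_threshold=3):
    """Return (rule, subject) findings: AUTH brute force, weak TLS, SPF failures and non-delivery."""
    findings, sasl_by_ip = [], Counter()
    for rec in map(parse_line, lines):
        kind = rec["kind"]
        if kind == "sasl_failure":
            sasl_by_ip[rec["ip"]] += 1
        elif kind == "tls" and (rec["trust"] == "Anonymous" or rec["proto"] in ("TLSv1", "TLSv1.1")):
            # "Anonymous" means no peer certificate was checked (ADH ciphers): encrypted, but unauthenticated.
            findings.append(("weak_tls", f"{rec['trust']} {rec['proto']} {rec['cipher']} with {rec['host']}[{rec['ip']}]"))
        elif kind == "spf" and rec["result"] in ("Fail", "Softfail", "Permerror"):
            findings.append((f"spf_{rec['result'].lower()}", f"{rec['from']} from {rec['ip']} (helo={rec['helo']})"))
        elif kind == "queue" and rec.get("status") in ("bounced", "deferred"):
            findings.append((f"delivery_{rec['status']}", f"{rec['queue_id']} to={rec.get('to')} dsn={rec.get('dsn')}"))
    for ip, n in sasl_by_ip.items():
        if n >= sasl_threshold:  # threshold is an assumption; tune it to your submission traffic
            findings.append(("sasl_bruteforce", f"{ip}: {n} failed AUTH attempts"))
    return findings


if __name__ == "__main__":
    for rule, subject in detect(SAMPLES):
        print(f"{rule:18} {subject}")
```

Run it as-is to print the findings for the embedded samples, or feed it the message part of real lines after stripping the syslog header. In production, dispatch on the syslog tag first: postfix/smtpd writes the SASL and TLS lines, postfix/smtp and postfix/local the delivery records, and the SPF policy service (postfix/policy-spf or similar, depending on how it is declared in master.cf) the Received-SPF lines, so the daemon name is the cheapest key to select a format. The Anonymous TLS check is most useful on outbound relays: with Postfix's default smtp_tls_security_level=may the remote certificate is not verified, so an anonymous session gives encryption but no authentication of the remote MX.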
01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587
023069605C: Used TLS for smtp.example.org[163.172.55.8]:25
NOQUEUE: client=unknown[10.100.0.3]
warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)
0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)
proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>
D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25
581B85F5B3: warning: header Content-Disposition: inline; filename="image018.png"; size=162328;??creation-date="Thu, 11 Apr 2024 07:53:08 GMT";??modification-date="Thu, 11 Apr 2024 07:53:08 GMT" from local; from=<jdoe@example.org> to=<jane.doe@example.com>
59B835F5AD: warning: header Content-Disposition: attachment;??filename="=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>
EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>
000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE
008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE
action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com
whitelisted: mx.example.org[1.2.3.4/32]
whitelisted: unknown[1.2.3.4/32]
89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)
074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)
CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257
56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)
95BCC140E40: replace: header From: EXAMPLE <hola@example.org>: From: noreply@example.org
95BCC140E40: replace: header From: Example Mailbox <test@example.org>: From: noreply@example.org
2F46A140256: replace: header From: "Example Help" <help@example.org: From: help@example.org
warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure
175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)
1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)
7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)
05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)
30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)
connect to mx.example.org[5.6.7.8]:25: No route to host
connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125
96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))
021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>
lost connection after BDAT from mx.example.org[192.168.100.124]
warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known
warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org
lost connection after AUTH from unknown[1.1.1.1]
connect from unknown[10.1.1.1] 88
Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled
spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5
spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5
spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118
spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117
spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118
spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118
spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117
spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
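The raw samples above mix several log shapes that custom rules usually key on: delivery status lines from `postfix/smtp` and `postfix/local` (`dsn=`, `status=`), verdict lines from the SPF policy daemon (`identity=`, `client-ip=`, `helo=`), and `postfix/smtpd` SASL failures. The following Python is an added example, not code from Postfix, Sekoia.io or this page: it parses those three shapes over constructed lines modelled on the samples (placeholder IPs and addresses), then counts SASL failures per client IP as a simple brute-force indicator and tallies SPF verdicts. The regular expressions, the threshold of three failures and the field names are assumptions of the example; the trailing `Reject action: 550 5.7.23` suffix seen on some SPF lines is deliberately not interpreted.

```python
"""Added example (not Postfix, Sekoia.io or page code): parse the Postfix log
shapes shown in the raw samples and run a minimal SASL brute-force detection."""
import re
from collections import Counter

# Constructed sample messages, modelled on the raw samples above, with the
# syslog prefix already stripped by rsyslog. IPs and addresses are placeholders.
SAMPLE_LINES = [
    "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, "
    "dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out)",
    "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, "
    "dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
    "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, "
    "delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
    "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; "
    "helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
    "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; "
    "envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
    "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[11.22.33.44]: SASL PLAIN authentication failed: authentication failure",
    "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: "
    "authentication failure, sasl_username=john.doe@exmaple.org",
]

# Delivery status line: queue id, recipient, optional original recipient,
# relay, DSN code and status keyword (the parenthesised text is left alone).
DELIVERY_RE = re.compile(
    r"^(?P<qid>[0-9A-F]+): to=<(?P<to>[^>]*)>,"
    r"(?: orig_to=<(?P<orig_to>[^>]*)>,)?"
    r" relay=(?P<relay>[^,]+),.*?dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)"
)

# smtpd SASL failure: client name, client IP, mechanism, reason, optional username.
SASL_RE = re.compile(
    r"^warning: (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: SASL (?P<mech>\S+) authentication failed:"
    r" (?P<reason>[^,]+)(?:, sasl_username=(?P<user>\S+))?$"
)

# SPF policy daemon verdict, with or without the "prepend Received-SPF:" prefix
# and with or without the parenthesised explanation after the result.
SPF_RE = re.compile(
    r"^(?:Action: )?(?:prepend:? )?(?:Text: )?(?:Received-SPF: )?"
    r"(?P<result>Pass|Fail|Softfail|Neutral|None|Permerror|Temperror)"
    r"(?:;| \([^)]*\))? identity=(?P<identity>\w+); client-ip=(?P<ip>[^;]+);"
    r" helo=(?P<helo>[^;]+); envelope-from=(?P<from>[^;]*);"
)


def parse_line(line):
    """Classify one message body and return its extracted fields."""
    m = DELIVERY_RE.match(line)
    if m:
        return {"kind": "delivery", **m.groupdict()}
    m = SASL_RE.match(line)
    if m:
        return {"kind": "sasl_failure", **m.groupdict()}
    m = SPF_RE.match(line)
    if m:
        fields = m.groupdict()
        # "<>" is the SMTP null sender (bounces); normalise it to an empty string.
        fields["envelope_from"] = fields.pop("from").strip("<>")
        return {"kind": "spf", **fields}
    return {"kind": "unparsed", "raw": line}


def parse_lines(lines):
    return [parse_line(line) for line in lines]


def detect_sasl_bruteforce(events, threshold=3):
    """Client IPs with at least `threshold` SASL failures (assumed threshold)."""
    counts = Counter(e["ip"] for e in events if e["kind"] == "sasl_failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def spf_verdicts(events):
    """Tally SPF results per checked identity (helo vs mailfrom)."""
    return Counter((e["identity"], e["result"]) for e in events if e["kind"] == "spf")


if __name__ == "__main__":
    parsed = parse_lines(SAMPLE_LINES)
    for ev in parsed:
        print(ev)
    print("SASL brute-force candidates:", detect_sasl_bruteforce(parsed))
    print("SPF verdicts:", dict(spf_verdicts(parsed)))
```

In a real deployment the per-IP count would be computed over a sliding time window using the syslog timestamp rather than over a static list, and `status=deferred` or `bounced` events with `dsn=5.x.x` to many distinct recipients from one sender are a second signal worth correlating with the SASL failures, since a compromised account is typically used to relay spam right after the password is guessed.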
Related Built-in Rules
The following Sekoia.io built-in rules match the Postfix intake. This documentation is updated automatically and is based solely on the fields produced by the intake, which are checked against our rules. Some listed rules may therefore not be relevant to this intake.
SEKOIA.IO x Postfix on ATT&CK Navigator
Advanced IP Scanner
Detects the use of Advanced IP Scanner, a tool popular with ransomware groups.
- Effort: master
Burp Suite Tool Detected
Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner).
- Effort: intermediate
Certify Or Certipy
Detects the use of certify and certipy which are two different tools used to enumerate and abuse Active Directory Certificate Services.
- Effort: advanced
Cobalt Strike Default Beacons Names
Detects the default names of Cobalt Strike beacons / payloads.
- Effort: intermediate
Correlation Potential DNS Tunnel
Detects domain names longer than 95 characters. Long domain names are distinctive of DNS tunnels.
- Effort: advanced
Credential Dump Tools Related Files
Detects processes or file names related to credential dumping tools and the dropped files they generate by default.
- Effort: advanced
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Dynamic DNS Contacted
Detects communication with dynamic DNS domains. This kind of domain is often used by attackers. The rule can trigger false positives in non-controlled environments, because dynamic DNS is not always malicious.
- Effort: master
EvilProxy Phishing Domain
Detects subdomains potentially generated by the EvilProxy adversary-in-the-middle phishing platform. Inspect the other subdomains of the domain to identify the landing page, and determine if the user submitted credentials. This rule has a small percentage of false positives on legitimate domains.
- Effort: intermediate
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
HackTools Suspicious Names
Quick-win rule to detect the default process names or file names of several HackTools.
- Effort: elementary
Login Brute-Force Successful On SentinelOne EDR Management Console
A user attempted to log in several times (brute force) to the SentinelOne EDR Management Console and eventually succeeded.
- Effort: master
PasswordDump SecurityXploded Tool
Detects the execution of the PasswordDump SecurityXploded Tool
- Effort: elementary
Potential DNS Tunnel
Detects domain names longer than 95 characters. Long domain names are distinctive of DNS tunnels.
- Effort: advanced
RSA SecurID Failed Authentification
Detects many failed authentication attempts followed by a successful login for a super admin account.
- Effort: advanced
RTLO Character
Detects RTLO (Right-To-Left character) in file and process names.
- Effort: elementary
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
Remote Monitoring and Management Software - AnyDesk
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool AnyDesk.
- Effort: master
Remote Monitoring and Management Software - Atera
Detect artifacts related to the installation or execution of the Remote Monitoring and Management tool Atera.
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
Suspicious Email Attachment Received
Detects emails containing an .exe, .dll, .ps1, .bat or .hta attachment. Files sent by mail with these extensions are most often malware.
- Effort: elementary
Suspicious File Name
Detects suspicious file names possibly linked to malicious tools.
- Effort: advanced
Suspicious PROCEXP152.sys File Created In Tmp
Detects the creation of the PROCEXP152.sys file in the application-data local temporary folder. This driver is used by Sysinternals Process Explorer but also by KDU (https://github.com/hfiref0x/KDU) or Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU. Note: attackers can easily bypass this detection by renaming the driver file, so the rule is only medium confidence and should not be relied on alone.
- Effort: advanced
Suspicious TOR Gateway
Detects suspicious TOR gateways. Gateways are often used by victims to pay and decrypt encrypted files without installing TOR. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits, or to tie together separate visits to different sites, which makes tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what is left on to the next relay in the list.
- Effort: advanced
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or a source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on the user's computer, usually the web browser, and shuffles it through a number of randomly chosen computers before passing it on to its destination. This disguises the user's location and makes it harder for servers to pick the user out on repeat visits, or to tie together separate visits to different sites, which makes tracking and surveillance more difficult. Before a network packet starts its journey, the user's computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption before passing what is left on to the next relay in the list.
- Effort: master
Telegram Bot API Request
Detects suspicious DNS queries to api.telegram.org, which is used by Telegram bots of any kind.
- Effort: advanced
WCE wceaux.dll Creation
Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed.
- Effort: intermediate
Event Categories
The following table lists the data sources offered by this integration.
Data Source | Description |
---|---|
Email gateway | Postfix logs many details on every handled message |
Mail server | Postfix logs many details on every handled message |
In detail, the following table lists the types of events produced by this integration.
Name | Values |
---|---|
Kind | `` |
Category | email |
Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/anvil"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"admin@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/error"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "sub.corp.com",
"domain": "sub.corp.com",
"registered_domain": "corp.com",
"subdomain": "sub",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"USER@sub.corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"sub.corp.com"
]
}
}
{
"message": "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "bounced",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"username@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "exemple.com",
"domain": "exemple.com",
"registered_domain": "exemple.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"john.doe@exemple.com"
]
}
},
"file": {
"created": "2019-09-12T12:39:01Z",
"ctime": "2019-09-12T12:40:01Z",
"name": "image003.jpg",
"size": 26055
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"exemple.com",
"mail.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.outbound.protection.outlook.com",
"domain": "mail.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"foo@corp.com"
]
},
"to": {
"address": [
"first.last@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"SUBDOMAIN.CORP.COM",
"corp.com"
],
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "SUBDOMAIN.CORP.COM",
"domain": "SUBDOMAIN.CORP.COM",
"ip": "10.1.1.1",
"registered_domain": "CORP.COM",
"subdomain": "SUBDOMAIN",
"top_level_domain": "COM"
}
}
{
"message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"email@corp.com"
]
},
"to": {
"address": [
"email@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"SUBDOMAIN.CORP.COM",
"corp.com"
],
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "SUBDOMAIN.CORP.COM",
"domain": "SUBDOMAIN.CORP.COM",
"ip": "10.1.1.1",
"registered_domain": "CORP.COM",
"subdomain": "SUBDOMAIN",
"top_level_domain": "COM"
}
}
{
"message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "office365.eu.vadesecure.com",
"domain": "office365.eu.vadesecure.com",
"registered_domain": "vadesecure.com",
"subdomain": "office365.eu",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"ndr.journaling@corp.com"
]
},
"to": {
"address": [
"corp@office365.eu.vadesecure.com"
]
}
},
"file": {
"created": "2024-03-14T10:19:00Z",
"ctime": "2024-03-14T10:19:00Z",
"name": "image001.png",
"size": 8879
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"office365.eu.vadesecure.com",
"subdomain.key.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "subdomain.key.corp.com",
"domain": "subdomain.key.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "subdomain.key",
"top_level_domain": "com"
}
}
{
"message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "lacomte.net",
"domain": "lacomte.net",
"registered_domain": "lacomte.net",
"top_level_domain": "net"
},
"email": {
"from": {
"address": [
"photo@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"file": {
"name": "?iso-8859-2?q?representative_on_migration.pdf?=",
"size": 259210
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"lacomte.net",
"mordor.com"
]
},
"source": {
"address": "mordor.com",
"domain": "mordor.com",
"registered_domain": "mordor.com",
"top_level_domain": "com"
}
}
{
"message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"COMPUTER.sub.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "COMPUTER.sub.corp.com",
"domain": "COMPUTER.sub.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "COMPUTER.sub",
"top_level_domain": "com"
}
}
{
"message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client whitelist",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client whitelist",
"target": "network-traffic"
},
"destination": {
"address": "corp2.fr",
"domain": "corp2.fr",
"registered_domain": "corp2.fr",
"top_level_domain": "fr"
},
"email": {
"from": {
"address": [
"firstname.lastname@corp.fr"
]
},
"to": {
"address": [
"firstname.lastname@corp2.fr"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp2.fr",
"mail-corp123.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail-corp123.outbound.protection.outlook.com",
"domain": "mail-corp123.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail-corp123.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "1.1.1.1",
"domain": "smtp.office365.com",
"ip": "1.1.1.1"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"P212321.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "P212321.PROD.OUTLOOK.COM",
"domain": "P212321.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "P212321.PROD",
"top_level_domain": "COM"
}
}
{
"message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "52.97.201.210",
"domain": "smtp.office365.com",
"ip": "52.97.201.210"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1111111111111.US0394.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"52.97.201.210"
]
},
"source": {
"address": "1111111111111.US0394.PROD.OUTLOOK.COM",
"domain": "1111111111111.US0394.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "1111111111111.US0394.PROD",
"top_level_domain": "COM"
}
}
{
"message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"localhost"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "localhost",
"domain": "localhost",
"ip": "127.0.0.1"
}
}
{
"message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"localhost"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "localhost",
"domain": "localhost",
"ip": "127.0.0.1"
}
}
{
"message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"firstname.lastname@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "ns1.example.org",
"domain": "ns1.example.org",
"registered_domain": "example.org",
"subdomain": "ns1",
"top_level_domain": "org"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"ns1.example.org"
]
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"foreman-proxy@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.com"
]
}
}
{
"message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.localdomain",
"domain": "example.localdomain",
"subdomain": "example"
},
"email": {
"to": {
"address": [
"proxy@example.localdomain"
]
}
},
"log": {
"syslog": {
"appname": ""
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "sample.orig.to"
},
"related": {
"hosts": [
"example.localdomain"
]
}
}
{
"message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"ip": "127.0.0.1",
"port": 2525,
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"john.doe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/local"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "jane.doe@example.com"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "476295F5AD: message-id=<aaaaaaaaaa=@pm.me>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "aaaaaaaaaa=@pm.me"
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "123456789: message-id=<foo@corp.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "foo@corp.com"
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "filter",
"outcome": "success",
"target": "network-traffic",
"type": "RCPT"
},
"destination": {
"address": "othercorp.com",
"domain": "othercorp.com",
"registered_domain": "othercorp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"foo.bar@subdomain.corp.com"
]
},
"to": {
"address": [
"firstname.lastname@othercorp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"foo.key.corp.com",
"othercorp.com"
],
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "foo.key.corp.com",
"domain": "foo.key.corp.com",
"ip": "192.168.1.1",
"registered_domain": "corp.com",
"subdomain": "foo.key",
"top_level_domain": "com"
}
}
{
"message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "filter",
"outcome": "success",
"target": "network-traffic",
"type": "RCPT"
},
"destination": {
"address": "corp2.com",
"domain": "corp2.com",
"registered_domain": "corp2.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"firstname.firstname@subdomain.corp.com"
]
},
"to": {
"address": [
"firstname.lastname@corp2.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"HOSTNAME.key.corp.com",
"corp2.com"
],
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "HOSTNAME.key.corp.com",
"domain": "HOSTNAME.key.corp.com",
"ip": "192.168.1.1",
"registered_domain": "corp.com",
"subdomain": "HOSTNAME.key",
"top_level_domain": "com"
}
}
{
"message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
}
}
{
"message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "triplet found",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"destination": {
"address": "lacomte.net",
"domain": "lacomte.net",
"registered_domain": "lacomte.net",
"top_level_domain": "net"
},
"email": {
"from": {
"address": [
"mechant@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"lacomte.net",
"mordor.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mordor.com",
"domain": "mordor.com",
"ip": "1.1.1.1",
"registered_domain": "mordor.com",
"top_level_domain": "com"
}
}
{
"message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client AAA",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AAA",
"target": "network-traffic"
},
"destination": {
"address": "acme.com",
"domain": "acme.com",
"registered_domain": "acme.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"Coyotte@acme.com"
]
},
"to": {
"address": [
"BIPBIP.NEWMAN@acme.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"acme.com",
"example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.com",
"domain": "example.com",
"ip": "1.2.3.4",
"registered_domain": "example.com",
"top_level_domain": "com"
}
}
{
"message": "E43D43F838: uid=117 from=<no-reply@example.org>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"no-reply@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pickup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/pipe"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN> Reject action: 550 5.7.23 210",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"ops@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "corp.com",
"domain": "corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"noreply@example.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Neutral",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"john.doem@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.mail.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.mail.protection.outlook.com",
"domain": "example.mail.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.mail.protection",
"top_level_domain": "com"
}
}
{
"message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mail.example.org",
"domain": "mail.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mail",
"top_level_domain": "org"
}
}
{
"message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"no-reply@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Softfail",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"noreply@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"prvs=30447fe13=no-reply@example.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.com",
"domain": "mx.example.com",
"ip": "1.2.3.4",
"registered_domain": "example.com",
"subdomain": "mx",
"top_level_domain": "com"
}
}
{
"message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"doe@newsletter.example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mta-11-22-33-44.example.or"
],
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "mta-11-22-33-44.example.or",
"domain": "mta-11-22-33-44.example.or",
"ip": "11.22.33.44",
"subdomain": "mta-11-22-33-44.example"
}
}
{
"message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"username@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.corp.com",
"domain": "mail.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "mail",
"top_level_domain": "com"
}
}
{
"message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"noreply@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"sub.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "sub.corp.com",
"domain": "sub.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "sub",
"top_level_domain": "com"
}
}
{
"message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Softfail",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"username@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "corp.com",
"domain": "corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"2.3.4.5"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "2.3.4.5"
}
}
{
"message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"posta.example.org"
],
"ip": [
"2.3.4.5"
]
},
"source": {
"address": "posta.example.org",
"domain": "posta.example.org",
"ip": "2.3.4.5",
"registered_domain": "example.org",
"subdomain": "posta",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "policyd-spf"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "40.101.136.242",
"domain": "smtp.office365.com",
"ip": "40.101.136.242"
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"EXAMPLE.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"40.101.136.242"
]
},
"source": {
"address": "EXAMPLE.PROD.OUTLOOK.COM",
"domain": "EXAMPLE.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "EXAMPLE.PROD",
"top_level_domain": "COM"
}
}
{
"message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "10.19.65.1",
"domain": "10.19.65.1",
"ip": "10.19.65.1",
"port": 587
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"10.19.65.1"
],
"ip": [
"10.19.65.1"
]
}
}
{
"message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "163.172.55.8",
"domain": "smtp.example.org",
"ip": "163.172.55.8",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"163.172.55.8"
]
}
}
{
"message": "NOQUEUE: client=unknown[10.100.0.3]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "10.100.0.3",
"ip": "10.100.0.3"
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"10.100.0.3"
]
}
}
{
"message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)",
"event": {
"category": [
"email"
],
"reason": "unexpected EOF (Operation now in progress)",
"type": [
"info"
]
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"port": 10030
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
]
}
}
{
"message": "0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "mail2sms.smsbox.net",
"domain": "mail2sms.smsbox.net",
"ip": "127.0.0.1",
"port": 10025,
"registered_domain": "smsbox.net",
"subdomain": "mail2sms",
"top_level_domain": "net"
},
"email": {
"to": {
"address": [
"sms@mail2sms.smsbox.net"
]
}
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail2sms.smsbox.net"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "accept",
"outcome": "success",
"target": "network-traffic",
"type": "END-OF-MESSAGE"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org",
"mx.example.org"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "smtp-in.example.com",
"ip": "5.6.7.8",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp-in.example.com"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"file": {
"name": "image018.png",
"size": 162328
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org"
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix-nospam/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"smtp.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "127.0.0.1",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"newsletter@wine.com"
]
},
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix-nospam/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org",
"smtp.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "127.0.0.1",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "early-retry (10s missing)",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "early-retry (10s missing)",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "new",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "new",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "new",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "new",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4"
}
}
{
"message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client AWL",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AWL",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client whitelist",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client whitelist",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "triplet found",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "whitelisted: mx.example.org[1.2.3.4/32]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "whitelisted: unknown[1.2.3.4/32]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postgrey"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"test1@acme.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/qmgr"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"acme.com"
]
},
"source": {
"address": "acme.com",
"domain": "acme.com",
"registered_domain": "acme.com",
"top_level_domain": "com"
}
}
{
"message": "074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/qmgr"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"hrd.corp.com"
]
},
"source": {
"address": "hrd.corp.com",
"domain": "hrd.corp.com",
"registered_domain": "corp.com",
"subdomain": "hrd",
"top_level_domain": "com"
}
}
{
"message": "CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "srv.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"email": {
"to": {
"address": [
"f.lastname@corp.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"srv.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "1.1.1.1",
"ip": "1.1.1.1",
"port": 10025
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.1.1.1"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"hola@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"headers": {
"from": [
"EXAMPLE <[hola@example.org](mailto:hola@example.org)>",
"[noreply@example.org](mailto:noreply@example.org)"
]
}
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"test@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"headers": {
"from": [
"Example Mailbox <[test@example.org](mailto:test@example.org)>",
"[noreply@example.org](mailto:noreply@example.org)"
]
}
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "2F46A140256: replace: header From: \"Example Help\" <help@example.org: From: [help@example.org](mailto:help@example.org)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"<help@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"headers": {
"from": [
"\"Example Help\" <help@example.org",
"[help@example.org](mailto:help@example.org)"
]
}
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
"event": {
"category": [
"email"
],
"reason": "SASL LOGIN authentication failed: authentication failure",
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/cleanup"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "11.22.33.44",
"ip": "11.22.33.44"
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"log": {
"syslog": {
"appname": "-"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
"event": {
"category": [
"email"
],
"reason": "<abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8"
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "connect to mx.example.org[5.6.7.8]:25: No route to host",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.1.1.1",
"domain": "mail.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "exemple.com",
"ip": "1.1.1.1",
"port": 25
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtp"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"exemple.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.com"
],
"ip": [
"192.168.100.124"
]
},
"source": {
"address": "mx.example.com",
"domain": "mx.example.com",
"ip": "192.168.100.124",
"registered_domain": "example.com",
"subdomain": "mx",
"top_level_domain": "com"
}
}
{
"message": "lost connection after BDAT from mx.example.org[192.168.100.124]",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "BDAT"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"192.168.100.124"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "192.168.100.124",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known",
"event": {
"category": [
"email"
],
"reason": "Name or service not known",
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "5.6.7.8",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
"event": {
"category": [
"email"
],
"reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"192.168.100.132"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "192.168.100.132",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "lost connection after AUTH from unknown[1.1.1.1]",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "AUTH"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "connect from unknown[10.1.1.1] 88",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "connect",
"outcome": "success",
"target": "network-traffic"
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "10.1.1.1",
"ip": "10.1.1.1"
}
}
{
"message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.outbound.protection.outlook.com",
"domain": "mail.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.1.1.1",
"domain": "mx.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"log": {
"syslog": {
"appname": "postfix/smtpd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<11111111111111@uexample.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 44944
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45880
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 49594
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "(unknown)"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 46436
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 39504
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 37172
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 56082
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 51336
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 33278
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"test.com"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "test.com",
"domain": "test.com",
"ip": "127.0.0.1",
"port": 33620,
"registered_domain": "test.com",
"top_level_domain": "com"
}
}
{
"message": "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "127.0.0.1",
"port": 33620,
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "127.0.0.1",
"port": 53684,
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"test.host.test"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "test.host.test",
"domain": "test.host.test",
"ip": "127.0.0.1",
"port": 44702,
"subdomain": "test.host"
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 36236
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 41352
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 42678
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45060
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45920
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"log": {
"syslog": {
"appname": "spamd"
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 33254
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "statistics: max connection count 10 for (smtp:1.2.3.4) at Sep 11 10:47:30",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "2298F5F619: to=<admin@corp.com>, relay=none, delay=89758, delays=89758/0.02/0/0, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect to mail.corp.com[1.1.1.1]:25: Connection timed out) 215",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"admin@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "11FDF5F62A: to=<USER@sub.corp.com>, relay=local, delay=80181, delays=80181/0.02/0/0, dsn=4.0.0, status=deferred (user lookup error)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "sub.corp.com",
"domain": "sub.corp.com",
"registered_domain": "corp.com",
"subdomain": "sub",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"USER@sub.corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"sub.corp.com"
]
}
}
{
"message": "3D770111AF50: to=<username@corp.com>, relay=none, delay=1.2, delays=1.1/0/0.03/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=corp.com type=AAAA: Host not found)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "bounced",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"username@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "77EFFC0015: warning: header Content-Disposition: inline; filename=\"image003.jpg\"; size=26055;??creation-date=\"Thu, 12 Sep 2019 12:39:01 GMT\";??modification-date=\"Thu, 12 Sep 2019 12:40:01 GMT\" from mail.outbound.protection.outlook.com[1.1.1.1]; from=<> to=<john.doe@exemple.com> proto=ESMTP helo=<NAM03.outbound.protection.outlook.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "exemple.com",
"domain": "exemple.com",
"registered_domain": "exemple.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"john.doe@exemple.com"
]
}
},
"file": {
"created": "2019-09-12T12:39:01Z",
"ctime": "2019-09-12T12:40:01Z",
"name": "image003.jpg",
"size": 26055
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"exemple.com",
"mail.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.outbound.protection.outlook.com",
"domain": "mail.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "3D770111AF50: warning: header Subject: Manquants LASTNAME GB Nouvelle version from unknown[10.1.1.1]; from=<foo@corp.com> to=<first.last@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"foo@corp.com"
]
},
"to": {
"address": [
"first.last@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"SUBDOMAIN.CORP.COM",
"corp.com"
],
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "SUBDOMAIN.CORP.COM",
"domain": "SUBDOMAIN.CORP.COM",
"ip": "10.1.1.1",
"registered_domain": "CORP.COM",
"subdomain": "SUBDOMAIN",
"top_level_domain": "COM"
}
}
{
"message": "2CE6C111AF50: warning: header Subject: =?ISO-8859-1?Q?Pb_FTP_=3A_999_Aucune_action_effectu=E9e?= from unknown[10.1.1.1]; from=<email@corp.com> to=<email@corp.com> proto=ESMTP helo=<SUBDOMAIN.CORP.COM> 279",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"email@corp.com"
]
},
"to": {
"address": [
"email@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"SUBDOMAIN.CORP.COM",
"corp.com"
],
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "SUBDOMAIN.CORP.COM",
"domain": "SUBDOMAIN.CORP.COM",
"ip": "10.1.1.1",
"registered_domain": "CORP.COM",
"subdomain": "SUBDOMAIN",
"top_level_domain": "COM"
}
}
{
"message": "B4B613F8B7: warning: header Content-Disposition: inline; filename=\"image001.png\"; size=8879;??creation-date=\"Thu, 14 Mar 2024 10:19:00 GMT\";??modification-date=\"Thu, 14 Mar 2024 10:19:00 GMT\" from subdomain.key.corp.com[1.1.1.1]; from=<ndr.journaling@corp.com> to=<corp@office365.eu.vadesecure.com> proto=ESMTP helo=<subdomain.key.corp.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "office365.eu.vadesecure.com",
"domain": "office365.eu.vadesecure.com",
"registered_domain": "vadesecure.com",
"subdomain": "office365.eu",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"ndr.journaling@corp.com"
]
},
"to": {
"address": [
"corp@office365.eu.vadesecure.com"
]
}
},
"file": {
"created": "2024-03-14T10:19:00Z",
"ctime": "2024-03-14T10:19:00Z",
"name": "image001.png",
"size": 8879
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"office365.eu.vadesecure.com",
"subdomain.key.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "subdomain.key.corp.com",
"domain": "subdomain.key.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "subdomain.key",
"top_level_domain": "com"
}
}
{
"message": "707A12000A: warning: header Content-Disposition: attachment;??filename=\"?iso-8859-2?q?representative_on_migration.pdf?=\"; size=259210;?? from local; from=<photo@mordor.com> to=<Pipin.touque@lacomte.net>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "lacomte.net",
"domain": "lacomte.net",
"registered_domain": "lacomte.net",
"top_level_domain": "net"
},
"email": {
"from": {
"address": [
"photo@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"file": {
"name": "?iso-8859-2?q?representative_on_migration.pdf?=",
"size": 259210
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"lacomte.net",
"mordor.com"
]
},
"source": {
"address": "mordor.com",
"domain": "mordor.com",
"registered_domain": "mordor.com",
"top_level_domain": "com"
}
}
{
"message": "486D13F8B7: client=COMPUTER.sub.corp.com[1.1.1.1]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"COMPUTER.sub.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "COMPUTER.sub.corp.com",
"domain": "COMPUTER.sub.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "COMPUTER.sub",
"top_level_domain": "com"
}
}
{
"message": "8116C5F683: action=pass, reason=client whitelist, client_name=mail-corp123.outbound.protection.outlook.com, client_address=1.1.1.1/32, sender=firstname.lastname@corp.fr, recipient=firstname.lastname@corp2.fr",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client whitelist",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client whitelist",
"target": "network-traffic"
},
"destination": {
"address": "corp2.fr",
"domain": "corp2.fr",
"registered_domain": "corp2.fr",
"top_level_domain": "fr"
},
"email": {
"from": {
"address": [
"firstname.lastname@corp.fr"
]
},
"to": {
"address": [
"firstname.lastname@corp2.fr"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp2.fr",
"mail-corp123.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail-corp123.outbound.protection.outlook.com",
"domain": "mail-corp123.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail-corp123.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=0/1 quit=1 commands=3/4",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "53C2C140E40: host smtp.office365.com[1.1.1.1] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=P212321.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "1.1.1.1",
"domain": "smtp.office365.com",
"ip": "1.1.1.1"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"P212321.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "P212321.PROD.OUTLOOK.COM",
"domain": "P212321.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "P212321.PROD",
"top_level_domain": "COM"
}
}
{
"message": "53C2C140E40: host smtp.office365.com[52.97.201.210] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=1111111111111.US0394.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "52.97.201.210",
"domain": "smtp.office365.com",
"ip": "52.97.201.210"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1111111111111.US0394.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"52.97.201.210"
]
},
"source": {
"address": "1111111111111.US0394.PROD.OUTLOOK.COM",
"domain": "1111111111111.US0394.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "1111111111111.US0394.PROD",
"top_level_domain": "COM"
}
}
{
"message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"localhost"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "localhost",
"domain": "localhost",
"ip": "127.0.0.1"
}
}
{
"message": "disconnect from localhost[127.0.0.1] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7 93",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"localhost"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "localhost",
"domain": "localhost",
"ip": "127.0.0.1"
}
}
{
"message": "disconnect from unknown[1.1.1.1] ehlo=1 mail=1 rcpt=2 data=1 quit=1 commands=6 137",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "disconnect",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "EF0B15F675: to=<firstname.lastname@corp.com>, relay=spamfilter, delay=4.2, delays=1.6/0/0/2.6, dsn=2.0.0, status=sent (delivered via spamfilter service) 148",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "corp.com",
"domain": "corp.com",
"registered_domain": "corp.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"firstname.lastname@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
]
}
}
{
"message": "dns: new_dns_packet: domain is utf8 flagged: ns1.example.org",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "ns1.example.org",
"domain": "ns1.example.org",
"registered_domain": "example.org",
"subdomain": "ns1",
"top_level_domain": "org"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"ns1.example.org"
]
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "B84078B26C7: to=<foreman-proxy@example.com>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"to": {
"address": [
"foreman-proxy@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.com"
]
}
}
{
"message": "B84078B26C7: to=proxy@example.localdomain, orig_to=sample.orig.to, relay=local, delay=0.05, delays=0.04/0.02/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.localdomain",
"domain": "example.localdomain",
"subdomain": "example"
},
"email": {
"to": {
"address": [
"proxy@example.localdomain"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "sample.orig.to"
},
"related": {
"hosts": [
"example.localdomain"
]
}
}
{
"message": "04B953035FC2: to=john.doe@example.org, orig_to=jane.doe@example.com, relay=127.0.0.1:2525, delay=0.44, delays=0.13/0/0.02/0.29, dsn=2.0.0, status=sent (250 Ok)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"ip": "127.0.0.1",
"port": 2525,
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"john.doe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "jane.doe@example.com"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "476295F5AD: message-id=<aaaaaaaaaa=@pm.me>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "aaaaaaaaaa=@pm.me"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "123456789: message-id=<foo@corp.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "foo@corp.com"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "NOQUEUE: filter: RCPT from foo.key.corp.com[192.168.1.1]: <foo.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<foo.bar@subdomain.corp.com> to=<firstname.lastname@othercorp.com> proto=ESMTP helo=<foo.key.corp.com> 294",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "filter",
"outcome": "success",
"target": "network-traffic",
"type": "RCPT"
},
"destination": {
"address": "othercorp.com",
"domain": "othercorp.com",
"registered_domain": "othercorp.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"foo.bar@subdomain.corp.com"
]
},
"to": {
"address": [
"firstname.lastname@othercorp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"foo.key.corp.com",
"othercorp.com"
],
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "foo.key.corp.com",
"domain": "foo.key.corp.com",
"ip": "192.168.1.1",
"registered_domain": "corp.com",
"subdomain": "foo.key",
"top_level_domain": "com"
}
}
{
"message": "NOQUEUE: filter: RCPT from HOSTNAME.key.corp.com[192.168.1.1]: <HOSTNAME.key.corp.com[192.168.1.1]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<firstname.firstname@subdomain.corp.com> to=<firstname.lastname@corp2.com> proto=ESMTP helo=<HOSTNAME.key.corp.com> 299",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "filter",
"outcome": "success",
"target": "network-traffic",
"type": "RCPT"
},
"destination": {
"address": "corp2.com",
"domain": "corp2.com",
"registered_domain": "corp2.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"firstname.firstname@subdomain.corp.com"
]
},
"to": {
"address": [
"firstname.lastname@corp2.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"HOSTNAME.key.corp.com",
"corp2.com"
],
"ip": [
"192.168.1.1"
]
},
"source": {
"address": "HOSTNAME.key.corp.com",
"domain": "HOSTNAME.key.corp.com",
"ip": "192.168.1.1",
"registered_domain": "corp.com",
"subdomain": "HOSTNAME.key",
"top_level_domain": "com"
}
}
{
"message": "Anonymous TLS connection established to example.org[1.2.3.4]:25: TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4",
"port": 25
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
}
}
{
"message": "action=pass, reason=triplet found, delay=2400, client_name=mordor.com, client_address=1.1.1.1, sender=mechant@mordor.com, recipient=Pipin.touque@lacomte.net",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "triplet found",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"destination": {
"address": "lacomte.net",
"domain": "lacomte.net",
"registered_domain": "lacomte.net",
"top_level_domain": "net"
},
"email": {
"from": {
"address": [
"mechant@mordor.com"
]
},
"to": {
"address": [
"Pipin.touque@lacomte.net"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"lacomte.net",
"mordor.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mordor.com",
"domain": "mordor.com",
"ip": "1.1.1.1",
"registered_domain": "mordor.com",
"top_level_domain": "com"
}
}
{
"message": "action=pass, reason=client AAA, client_name=example.com, client_address=1.2.3.4, sender=Coyotte@acme.com, recipient=BIPBIP.NEWMAN@acme.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client AAA",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AAA",
"target": "network-traffic"
},
"destination": {
"address": "acme.com",
"domain": "acme.com",
"registered_domain": "acme.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"Coyotte@acme.com"
]
},
"to": {
"address": [
"BIPBIP.NEWMAN@acme.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"acme.com",
"example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.com",
"domain": "example.com",
"ip": "1.2.3.4",
"registered_domain": "example.com",
"top_level_domain": "com"
}
}
{
"message": "E43D43F838: uid=117 from=<no-reply@example.org>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"no-reply@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=ops@corp.com; receiver=<UNKNOWN> Reject action: 550 5.7.23 210",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"ops@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "corp.com",
"domain": "corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"noreply@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Neutral; identity=mailfrom; client-ip=1.2.3.4; helo=example.mail.protection.outlook.com; envelope-from=john.doem@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Neutral",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"john.doem@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.mail.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.mail.protection.outlook.com",
"domain": "example.mail.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.mail.protection",
"top_level_domain": "com"
}
}
{
"message": "None; identity=helo; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Pass; identity=helo; client-ip=1.2.3.4; helo=mail.example.org; envelope-from=<>; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mail.example.org",
"domain": "mail.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mail",
"top_level_domain": "org"
}
}
{
"message": "Pass; identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Permerror; identity=helo; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Permerror; identity=mailfrom; client-ip=1.2.3.4; helo=example.org; envelope-from=no-reply@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Permerror",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"no-reply@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "Softfail; identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=noreply@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Softfail",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"noreply@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=mx.example.com; envelope-from=prvs=30447fe13=no-reply@example.com; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"prvs=30447fe13=no-reply@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.com",
"domain": "mx.example.com",
"ip": "1.2.3.4",
"registered_domain": "example.com",
"subdomain": "mx",
"top_level_domain": "com"
}
}
{
"message": "prepend Received-SPF: Fail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Neutral (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: None (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "prepend Received-SPF: None (no SPF record) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Pass (sender SPF authorized) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Permerror (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Softfail (domain owner discourages use of this host) identity=helo; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "prepend Received-SPF",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "prepend Received-SPF: Softfail (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=smtp.example.org; envelope-from=jdoe@example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=11.22.33.44; helo=mta-11-22-33-44.example.or; envelope-from=doe@newsletter.example.org; receiver=<UNKNOWN>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"doe@newsletter.example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mta-11-22-33-44.example.or"
],
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "mta-11-22-33-44.example.or",
"domain": "mta-11-22-33-44.example.or",
"ip": "11.22.33.44",
"subdomain": "mta-11-22-33-44.example"
}
}
{
"message": "Pass; identity=mailfrom; client-ip=1.1.1.1; helo=mail.corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 131",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Pass",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"username@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.corp.com",
"domain": "mail.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "mail",
"top_level_domain": "com"
}
}
{
"message": "None; identity=helo; client-ip=1.1.1.1; helo=sub.corp.com; envelope-from=noreply@corp.com; receiver=<UNKNOWN> 128",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"noreply@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"sub.corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "sub.corp.com",
"domain": "sub.corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"subdomain": "sub",
"top_level_domain": "com"
}
}
{
"message": "Softfail; identity=mailfrom; client-ip=1.1.1.1; helo=corp.com; envelope-from=username@corp.com; receiver=<UNKNOWN> 120",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "Softfail",
"outcome": "success",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"username@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"corp.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "corp.com",
"domain": "corp.com",
"ip": "1.1.1.1",
"registered_domain": "corp.com",
"top_level_domain": "com"
}
}
{
"message": "Action: prepend: Text: Received-SPF: None (mailfrom) identity=mailfrom; client-ip=2.3.4.5; helo=[1.2.3.4]; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.2.3.4"
],
"ip": [
"2.3.4.5"
]
},
"source": {
"address": "1.2.3.4",
"domain": "1.2.3.4",
"ip": "2.3.4.5"
}
}
{
"message": "Action: prepend: Text: Received-SPF: None (no SPF record) identity=helo; client-ip=2.3.4.5; helo=posta.example.org; envelope-from=<>; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"posta.example.org"
],
"ip": [
"2.3.4.5"
]
},
"source": {
"address": "posta.example.org",
"domain": "posta.example.org",
"ip": "2.3.4.5",
"registered_domain": "example.org",
"subdomain": "posta",
"top_level_domain": "org"
}
}
{
"message": "Action: prepend: Text: Received-SPF: Pass (mailfrom) identity=mailfrom; client-ip=1.2.3.4; helo=example.outbound.protection.outlook.com; envelope-from=jdoe@example.org; receiver=<UNKNOWN> Reject action: 550 5.7.23",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "reject",
"outcome": "success",
"outcome_reason": "SPF validation failed",
"target": "network-traffic"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.outbound.protection.outlook.com"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "example.outbound.protection.outlook.com",
"domain": "example.outbound.protection.outlook.com",
"ip": "1.2.3.4",
"registered_domain": "outlook.com",
"subdomain": "example.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "7B082110A6E0: host smtp.office365.com[40.101.136.242] said: 432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "432 4.3.2 Concurrent connections limit exceeded. Visit https://aka.ms/concurrent_sending for more information. [Hostname=EXAMPLE.PROD.OUTLOOK.COM] (in reply to end of DATA command)",
"type": [
"info"
]
},
"action": {
"outcome": "success",
"outcome_reason": "The recipient`s Exchange Server incoming mail queue has been stopped",
"target": "network-traffic",
"type": "end of DATA"
},
"destination": {
"address": "40.101.136.242",
"domain": "smtp.office365.com",
"ip": "40.101.136.242"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"EXAMPLE.PROD.OUTLOOK.COM",
"smtp.office365.com"
],
"ip": [
"40.101.136.242"
]
},
"source": {
"address": "EXAMPLE.PROD.OUTLOOK.COM",
"domain": "EXAMPLE.PROD.OUTLOOK.COM",
"registered_domain": "OUTLOOK.COM",
"subdomain": "EXAMPLE.PROD",
"top_level_domain": "COM"
}
}
{
"message": "01B3A96050: Used TLS for 10.19.65.1[10.19.65.1]:587",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "10.19.65.1",
"domain": "10.19.65.1",
"ip": "10.19.65.1",
"port": 587
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"10.19.65.1"
],
"ip": [
"10.19.65.1"
]
}
}
{
"message": "023069605C: Used TLS for smtp.example.org[163.172.55.8]:25",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "163.172.55.8",
"domain": "smtp.example.org",
"ip": "163.172.55.8",
"port": 25
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp.example.org"
],
"ip": [
"163.172.55.8"
]
}
}
{
"message": "NOQUEUE: client=unknown[10.100.0.3]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "10.100.0.3",
"ip": "10.100.0.3"
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"10.100.0.3"
]
}
}
{
"message": "warning: read TCP map reply from 127.0.0.1:10030: unexpected EOF (Operation now in progress)",
"event": {
"category": [
"email"
],
"reason": "unexpected EOF (Operation now in progress)",
"type": [
"info"
]
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"port": 10030
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
]
}
}
{
"message": "0A90996059: to=<sms@mail2sms.smsbox.net>, relay=localhost[127.0.0.1]:10025, conn_use=3, delay=5.2, delays=0/0/0/5.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0BF0C9605C)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "mail2sms.smsbox.net",
"domain": "mail2sms.smsbox.net",
"ip": "127.0.0.1",
"port": 10025,
"registered_domain": "smsbox.net",
"subdomain": "mail2sms",
"top_level_domain": "net"
},
"email": {
"to": {
"address": [
"sms@mail2sms.smsbox.net"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail2sms.smsbox.net"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "proxy-accept: END-OF-MESSAGE: 250 2.0.0 Ok: queued as 7949396087; from=<jdoe@example.org> to=<jane.doe@example.org> proto=ESMTP helo=<mx.example.org>",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "accept",
"outcome": "success",
"target": "network-traffic",
"type": "END-OF-MESSAGE"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org",
"mx.example.org"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "D2D459605C: Used TLS for smtp-in.example.com[5.6.7.8]:25",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "smtp-in.example.com",
"ip": "5.6.7.8",
"port": 25
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"smtp-in.example.com"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "581B85F5B3: warning: header Content-Disposition: inline; filename=\"\"image018.png\"\"; size=162328;??creation-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\";??modification-date=\"\"Thu, 11 Apr 2024 07:53:08 GMT\"\" from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"file": {
"name": "image018.png",
"size": 162328
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "59B835F5AD: warning: header Content-Disposition: attachment;??filename=\"\"=?utf-8?B?111111111111111111111111111111111111111111111111111111111111?=? =?utf-8?B?222222222222222222222222222222222222222222222222222222222222?=? =?utf-8? from local; from=<jdoe@example.org> to=<jane.doe@example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "EBA403F815: message-id=<74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "74c99d8a-eb8b-4045-ae8e-6d3f6d51b41d@example.org"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "000FA5FD8F: prepend: header From: John Doe <jdoe@example.org> from localhost[127.0.0.1]; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: TRUE",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"smtp.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "127.0.0.1",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "008BB5FD76: prepend: header From: =?UTF-8?q?Cellier_du_P=C3=A9rigord?=??<newsletter@wine.com> from localhost[127.0.0.1]; from=<newsletter@wine.com> to=<jdoe@example.org> proto=ESMTP helo=<smtp.example.org>: X-NMFP-TRUST: FALSE",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"from": {
"address": [
"newsletter@wine.com"
]
},
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org",
"smtp.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "smtp.example.org",
"domain": "smtp.example.org",
"ip": "127.0.0.1",
"registered_domain": "example.org",
"subdomain": "smtp",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=early-retry (10s missing), client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "early-retry (10s missing)",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "early-retry (10s missing)",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=new, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "new",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "new",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=greylist, reason=new, client_name=unknown, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "new",
"type": [
"info"
]
},
"action": {
"name": "greylist",
"outcome": "success",
"outcome_reason": "new",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"domain": "example.org",
"ip": "1.2.3.4"
}
}
{
"message": "action=pass, reason=client AWL, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client AWL",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client AWL",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=pass, reason=client whitelist, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "client whitelist",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "client whitelist",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "action=pass, reason=triplet found, client_name=mx.example.org, client_address=1.2.3.4/32, sender=jdoe@example.org, recipient=jane.doe@example.com",
"event": {
"category": [
"email"
],
"outcome": "success",
"reason": "triplet found",
"type": [
"info"
]
},
"action": {
"name": "pass",
"outcome": "success",
"outcome_reason": "triplet found",
"target": "network-traffic"
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "whitelisted: mx.example.org[1.2.3.4/32]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "1.2.3.4",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "whitelisted: unknown[1.2.3.4/32]",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "89BE920002: from=<test1@acme.com>, size=152518, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"test1@acme.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"acme.com"
]
},
"source": {
"address": "acme.com",
"domain": "acme.com",
"registered_domain": "acme.com",
"top_level_domain": "com"
}
}
{
"message": "074955F67C: from=<bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com>, size=4303, nrcpt=1 (queue active)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"bounce+41deb4.277afa-Heather.STEWART=corp.com@hrd.corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"hrd.corp.com"
]
},
"source": {
"address": "hrd.corp.com",
"domain": "hrd.corp.com",
"registered_domain": "corp.com",
"subdomain": "hrd",
"top_level_domain": "com"
}
}
{
"message": "CA9311112C08: to=<f.lastname@corp.com>, relay=srv.corp.com[1.1.1.1]:25, delay=8.4, delays=7.6/0/0.31/0.47, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4TwNdH5zwCz7fxV) 257",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "srv.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"email": {
"to": {
"address": [
"f.lastname@corp.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"srv.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "56E28C0007: to=<rob@exemple.com>, relay=1.1.1.1[1.1.1.1]:10025, delay=0.63, delays=0.57/0/0.05/0.01, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as DF82A21108)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "1.1.1.1",
"ip": "1.1.1.1",
"port": 10025
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"1.1.1.1"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "95BCC140E40: replace: header From: EXAMPLE <[hola@example.org](mailto:hola@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"hola@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"headers": {
"from": [
"EXAMPLE <[hola@example.org](mailto:hola@example.org)>",
"[noreply@example.org](mailto:noreply@example.org)"
]
}
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "95BCC140E40: replace: header From: Example Mailbox <[test@example.org](mailto:test@example.org)>: From: [noreply@example.org](mailto:noreply@example.org)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"test@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"headers": {
"from": [
"Example Mailbox <[test@example.org](mailto:test@example.org)>",
"[noreply@example.org](mailto:noreply@example.org)"
]
}
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "2F46A140256: replace: header From: \"Example Help\" <help@example.org: From: [help@example.org](mailto:help@example.org)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"from": {
"address": [
"<help@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"headers": {
"from": [
"\"Example Help\" <help@example.org",
"[help@example.org](mailto:help@example.org)"
]
}
},
"related": {
"hosts": [
"example.org"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "warning: unknown[11.22.33.44]: SASL LOGIN authentication failed: authentication failure",
"event": {
"category": [
"email"
],
"reason": "SASL LOGIN authentication failed: authentication failure",
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"11.22.33.44"
]
},
"source": {
"address": "11.22.33.44",
"ip": "11.22.33.44"
}
}
{
"message": "175127B26C7: to=<jdoe@example.org>, orig_to=<foreman-proxy>, relay=local, delay=0.05, delays=0.04/0.01/0/0, dsn=2.0.0, status=sent (delivered to mailbox)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "foreman-proxy"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "1176E3F820: to=<jdoe@example.org>, orig_to=<dmarc@example.org>, relay=spamfilter, delay=3.3, delays=0.78/0/0/2.5, dsn=2.0.0, status=sent (delivered via spamfilter service)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"target": "network-traffic"
},
"destination": {
"address": "example.org",
"domain": "example.org",
"registered_domain": "example.org",
"top_level_domain": "org"
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"postfix": {
"orig_to": "dmarc@example.org"
},
"related": {
"hosts": [
"example.org"
]
}
}
{
"message": "7B3643F820: to=<jdoe@example.org>, relay=127.0.0.1[127.0.0.1]:10025, delay=0.08, delays=0.03/0/0.01/0.05, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 837B35FD17)",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "sent",
"outcome": "success",
"outcome_reason": "success",
"target": "network-traffic"
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"email": {
"to": {
"address": [
"jdoe@example.org"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "05BC43F81E: host mx.example.org[5.6.7.8] said: 421 4.3.0 Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
"event": {
"category": [
"email"
],
"reason": "Upstream error, please check https://example.com/email-routing/postmaster for possible reasons why. yrtPbwx4hZz2 (in reply to end of DATA command)",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "30D713F81F: host mx.example.org[5.6.7.8] said: 450 4.1.1 <abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
"event": {
"category": [
"email"
],
"reason": "<abuse@example.com>: Recipient address rejected: unverified address: Mailbox might be disabled, full, or may not exist on the server. Reason: JFE030050 (in reply to RCPT TO command)",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "connect to mx.example.org[5.6.7.8]:25: No route to host",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"domain": "mx.example.org",
"ip": "5.6.7.8",
"port": 25
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
}
}
{
"message": "connect to mail.corp.com[1.1.1.1]:25: Connection timed out 125",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.1.1.1",
"domain": "mail.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "96887C0006: to=<rob@exemple.com>, relay=exemple.com[1.1.1.1]:25, delay=354776, delays=354775/0/0.9/0.16, dsn=4.3.1, status=deferred (host exemple.com[1.1.1.1] said: 452 4.3.1 Insufficient system storage (in reply to MAIL FROM command))",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "deferred",
"outcome": "success",
"outcome_reason": "The recipient`s mail server is experiencing a Disk Full condition",
"target": "network-traffic"
},
"destination": {
"address": "1.1.1.1",
"domain": "exemple.com",
"ip": "1.1.1.1",
"port": 25
},
"email": {
"to": {
"address": [
"rob@exemple.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"exemple.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "021C03F820: filter: RCPT from mx.example.org[192.168.100.124]: <mx.example.org[192.168.100.124]>: Client host triggers FILTER smtp:[127.0.0.1]:10025; from=<jdoe@example.org> to=<jane.doe@example.com> proto=ESMTP helo=<mx.example.com>",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "example.com",
"domain": "example.com",
"registered_domain": "example.com",
"top_level_domain": "com"
},
"email": {
"from": {
"address": [
"jdoe@example.org"
]
},
"to": {
"address": [
"jane.doe@example.com"
]
}
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.com",
"mx.example.com"
],
"ip": [
"192.168.100.124"
]
},
"source": {
"address": "mx.example.com",
"domain": "mx.example.com",
"ip": "192.168.100.124",
"registered_domain": "example.com",
"subdomain": "mx",
"top_level_domain": "com"
}
}
{
"message": "lost connection after BDAT from mx.example.org[192.168.100.124]",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "BDAT"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"192.168.100.124"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "192.168.100.124",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "warning: hostname mx.example.org does not resolve to address 5.6.7.8: Name or service not known",
"event": {
"category": [
"email"
],
"reason": "Name or service not known",
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"5.6.7.8"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "5.6.7.8",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "warning: mx.example.org[192.168.100.132]: SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
"event": {
"category": [
"email"
],
"reason": "SASL LOGIN authentication failed: authentication failure, sasl_username=john.doe@exmaple.org",
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"192.168.100.132"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "192.168.100.132",
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "lost connection after AUTH from unknown[1.1.1.1]",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "lost connection",
"outcome": "success",
"target": "network-traffic",
"type": "AUTH"
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "1.1.1.1",
"ip": "1.1.1.1"
}
}
{
"message": "connect from unknown[10.1.1.1] 88",
"event": {
"category": [
"email"
],
"outcome": "success",
"type": [
"info"
]
},
"action": {
"name": "connect",
"outcome": "success",
"target": "network-traffic"
},
"network": {
"protocol": "smtp"
},
"related": {
"ip": [
"10.1.1.1"
]
},
"source": {
"address": "10.1.1.1",
"ip": "10.1.1.1"
}
}
{
"message": "Trusted TLS connection established from mail.outbound.protection.outlook.com[1.1.1.1]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mail.outbound.protection.outlook.com"
],
"ip": [
"1.1.1.1"
]
},
"source": {
"address": "mail.outbound.protection.outlook.com",
"domain": "mail.outbound.protection.outlook.com",
"ip": "1.1.1.1",
"registered_domain": "outlook.com",
"subdomain": "mail.outbound.protection",
"top_level_domain": "com"
}
}
{
"message": "Trusted TLS connection established to mx.corp.com[1.1.1.1]:25: TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "1.1.1.1",
"domain": "mx.corp.com",
"ip": "1.1.1.1",
"port": 25
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.corp.com"
],
"ip": [
"1.1.1.1"
]
}
}
{
"message": "Trusted TLS connection established to 127.0.0.1[127.0.0.1]:10025: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256 201",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 10025
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
]
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,SPF_HELO_NONE,SPF_PASS,T_KAM_HTML_FONT_INVALID scantime=3.4,size=120289,user=debian-spamd,uid=119,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=44944,mid=<11111111111111@uexample.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<11111111111111@uexample.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 44944
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FORGED_HOTMAIL_RCVD2,FREEMAIL_FROM,HTML_IMAGE_RATIO_04,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.7,size=102578,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45880,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45880
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,FREEMAIL_REPLYTO_END_DIGIT,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_DNSWL_NONE,SPF_HELO_PASS,SPF_PASS,T_FREEMAIL_DOC_PDF scantime=4.7,size=2252595,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=49594,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 49594
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DMARC_PASS,MIME_HEADER_CTYPE_ONLY,MISSING_DATE,MISSING_MID,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=4260,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=46436,mid=(unknown),autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "(unknown)"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 46436
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=8094,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=39504,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 39504
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=61589,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=37172,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 37172
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - HTML_FONT_LOW_CONTRAST,HTML_IMAGE_RATIO_08,HTML_MESSAGE,LOTS_OF_MONEY,MIME_HTML_MOSTLY,MPART_ALT_DIFF,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS scantime=3.3,size=164381,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=56082,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 56082
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,HTML_OBFUSCATE_05_10,MIME_HTML_ONLY,SPF_HELO_PASS,SPF_PASS scantime=2.5,size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=51336,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 51336
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -6 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_MED,SPF_HELO_PASS,SPF_PASS scantime=2.6,size=7882,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33278,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 33278
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: connection from test.com [127.0.0.1]:33620 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"test.com"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "test.com",
"domain": "test.com",
"ip": "127.0.0.1",
"port": 33620,
"registered_domain": "test.com",
"top_level_domain": "com"
}
}
{
"message": "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"mx.example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "mx.example.org",
"domain": "mx.example.org",
"ip": "127.0.0.1",
"port": 33620,
"registered_domain": "example.org",
"subdomain": "mx",
"top_level_domain": "org"
}
}
{
"message": "spamd: connection from example.org [127.0.0.1]:53684 to port 783, fd 5",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"destination": {
"port": 783
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"example.org"
],
"ip": [
"127.0.0.1"
]
},
"source": {
"address": "example.org",
"domain": "example.org",
"ip": "127.0.0.1",
"port": 53684,
"registered_domain": "example.org",
"top_level_domain": "org"
}
}
{
"message": "spamd: processing message <!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "!&!AAAAAAAAAAAYAAAAAAAAA111111111111111111111111111111111/22222222222222/u47tEBAAAAAA==@example.org"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr> for debian-spamd:117",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "!&!AAAAAAAAAAAuAAAAAAAAAOC333333333333333333333333333333333333333q555555555555555555555555555555555555555555555555=@yahoo.fr"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "0113018ecc14540b-4a312890-d3e4-4332-887c-1d5be7521aa1-000000@eu-west-3.amazonses.com"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com> for debian-spamd:118",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "55555555555555555555555555555555555-8nmAAKsF_9_U+fg@mail.gmail.com"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: processing message <66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM> for debian-spamd:117",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "66666666666666666666666666666666666666@EXAMPLE.PROD.OUTLOOK.COM"
},
"network": {
"protocol": "smtp"
}
}
{
"message": "spamd: result: . -1 - AC_DIV_BONANZA,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,URI_NOVOWEL scantime=3.2,size=209868,user=debian-spamd,uid=117,required_score=5.0,rhost=test.host.test,raddr=127.0.0.1,rport=44702,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"test.host.test"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "test.host.test",
"domain": "test.host.test",
"ip": "127.0.0.1",
"port": 44702,
"subdomain": "test.host"
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - ANY_BOUNCE_MESSAGE,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,OOOBOUNCE_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.7,size=14228,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=36236,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 36236
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - APOSTROPHE_FROM,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS scantime=4.9,size=575869,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=41352,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 41352
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DEAR_SOMETHING,DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,PDS_BTC_ID,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_NONE scantime=5.3,size=468649,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=42678,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 42678
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DEAR_SOMETHING,DMARC_PASS,HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,RCVD_IN_DNSWL_LOW,SPF_HELO_NONE,SPF_PASS scantime=2.8,size=3254,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45060,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45060
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FORGED_SPF_HELO,HTML_MESSAGE,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE scantime=2.3,size=10467,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=45920,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 45920
},
"user": {
"name": "debian-spamd"
}
}
{
"message": "spamd: result: . -1 - DKIM_INVALID,DKIM_SIGNED,HEADER_FROM_DIFFERENT_DOMAINS,HTML_FONT_LOW_CONTRAST,HTML_MESSAGE,MIME_HTML_ONLY,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,T_REMOTE_IMAGE scantime=2.9,size=65264,user=debian-spamd,uid=117,required_score=5.0,rhost=127.0.0.1,raddr=127.0.0.1,rport=33254,mid=<111111111111111111111111111111111111@mx.example.org>,autolearn=disabled",
"event": {
"category": [
"email"
],
"type": [
"info"
]
},
"email": {
"message_id": "<111111111111111111111111111111111111@mx.example.org>"
},
"network": {
"protocol": "smtp"
},
"related": {
"hosts": [
"127.0.0.1"
],
"ip": [
"127.0.0.1"
],
"user": [
"debian-spamd"
]
},
"source": {
"address": "127.0.0.1",
"domain": "127.0.0.1",
"ip": "127.0.0.1",
"port": 33254
},
"user": {
"name": "debian-spamd"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.
Name | Type | Description |
---|---|---|
action.target | keyword | |
destination.address | keyword | Destination network address. |
destination.domain | keyword | The domain name of the destination. |
destination.ip | ip | IP address of the destination. |
destination.port | long | Port of the destination. |
email.from.address | keyword | The sender's email address. |
email.message_id | wildcard | Value from the Message-ID header. |
email.to.address | keyword | Email address of the recipient. |
event.category | keyword | Event category. The second categorization field in the hierarchy. |
event.reason | keyword | Reason why this event happened, according to the source. |
event.type | keyword | Event type. The third categorization field in the hierarchy. |
file.created | date | File creation time. |
file.ctime | date | Last time the file attributes or metadata changed. |
file.name | keyword | Name of the file including the extension, without the directory. |
file.size | long | File size in bytes. |
network.protocol | keyword | Application protocol name. |
postfix.headers.from | array | |
postfix.orig_to | keyword | |
source.address | keyword | Source network address. |
source.domain | keyword | The domain name of the source. |
source.ip | ip | IP address of the source. |
source.port | long | Port of the source. |
user.name | keyword | Short name or login of the user. |
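As an added example (not Sekoia.io's own parser), the Python below maps the two spamd line shapes shown in the samples above, `spamd: result:` and `spamd: connection from`, onto the ECS-style fields listed in the table. The `spamd` block carrying score, threshold, verdict and fired tests is an assumed extension beyond the listed fields, and the public-suffix-derived `registered_domain`, `subdomain` and `top_level_domain` are left out because they need a public suffix list.

```python
import re

# Constructed sample lines, modelled on the parsed samples above.
RESULT_LINE = ("spamd: result: . -1 - HTML_MESSAGE,SPF_HELO_PASS,SPF_PASS scantime=2.5,"
               "size=1572,user=debian-spamd,uid=118,required_score=5.0,rhost=127.0.0.1,"
               "raddr=127.0.0.1,rport=51336,mid=<111@mx.example.org>,autolearn=disabled")
CONN_LINE = "spamd: connection from mx.example.org [127.0.0.1]:33620 to port 783, fd 5"

# spamd writes '.' for ham and 'Y' for spam, then the score, then the fired tests
RESULT_RE = re.compile(r"^spamd: result: (?P<verdict>[.Y]) (?P<score>-?\d+(?:\.\d+)?) - "
                       r"(?P<tests>\S*) (?P<kv>.+)$")
CONN_RE = re.compile(r"^spamd: connection from (?P<host>\S+) \[(?P<ip>[^\]]+)\]:"
                     r"(?P<port>\d+) to port (?P<dport>\d+)")

def _base(host, ip, port):
    """Fields common to both line types, laid out as in the samples above."""
    return {
        "event": {"category": ["email"], "type": ["info"]},
        "network": {"protocol": "smtp"},
        "related": {"hosts": [host], "ip": [ip]},
        "source": {"address": host, "domain": host, "ip": ip, "port": int(port)},
    }

def parse_spamd(line):
    """Return the ECS-style dict for one spamd line, or None if unrecognised."""
    m = RESULT_RE.match(line)
    if m:
        # key=value pairs are comma separated; 'mid' keeps its angle brackets
        kv = dict(item.split("=", 1) for item in m["kv"].split(",") if "=" in item)
        doc = _base(kv["rhost"], kv["raddr"], kv["rport"])
        doc["email"] = {"message_id": kv["mid"]}
        doc["related"]["user"] = [kv["user"]]
        doc["user"] = {"name": kv["user"]}
        # assumed extension: not a field the page's table lists, but what a
        # detection rule on spam verdicts would key on
        doc["spamd"] = {
            "score": float(m["score"]),
            "required_score": float(kv["required_score"]),
            "is_spam": m["verdict"] == "Y",
            "tests": [t for t in m["tests"].split(",") if t],
        }
        return doc
    m = CONN_RE.match(line)
    if m:
        doc = _base(m["host"], m["ip"], m["port"])
        doc["destination"] = {"port": int(m["dport"])}
        return doc
    return None
```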
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.