A Brief Analysis of Mail Logs (2)
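Among these columns, there are two whose values we need to understand in particular:
MSGID identifies the current message and stays the same throughout the message's entire lifecycle. For example, in the two records above, the MSGID is E830238C2711FB4BA337AD16A10C626F57CF@TEST01.TEST.GTSC in both. We can therefore use it to determine whether records belong to the same message.
Event-ID indicates the type of the event being recorded. From submission until sending completes, a message passes through different stages and events, for example: SMTP: Message Submitted to Categorizer, SMTP: Started Outbound Transfer of Message. Each event has a corresponding Event-ID, which is what makes it possible to trace the message's flow accurately.
Here we list all the events you may encounter on an Exchange 2003 server, to help you better understand the contents of the tracking log.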
| ID | Description |
|---|---|
| 0 | The message was received from a server, connector, or gateway. |
| 1 | An X.400 Probe was received from a gateway, link, or MTA. |
| 2 | A delivery receipt or NDR was received from a server, connector, or gateway. |
| 4 | The message was sent by the client. |
| 5 | An X.400 Probe was received from a user. |
| 6 | An X.400 Probe was sent to a gateway, link, or MTA. |
| 7 | The message was sent to a server, connector, or gateway. |
| 8 | A delivery receipt or NDR was sent to a server, connector, or gateway. |
| 9 | The message was delivered to a mailbox or public folder. |
| 10 | A delivery receipt or NDR was delivered to a mailbox. |
| 18 | StartAssocByMTSUser |
| 23 | ReleaseAssocByMTSUser |
| 26 | A recipient distribution list was expanded so the message could be sent to different addresses. |
| 28 | The message was sent to a mailbox other than those of the recipients. |
| 29 | The message was routed to an alternate path. |
| 31 | An X.400 message was downgraded to 1984 format prior to relay. |
| 33 | The number of delivery receipts or NDRs exceeded a threshold, and the reports were deleted. |
| 34 | A delivery receipt or NDR was created. |
| 43 | A delivery receipt or NDR could not be routed and was deleted from the queue. |
| 50 | The administrator deleted an X.400 message queued for a gateway. |
| 51 | The administrator deleted an X.400 probe queued for a gateway. |
| 52 | The administrator deleted an X.400 report queued for a gateway. |
| 1000 | The sender and recipient are on the same server. |
| 1001 | Mail was received from another MAPI system across a connector or gateway. |
| 1002 | Mail was sent to another MAPI system across a connector or gateway. |
| 1003 | The message was sent through a gateway. |
| 1004 | The message was received from a gateway. |
| 1005 | A delivery receipt or NDR was received from a gateway. |
| 1006 | A delivery receipt or NDR was sent through a gateway. |
| 1007 | A gateway generated an NDR for a message. |
| 1010 | Outbound mail was queued for delivery by the Internet Mail Service. |
| 1011 | Outbound mail was transferred to an Internet recipient. |
| 1012 | Inbound mail was received by the Internet Mail Service. |
| 1013 | Inbound mail received by the Internet Mail Service was transferred to the Information Store. |
| 1014 | An Internet message is being rerouted or forwarded to the proper location. |
| 1015 | A delivery receipt or NDR was received by the Internet Mail Service. |
| 1016 | A delivery receipt or NDR was sent to the Internet Mail Service. |
| 1017 | A delivery receipt or NDR was created. |
| 1018 | The receipt or NDR could not be delivered, and was absorbed. (It is not possible to send an NDR for an NDR.) |
| 1019 | SMTP: Message Submitted to Advanced Queuing |
| 1020 | SMTP: Started Outbound Transfer of Message |
| 1021 | SMTP: Message Sent to Badmail |
| 1022 | SMTP: Advanced Queue Failure |
| 1023 | SMTP: Message Delivered Locally |
| 1024 | SMTP: Message Submitted to Categorizer |
| 1025 | SMTP: Started Message Submission to Advanced Queue |
| 1026 | SMTP: Advanced Queue Failed to Deliver Message |
| 1027 | SMTP Store Driver: Message Submitted from Store |
| 1028 | SMTP Store Driver: Message Delivered Locally to Store |
| 1029 | SMTP Store Driver Submitted Message to MTA |
| 1030 | SMTP: Non-Delivered Report (NDR) Generated |
| 1031 | SMTP: Ending Outbound Transfer |
| 1032 | SMTP Message Scheduled to Retry Categorization |
| 1033 | SMTP Message Categorized and Queued for Routing |
| 1034 | SMTP Message Routed and Queued for Remote Delivery |
| 1035 | SMTP Message Scheduled to Retry Routing |
| 1036 | SMTP Message Queued for Local Delivery |
| 1037 | SMTP Message Scheduled to Retry Local Delivery |
| 1038 | SMTP Message Routed and Queued for Gateway Delivery |
| 1039 | SMTP Message deleted by Intelligent Message Filtering |
| 1040 | SMTP Message rejected by Intelligent Message Filtering |
| 1041 | SMTP Message archived by Intelligent Message Filtering |
| 1042 | Message redirected to the alternate recipient |
| 1043 | Invalid Event Type |
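How to analyze message tracking logs
Once the format of the tracking log is understood, analyzing the data in it is no longer difficult. We can read the log records line by line and compute statistics over the relevant fields. For reasons of space, this article discusses only one statistics scenario: how to count the senders of mail and the number of messages each of them sent, with sample code (written in VBScript) provided for reference.
A single message can go through several events before it is successfully sent. As a result, one message can correspond to several records in the log. How to tell these records apart effectively and avoid counting a message more than once is the first problem we should consider. As mentioned earlier, MSGID is the identifier that stays with a message throughout its lifecycle, so we can use it to distinguish different messages. Our basic approach is therefore: create a collection object and store MSGIDs in it. When a new record is read, we look it up in the collection. If the MSGID already exists, the message has already been counted and we can ignore the record. Otherwise, we insert the MSGID into the collection and count the message.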
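
The deduplication approach described above, as an added Python example (it is not the article's VBScript sample). It assumes tab-separated records, a `#`-prefixed header line that names the columns, and a sender column called `Sender-Address`; the log lines, addresses, and MSGIDs are constructed.

```python
import csv
from collections import Counter

# Constructed sample log. Assumed layout: tab-separated fields and a "#" header
# line naming the columns; the "Sender-Address" column name is an assumption.
SAMPLE_LOG = (
    "# Message Tracking Log File\n"
    "# Date\tTime\tEvent-ID\tMSGID\tSender-Address\n"
    "2008-1-1\t1:00:00 GMT\t1027\tMSG-0001@mail.example.test\talice@example.test\n"
    "2008-1-1\t1:00:01 GMT\t1019\tMSG-0001@mail.example.test\talice@example.test\n"
    "2008-1-1\t1:00:02 GMT\t1024\tMSG-0001@mail.example.test\talice@example.test\n"
    "2008-1-1\t1:05:00 GMT\t1027\tMSG-0002@mail.example.test\tAlice@example.test\n"
    "2008-1-1\t1:06:00 GMT\t1027\tMSG-0003@mail.example.test\tbob@example.test\n"
    "2008-1-1\t1:06:01 GMT\t1020\tMSG-0003@mail.example.test\tbob@example.test\n"
    "2008-1-1\t1:07:00 GMT\t1031\n"  # truncated record: must be skipped
)

def count_messages_by_sender(lines, id_col="MSGID", sender_col="Sender-Address"):
    """Return a Counter {sender: distinct messages}, counting each MSGID once."""
    seen = set()        # the "collection object" holding MSGIDs already counted
    counts = Counter()
    columns = None      # (MSGID index, sender index), learned from the header
    for row in csv.reader(lines, delimiter="\t", quoting=csv.QUOTE_NONE):
        if not row:
            continue
        if row[0].startswith("#"):
            names = [c.strip() for c in row]
            names[0] = names[0].lstrip("# ")
            if id_col in names and sender_col in names:
                columns = (names.index(id_col), names.index(sender_col))
            continue
        if columns is None or len(row) <= max(columns):
            continue    # no usable header yet, or a truncated record
        msgid = row[columns[0]].strip()
        if not msgid or msgid in seen:
            continue    # later event of a message that was already counted
        seen.add(msgid)
        # The sender is taken from the first record seen for this MSGID.
        counts[row[columns[1]].strip().lower()] += 1
    return counts

if __name__ == "__main__":
    for sender, n in count_messages_by_sender(SAMPLE_LOG.splitlines()).most_common():
        print(f"{sender}\t{n}")
```

For a log file on disk, pass the open file object in place of `SAMPLE_LOG.splitlines()`.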
