> A "normal" ESMTP session with vrfy:
>
>     ehlo=1/1 vrfy=1/1 quit=1/1
>
> An "abnormal" session that drops after 10 rejected AUTH commands:
>
>     ehlo=1/1 auth=0/10
>
> The logging shows only counters for commands that were actually
> issued. To save space we could replace "n/n" (two identical numbers)
> with just "n". I don't know if this would actually simplify parsing.

On second consideration, the main benefit is that anomalies become
easier to recognize. This is best demonstrated with a few examples:

- "normal" ESMTP session with vrfy:

    ehlo=1 vrfy=1 quit=1

- "abnormal" session that drops after 10 rejected AUTH commands:

    ehlo=1 auth=0/10

Note that the "/" appears only when there is an anomaly. Here, the
number of "good" auth commands (0) differs from the total number of
auth commands (10).

In a logfile analyzer, anomalies would match 'disconnect.*=\d+/\d+'
(perl or pcre syntax).

I think that we have a winner.

	Wietse
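
The logfile-analyzer check described in the message above, as an added example that is not part of the original post or of Postfix's own code: it parses the per-command counters from disconnect lines and reports how many commands of each kind were rejected. The sample log lines, host names and addresses are constructed, and the function names `parse_counters` and `anomalies` are hypothetical.

```python
import re

# The pattern quoted in the message: a disconnect line with a good/total counter.
ANOMALY_RE = re.compile(r'disconnect.*=\d+/\d+')
CLIENT_RE = re.compile(r'disconnect from (\S+)')
# One counter: name=good/total, or name=n when good equals total.
COUNTER_RE = re.compile(r'\b([a-z]+)=(\d+)(?:/(\d+))?(?=\s|$)')

# Constructed sample log lines (hosts and addresses are documentation values).
SAMPLE_LOG = [
    "Jan 10 10:00:01 mx postfix/smtpd[2101]: disconnect from "
    "mail.example.org[192.0.2.5] ehlo=1 vrfy=1 quit=1",
    "Jan 10 10:00:07 mx postfix/smtpd[2102]: disconnect from "
    "unknown[198.51.100.23] ehlo=1 auth=0/10",
    "Jan 10 10:00:09 mx postfix/smtpd[2103]: connect from "
    "unknown[198.51.100.23]",
    "Jan 10 10:00:12 mx postfix/smtpd[2104]: disconnect from "
    "client.example.net[203.0.113.9] ehlo=1 mail=1 rcpt=1/3 data=1 quit=1",
]

def parse_counters(line):
    """Return {command: (good, total)} for a disconnect line, else {}."""
    m = CLIENT_RE.search(line)
    if not m:
        return {}
    counters = {}
    for name, good, total in COUNTER_RE.findall(line[m.end():]):
        # A bare "n" means every command of that kind succeeded (n/n).
        counters[name] = (int(good), int(total or good))
    return counters

def anomalies(lines):
    """Return [(client, {command: rejected})] for sessions with rejections."""
    found = []
    for line in lines:
        rejected = {cmd: total - good
                    for cmd, (good, total) in parse_counters(line).items()
                    if total != good}
        if rejected:
            found.append((CLIENT_RE.search(line).group(1), rejected))
    return found

if __name__ == "__main__":
    for client, rejected in anomalies(SAMPLE_LOG):
        print(client, rejected)
    # The structural check flags the same lines as the quoted regex.
    assert [bool(ANOMALY_RE.search(l)) for l in SAMPLE_LOG] == \
           [bool(anomalies([l])) for l in SAMPLE_LOG]
```
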