Mail Server Log of Sample SMTP session

This is a log from the mail.hypertouch.com mail server of the sample mail session in which I manually sent mail to the Hypertouch mail server computer (mail.hypertouch.com) using the same commands that the spammer did.


What the sender (e.g. the spammer) sends to the mail server is in Bold Red font.
What the mail server sends out to the sender is in Underlined Blue font.
Comments are in Green Italics font. Each comment refers to the line(s) immediately beneath the comment.


First, somebody is calling us; see who it is and open a line:
02:35:56 5 SMTP-750() Stream Created 
02:35:56 5 SMTP(750) Resolver Created
02:35:56 4 SMTP Line 750 created for answering
It is someone at the address "36.37.0.13":
02:35:56 4 SMTP-750() Got connection from [36.37.0.13:39891]
We have a connection:
02:35:56 4 SMTP(tcp) Connection accepted from [36.37.0.13:39891], seq=554, 9/10 
Next, we (the mail server at 209.31.44.214) tell them (located at 36.37.0.13) what program we are (Stalker Internet Mail Server V.1.8b3) and tell the sender three things:
  1. We understand ESMTP (Extended Simple Mail Transport Protocol; SMTP is what is used to transmit email on the internet).
  2. 'You're welcome' to an implied 'Thank you for talking to me even though I am a stranger'.
  3. "No unsolic" is the beginning of "No unsolicited email ads or violating Calf Bus Sect 17538", which is sent out but not recorded fully in the log due to limitations in this version of the server. The next version of the server (V.1.8b5) will record the whole message that is sent out.
    02:35:56 4 SMTP-750([36.37.0.13]) Sending 220-Stalker Internet Mail Server V.1.8b3 is ready.\r\n(1)220 ESMTP is spoken here. (2)You are welcome (3)No unsolic
    02:35:56 5 SMTP-750([36.37.0.13]) OT 153 of 153 bytes sent, Flags=0
    02:35:56 5 SMTP-750([36.37.0.13]) *Status=22
    02:36:51 5 SMTP-750([36.37.0.13]) Received 26 bytes
    Next, they tell us their name:
    02:36:51 4 SMTP-750([36.37.0.13]) Input Line: HELO Made-Up-Name-desk98\r
    02:36:51 5 SMTP-750([36.37.0.13]) *Status=21
    We look up the name they gave us, which should be a hostname (e.g., mail.gotnet.net):
    02:36:51 4 SMTP-750(Made-Up-Name-desk98) Looking for Made-Up-Name-desk98
    We can't find their name, so all we really know for sure is that their IP address is 36.37.0.13:
    02:36:52 3 SMTP-750(Made-Up-Name-desk98) Failed to verify. Real address is [36.37.0.13:39891]
    Their name is probably fake, but we're polite so we say it nicely... 
    02:36:52 4 SMTP-750(Made-Up-Name-desk98) Sending 250 209.31.44.214 cannot verify Made-Up-Name-desk98\r\n
    02:36:52 5 SMTP-750(Made-Up-Name-desk98) OT 53 of 53 bytes sent, Flags=0
    02:36:52 5 SMTP-750([36.37.0.13]) *Status=22
    02:37:45 5 SMTP-750([36.37.0.13]) Received 50 bytes
    
    Next, we talk about the particular email message they want to give us.
    First, they give the MAIL FROM command and tell us who the email is from:
    02:37:45 4 SMTP-750([36.37.0.13]) Input Line: MAIL FROM:<Made-Up-Name-emailplus@321media.com> \r
    02:37:45 5 SMTP-750([36.37.0.13]) *Status=25
    02:37:45 5 SMTP-750([36.37.0.13]) *Status=26
    02:37:45 4 SMTP-750([36.37.0.13]) Sending 250 <Made-Up-Name-emailplus@321media.com>  sender accepted\r\n
    02:37:45 5 SMTP-750([36.37.0.13]) OT 60 of 60 bytes sent, Flags=0
    02:37:45 5 SMTP-750([36.37.0.13]) *Status=23
    02:37:56 5 SMTP-750([36.37.0.13]) Received 36 bytes
    Next, they say who is the email's recipient (or recipients):
    02:37:56 4 SMTP-750([36.37.0.13]) Input Line: RCPT TO: <recipes@hypertouch.com> \r
    02:37:56 5 SMTP-750([36.37.0.13]) *Status=33
    02:37:56 4 SMTP-750([36.37.0.13]) Sending 250 <recipes@hypertouch.com>  recipient accepted\r\n
    02:37:56 5 SMTP-750([36.37.0.13]) OT 50 of 50 bytes sent, Flags=0
    02:37:56 5 SMTP-750([36.37.0.13]) *Status=23
    02:38:07 5 SMTP-750([36.37.0.13]) Received 6 bytes
    Then they start sending the message (i.e. the headers and the body):
    02:38:07 4 SMTP-750([36.37.0.13]) Input Line: DATA\r
    02:38:07 4 SMTP-750([36.37.0.13]) Sending 354 Enter mail, end with "." on a line by itself\r\n
    02:38:07 5 SMTP-750([36.37.0.13]) OT 50 of 50 bytes sent, Flags=0
    02:38:07 5 SMTP-750([36.37.0.13]) *Status=27
    Note: the actual content of the email isn't recorded in the log
    02:38:24 5 SMTP-750([36.37.0.13]) Received 53 bytes
    02:38:24 5 SMTP-750([36.37.0.13]) Received 914 bytes
    02:38:26 5 SMTP-750([36.37.0.13]) Received 35 bytes
    02:38:28 5 SMTP-750([36.37.0.13]) Received 3 bytes
    02:38:28 5 SMTP-750([36.37.0.13]) Writing 1285 byte at 0
    02:38:28 5 SMTP-750([36.37.0.13]) *Status=28
    02:38:28 2 SMTP-750([36.37.0.13]) {S.0000014938} received, 1285 bytes
    They finish sending:
    02:38:28 4 SMTP-750([36.37.0.13]) Sending 250 S.0000014938 message accepted for delivery\r\n
    02:38:28 5 SMTP-750([36.37.0.13]) OT 48 of 48 bytes sent, Flags=0
    02:38:28 5 SMTP-750([36.37.0.13]) *Status=22
    Queue the email message up for delivery:
    02:38:28 2 SYSTEM [S.0000014938] <419.436278.39703056-Made-Up-Number-emailplus@321media.com>  0+1 From:Made-Up-Name-emailplus@321media.com
    Deliver the mail to the appropriate person, in this case joepublic@hypertouch.com:
    02:38:28 2 SYSTEM(POP) [S.0000014938] delivered to (joepublic)
    Delete the email message from the queue:
    02:38:28 2 SYSTEM [S.0000014938] deleted
    02:38:38 5 SMTP-750([36.37.0.13]) Received 6 bytes
    The sender says they are done and want to quit:
    02:38:38 4 SMTP-750([36.37.0.13]) Input Line: quit\r
    02:38:38 5 SMTP-750([36.37.0.13]) *Status=29
    Tell the sender we are closing the connection:
    02:38:38 4 SMTP-750([36.37.0.13]) Sending 221 209.31.44.214 closing connection\r\n
    02:38:38 5 SMTP-750([36.37.0.13]) OT 38 of 38 bytes sent, Flags=0
    02:38:38 5 SMTP-750([36.37.0.13]) *Status=1
    Finally, close and/or shut down everything we opened for the SMTP session:
    02:38:38 4 SMTP-750([36.37.0.13]) Closing
    02:38:38 5 SMTP-750([36.37.0.13]) Disconnect Received
    02:38:38 5 SMTP-750([36.37.0.13]) Disconnect Confirmed 
    02:38:38 4 SMTP-750([36.37.0.13]) Input Stream ended
    02:38:38 5 SMTP-750([36.37.0.13]) *Status=2
    02:38:38 4 SMTP disposing line 750
    02:38:38 5 SMTP(750) Resolver Disposed
    02:38:38 5 SMTP-750([36.37.0.13]) Stream Disposed
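
The annotated lines above can also be read mechanically. The following Python sketch is an added example (not part of the original page or of the Stalker mail server): it rebuilds a session from the SMTP-<line> entries and flags sessions whose HELO name failed verification yet still had a message accepted. The regular expressions and field names are assumptions inferred from the lines shown on this page, not a documented log format.

```python
import re

# Excerpt of the log above with the comments removed; "\r" is literal log text.
SAMPLE_LOG = r"""
02:35:56 4 SMTP-750() Got connection from [36.37.0.13:39891]
02:36:51 4 SMTP-750([36.37.0.13]) Input Line: HELO Made-Up-Name-desk98\r
02:36:52 3 SMTP-750(Made-Up-Name-desk98) Failed to verify. Real address is [36.37.0.13:39891]
02:37:45 4 SMTP-750([36.37.0.13]) Input Line: MAIL FROM:<Made-Up-Name-emailplus@321media.com> \r
02:37:56 4 SMTP-750([36.37.0.13]) Input Line: RCPT TO: <recipes@hypertouch.com> \r
02:38:07 4 SMTP-750([36.37.0.13]) Input Line: DATA\r
02:38:28 2 SMTP-750([36.37.0.13]) {S.0000014938} received, 1285 bytes
02:38:38 4 SMTP-750([36.37.0.13]) Input Line: quit\r
"""

# time, log level, SMTP line number, peer label in parentheses, message text
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\d) SMTP-(\d+)\((.*?)\) (.*)$")

def parse_sessions(log_text):
    """Group SMTP-<n> log lines by line number n and rebuild each session."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # comment lines, SYSTEM lines, blank lines
        line_no, msg = m.group(3), m.group(5)
        s = sessions.setdefault(line_no, {"peer_ip": None, "helo": None,
            "helo_failed": False, "mail_from": None, "rcpt_to": [], "accepted": []})
        if (c := re.match(r"Got connection from \[([\d.]+):\d+\]", msg)):
            s["peer_ip"] = c.group(1)  # the only identity the server can trust
        elif msg.startswith("Failed to verify"):
            s["helo_failed"] = True
        elif (c := re.match(r"\{(S\.\d+)\} received, (\d+) bytes", msg)):
            s["accepted"].append((c.group(1), int(c.group(2))))
        elif msg.startswith("Input Line: "):
            cmd = msg[len("Input Line: "):].removesuffix("\\r").strip()
            verb = cmd.upper()
            if verb.startswith(("HELO ", "EHLO ")):
                s["helo"] = cmd.split(None, 1)[1]
            elif verb.startswith("MAIL FROM:"):
                s["mail_from"] = cmd[10:].strip().strip("<>")
            elif verb.startswith("RCPT TO:"):
                s["rcpt_to"].append(cmd[8:].strip().strip("<>"))
    return sessions

def unverified_but_accepted(sessions):
    """Sessions whose HELO name failed lookup yet still had mail accepted."""
    return [s for s in sessions.values() if s["helo_failed"] and s["accepted"]]
```

Run over the excerpt, `unverified_but_accepted(parse_sessions(SAMPLE_LOG))` returns the one session on line 750, pairing the connecting address 36.37.0.13 with the claimed HELO name and envelope addresses.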
    
