Rare occurrences of incorrect fields filled in SMTP log record #254
This is a quite rare occurrence and I am not exactly sure how to replicate it either.
I have noticed that there are rare times when two different emails are combined into one single SMTP record. I base this on the fact that I verified that emails were different using timemachine captures.
The incorrect SMTP log record has the sender of one email, populated with the recipients of one (or both) emails, then the subject of one of the emails (generally the first one).
My hypothesis is that there might be packet drops resulting in Zeek not understanding that these are two different emails on the same TCP stream, but I speculate.
I will try to figure out a way to reproduce this and/or see if I can help further with zeroing in on the specifics of the issue. (Sorry, this is a bit generic.)
Message me offline and I can send you exact log entries if desired.
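One way to triage this symptom on existing logs, as an added example that is not part of the issue or of Zeek itself: parse the tab-separated Zeek ASCII logs by their `#fields` header, join `smtp.log` to `conn.log` on `uid`, and flag SMTP records that either sit on a connection with `missed_bytes > 0` (Zeek's own indicator of a content gap, which is what the packet-drop hypothesis predicts) or carry envelope recipients (`rcptto`) that do not appear in the `To`/`Cc` headers, which is how a record stitched together from two messages would look. The two log excerpts embedded below are constructed sample data with a subset of Zeek's real field names; the real field set varies by version, so the parser reads the header instead of assuming positions.

```python
"""Triage helper for merged-looking SMTP records (added example, not Zeek code).

Joins smtp.log to conn.log on uid and reports records that look stitched
together or that sit on a connection where Zeek reported missed bytes.
"""
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

# Constructed sample smtp.log: one connection (CAbc1) carrying two transactions,
# where the second transaction's rcptto also contains the first message's
# recipient, plus a clean connection (CXyz9) for contrast.
SMTP_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\ttrans_depth\tmailfrom\trcptto\tfrom\tto\tcc\tsubject
#types\ttime\tstring\taddr\taddr\tcount\tstring\tset[string]\tstring\tset[string]\tset[string]\tstring
1550000000.1\tCAbc1\t10.0.0.5\t10.0.0.25\t1\talice@example.org\tbob@example.org\t"Alice" <alice@example.org>\t"Bob" <bob@example.org>\t-\tQ1 report
1550000001.2\tCAbc1\t10.0.0.5\t10.0.0.25\t2\tcarol@example.org\tdave@example.org,bob@example.org\tcarol@example.org\tdave@example.org\t-\tLunch
1550000003.3\tCXyz9\t10.0.0.7\t10.0.0.25\t1\terin@example.org\tfrank@example.org\terin@example.org\tfrank@example.org\t-\tInvoice
#close\t2019-02-12-00-00-00
"""

# Constructed sample conn.log: CAbc1 has a content gap, CXyz9 does not.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tservice\tmissed_bytes
#types\ttime\tstring\taddr\taddr\tenum\tstring\tcount
1550000000.0\tCAbc1\t10.0.0.5\t10.0.0.25\ttcp\tsmtp\t1460
1550000003.0\tCXyz9\t10.0.0.7\t10.0.0.25\ttcp\tsmtp\t0
"""


def parse_zeek_tsv(text: str) -> List[Dict[str, str]]:
    """Parse Zeek's ASCII log format into dicts keyed by the #fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #separator, #types, #close and other metadata lines
        elif fields:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def addresses(value: str) -> Set[str]:
    """Turn a Zeek set[string] of mailboxes into lowercase bare addresses.

    '-' is Zeek's unset marker and '(empty)' its empty-set marker; header
    values may carry display names, so parseaddr() strips them.
    """
    if value in ("-", "(empty)", ""):
        return set()
    return {parseaddr(item)[1].lower() for item in value.split(",") if item}


def flag_suspect_records(smtp_rows: List[Dict[str, str]],
                         conn_rows: List[Dict[str, str]]
                         ) -> List[Tuple[str, str, str, List[str]]]:
    """Return (uid, trans_depth, subject, reasons) for records worth a look."""
    missed = {r["uid"]: int(r.get("missed_bytes", "0")) for r in conn_rows}
    findings = []
    for r in smtp_rows:
        reasons = []
        gap = missed.get(r["uid"], 0)
        if gap > 0:
            reasons.append(f"conn {r['uid']} reported missed_bytes={gap}")
        envelope = addresses(r.get("rcptto", "-"))
        headers = addresses(r.get("to", "-")) | addresses(r.get("cc", "-"))
        extra = envelope - headers
        # Heuristic only: a legitimate Bcc also puts an rcptto outside To/Cc,
        # so this is a triage signal, not proof of a merged record.
        if headers and extra:
            reasons.append(f"rcptto not in To/Cc headers: {sorted(extra)}")
        if reasons:
            findings.append((r["uid"], r["trans_depth"], r["subject"], reasons))
    return findings


def run_on_samples() -> List[Tuple[str, str, str, List[str]]]:
    """Apply the check to the constructed sample logs."""
    return flag_suspect_records(parse_zeek_tsv(SMTP_LOG), parse_zeek_tsv(CONN_LOG))


if __name__ == "__main__":
    for uid, depth, subject, reasons in run_on_samples():
        print(f"{uid} trans_depth={depth} subject={subject!r}")
        for reason in reasons:
            print(f"  - {reason}")
```

Against real logs, replace the two constants with the file contents (or point `parse_zeek_tsv` at `zeek-cut`-free raw output) and inspect the flagged records alongside the packet capture for the same `uid`; a record flagged for both reasons at once is the strongest candidate for the merge described above.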