Hi,

I do a fair amount of post-daily analysis of the SM log files looking for spammer activity and behavior.  One of the things that I continue to have to account for is the fact that the SMTP log file has both authenticated and non-authenticated SMTP activity mixed together.  In my view these are two completely different audiences whose behavior should be tracked differently and have different log files.

Example: non-authenticated traffic from a given IP address should have a static EHLO argument from one connection to the next.  I've seen instances of a single IP address showing a different EHLO argument every time they drop off mail in a single day.  None were legitimate.

That same behavior is not uncommon with authenticated traffic.  FWIW, this would only work if authenticated users don't (or can't) authenticate on port 25, which is a separate feature that would be very handy.  I don't want users to use port 25 to authenticate.  As it is now, I can't even tell which port they came in on: 25 or 587.

Does anyone else see this as a useful feature enhancement?

Thanks!

--Ben