Generic Tables

A brief description of each table follows. The detail tables store integer ids; the corresponding map tables (…Map) hold the string value for each id, so reports are built by joining a detail table to the map table named in the field description.

 

goaAuditHistory

This table tracks changes to the audit configuration: each row records a service starting or stopping and the set of audit tables that were enabled at that point. By comparing consecutive rows for the same product and machine it is possible to determine whether somebody has disabled auditing of a specific feature, for example to prevent a detection from being recorded.

 

Field Name Type Description

AtTime Date/Time The date and time of this event. (GMT)

ProductID Integer The ID of this product. (goaProductIdMap)

MachineID Integer The ID of the machine on which this product is running. (goaMachineIdMap)

Service String The name of the service which started or stopped.

Event Integer Either start (1) or stop (2).

TablesEnabled Integer A bitwise mask of which tables are enabled.
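As an added example (not code from the original page or from the MIMEsweeper product), the following Python script recreates goaAuditHistory in an in-memory SQLite database, loads a few constructed rows, and runs a plain-SQL query that compares each row's TablesEnabled mask with the most recent earlier row for the same product, machine and service. A bit that is clear in the new mask but set in the old one means auditing for that table was switched off between a stop and the next start, which is the pattern to look for. The page does not say which bit belongs to which table, so the script reports bit positions rather than table names. The query uses a correlated subquery instead of window functions so it also runs unchanged against a SQL Server audit database.

```python
"""Find audit-configuration changes in goaAuditHistory.

Added example: not code from the original page or the MIMEsweeper product.
The table is recreated in an in-memory SQLite database with constructed rows.
"""
import sqlite3

# Constructed sample rows: (AtTime in GMT, ProductID, MachineID, Service,
# Event: 1 = start / 2 = stop, TablesEnabled bit mask).
SAMPLE_ROWS = [
    ("2003-01-10 08:00:00", 1, 1, "Security Service", 1, 0x3F),
    ("2003-01-11 08:00:00", 1, 1, "Security Service", 1, 0x3F),
    ("2003-01-12 02:13:00", 1, 1, "Security Service", 2, 0x3F),  # stopped at 02:13
    ("2003-01-12 02:15:00", 1, 1, "Security Service", 1, 0x37),  # restarted, bit 3 cleared
    ("2003-01-13 08:00:00", 1, 1, "Security Service", 1, 0x37),
    ("2003-01-10 08:00:00", 1, 2, "Security Service", 1, 0x3F),  # second machine, no change
]

# Each row is paired with the most recent earlier row for the same product,
# machine and service; rows whose mask differs from that row are reported.
CHANGES_SQL = """
SELECT cur.AtTime, cur.ProductID, cur.MachineID, cur.Service,
       prev.TablesEnabled AS OldMask, cur.TablesEnabled AS NewMask
FROM goaAuditHistory cur
JOIN goaAuditHistory prev
  ON prev.ProductID = cur.ProductID
 AND prev.MachineID = cur.MachineID
 AND prev.Service   = cur.Service
 AND prev.AtTime = (SELECT MAX(p2.AtTime) FROM goaAuditHistory p2
                    WHERE p2.ProductID = cur.ProductID
                      AND p2.MachineID = cur.MachineID
                      AND p2.Service   = cur.Service
                      AND p2.AtTime  < cur.AtTime)
WHERE prev.TablesEnabled <> cur.TablesEnabled
ORDER BY cur.AtTime
"""


def build_db():
    """Create goaAuditHistory in memory and load the constructed rows.
    AtTime is an ISO-8601 text column because SQLite has no Date/Time type;
    ISO strings order correctly when compared as text."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("""CREATE TABLE goaAuditHistory (
        AtTime TEXT, ProductID INTEGER, MachineID INTEGER,
        Service TEXT, Event INTEGER, TablesEnabled INTEGER)""")
    conn.executemany("INSERT INTO goaAuditHistory VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def changed_bits(old_mask, new_mask):
    """Return (bits cleared, bits set) as lists of bit positions.
    Bit positions are reported because the bit-to-table mapping is not
    documented on the page."""
    cleared = [b for b in range(32) if old_mask & (1 << b) and not new_mask & (1 << b)]
    set_on = [b for b in range(32) if new_mask & (1 << b) and not old_mask & (1 << b)]
    return cleared, set_on


def audit_config_changes(conn):
    """Run CHANGES_SQL and decode every mask change into a dict."""
    result = []
    for row in conn.execute(CHANGES_SQL):
        cleared, set_on = changed_bits(row["OldMask"], row["NewMask"])
        result.append({
            "AtTime": row["AtTime"], "MachineID": row["MachineID"],
            "Service": row["Service"], "OldMask": row["OldMask"],
            "NewMask": row["NewMask"], "Disabled": cleared, "Enabled": set_on,
        })
    return result


if __name__ == "__main__":
    for change in audit_config_changes(build_db()):
        print(change)
```

Running the script against the constructed rows reports a single change, on machine 1 at 02:15, where bit 3 was cleared across a stop/start two minutes earlier; a stop followed shortly by a start with a smaller mask is exactly the sequence a person switching off one audit feature would leave behind.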

goaCategoryMap

This table maps a category id to a category name, e.g. 1 -> ‘Scenarios’.

Field Name Type Description

MapId Integer (unique) The id of the category. (moaMessage.Category)

Type Integer Always 0x10008 (65544 decimal).

MappedValue String (unique) The name of the category (a scenario path). E.g. ‘Scenario/Incoming’

 

goaClassifications

This table holds the one-to-many relationship between a data item and its classifications.

Field Name Type Description

MapId Integer (not unique) The id of the item for which the classification was processed.

MappedValue Integer (not unique) The id of the classification that was processed. (goaClassificationMap)

 

goaClassificationMap

This table maps a classification id to a classification name.

Field Name Type Description

MapId Integer (unique) The id of the classification, referenced by goaClassifications.MappedValue.

Type Integer Always 3 (Classification).

MappedValue String (unique) The name of the classification. E.g. “Clean”

 

goaCustomEvents

This table holds information about custom events. It is provided for future custom plug-ins: only events in the custom facility are placed here; unrecognized events are placed in the goaUnhandledEvents table.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

AtTime Date/Time The time at which the event was raised.

Event Integer The id of the audit event.

Arg1 String Specific to the event.

Arg2 String Specific to the event.

Arg3 String Specific to the event.

Arg4 String Specific to the event.

 


goaEngineDetail

This table contains generic engine processing information.

Field Name Type Description

ID Integer (unique) The id of the item which was processed.

ProductID Integer (not unique) The ID of the product that processed the data item. (goaProductIdMap)

MachineID Integer (not unique) The ID of the machine that processed the data item. (goaMachineIdMap)

StartTime Date/Time The time at which processing started.

ProcessDuration Integer (not unique) The length of time the item took to process. (Milliseconds)

 

goaEventDetail

This table contains information about threats that have been detected.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

ItemName String The name of the item which was modified or detected.

ItemSize (future) Integer The size of the item which was modified or detected.

ScenarioTrigger Integer The id of the scenario (trigger) which modified or detected the item. (goaEventMap)

Action Integer The id of the action taken: modified or detected. (goaEventMap)

Description Integer The id of the description, e.g. the name of the virus detected, where available. (goaEventMap)

 

goaEventMap

This table contains the names associated with event detail records.

Field Name Type Description

MapId Integer (unique) The id of the mapped value.

Type Integer The type of string. 4 = Trigger, 5 = Action; Description strings have a further type value, not given here.

MappedValue String (unique) The value.
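Added example (not code from the original page or from the product): goaEventDetail carries three ids that all point into goaEventMap, so the map table is joined three times under different aliases. The trigger and action joins check Type = 4 and Type = 5 as documented above; the description join is a LEFT JOIN because a description is only recorded where available, and it does not check Type because the page does not state the value for description strings (the constructed rows leave it NULL). The script recreates both tables in SQLite with constructed rows and also counts detections per description, which is the usual first question asked of this table.

```python
"""Resolve goaEventDetail ids to names through goaEventMap.

Added example: not code from the original page or the MIMEsweeper product.
Both tables are recreated in an in-memory SQLite database with constructed rows.
"""
import sqlite3

# Constructed goaEventMap rows: (MapId, Type, MappedValue).
# Type 4 = Trigger and 5 = Action as on the page. The Type for Description
# strings is not given on the page, so it is left NULL here.
EVENT_MAP = [
    (1, 4, "Scenario/Incoming/Virus Check"),
    (2, 5, "Detected"),
    (3, 5, "Modified"),
    (4, None, "EICAR-Test-File"),
    (5, 4, "Scenario/Incoming/Macro Check"),
]

# Constructed goaEventDetail rows:
# (ID, ItemName, ItemSize, ScenarioTrigger, Action, Description).
EVENT_DETAIL = [
    (100, "eicar.com", 68, 1, 2, 4),
    (101, "report.doc", 40960, 5, 3, None),   # modified, no description recorded
    (102, "eicar.zip", 184, 1, 2, 4),
]

# One map table joined three times; Type is checked where the page gives it.
RESOLVE_SQL = """
SELECT d.ID, d.ItemName,
       t.MappedValue AS TriggerName,
       a.MappedValue AS ActionName,
       x.MappedValue AS DescriptionName
FROM goaEventDetail d
JOIN goaEventMap t ON t.MapId = d.ScenarioTrigger AND t.Type = 4
JOIN goaEventMap a ON a.MapId = d.Action          AND a.Type = 5
LEFT JOIN goaEventMap x ON x.MapId = d.Description
ORDER BY d.ID
"""

# Detections grouped by description (virus name), most frequent first.
COUNT_SQL = """
SELECT x.MappedValue, COUNT(*) AS n
FROM goaEventDetail d
JOIN goaEventMap a ON a.MapId = d.Action AND a.Type = 5
JOIN goaEventMap x ON x.MapId = d.Description
WHERE a.MappedValue = 'Detected'
GROUP BY x.MappedValue
ORDER BY n DESC, x.MappedValue
"""


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goaEventMap (MapId INTEGER PRIMARY KEY, "
                 "Type INTEGER, MappedValue TEXT UNIQUE)")
    conn.execute("CREATE TABLE goaEventDetail (ID INTEGER, ItemName TEXT, "
                 "ItemSize INTEGER, ScenarioTrigger INTEGER, Action INTEGER, "
                 "Description INTEGER)")
    conn.executemany("INSERT INTO goaEventMap VALUES (?,?,?)", EVENT_MAP)
    conn.executemany("INSERT INTO goaEventDetail VALUES (?,?,?,?,?,?)", EVENT_DETAIL)
    return conn


def resolved_events(conn):
    """Return (ID, ItemName, TriggerName, ActionName, DescriptionName) tuples;
    DescriptionName is None when no description was recorded."""
    return [tuple(r) for r in conn.execute(RESOLVE_SQL)]


def detections_by_description(conn):
    """Return [(description, count), ...] for events whose action is Detected."""
    return [tuple(r) for r in conn.execute(COUNT_SQL)]


if __name__ == "__main__":
    db = build_db()
    for row in resolved_events(db):
        print(row)
    print(detections_by_description(db))
```

The same three-alias pattern applies to goaFormatDetail against goaFormatTypeMap (Types 7, 8 and 9), where all three Type values are documented and can be checked in every join.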

 

goaFormatTypeMap

This table contains the names associated with format detail records.

Field Name Type Description

MapId Integer (unique) The id of the mapped value.

Type Integer The type of string. 7 = Manager, 8 = Type, 9 = Subtype.

MappedValue String (unique) The value.

 

goaFormatDetail

This table contains information about formats that have been recognized.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

ItemName String The name of the item that was recognized.

ItemSize (future) Integer The size (in bytes) of the item that was recognized.

FormatManager Integer The id of the name of the format manager (FM) which recognized the item. (goaFormatTypeMap)

FormatType Integer The id of the type of format. (goaFormatTypeMap)

FormatSubtype Integer The id of the specific type of format. (goaFormatTypeMap)

 

goaMachineIDMap

More than one computer may audit to the same database, so a way of identifying a specific machine is required. This table is a simple map from machine name to id; the mail tables also use it for the host and domain names in moaDeliveryDetail, moaNonDeliveryEvent and moaReceiptDetail.

Field Name Type Description

MapId Integer (unique) The id of the machine.

Type Integer Always 2.

MappedValue String (unique) The name of a machine. E.g. (mymachine.mimesweeper.com)

goaUnhandledEvents

This table holds information about unhandled events. This table is provided as a ‘catch-all’ for unrecognized audit events.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

AtTime Date/Time The time at which the event was raised.

Event Integer The id of the audit event.

Arg1 String Specific to the event.

Arg2 String Specific to the event.

Arg3 String Specific to the event.

Arg4 String Specific to the event.

 

Mail Specific Tables

 

moaAddressMap

This table maps e-mail addresses to ids.

Field Name Type Description

MapId Integer (unique) The id of the address, referenced by moaMessage.Sender and moaRecipients.MappedValue.

Type Integer Type of address. Values same as product id. (goaProductIdMap)

MappedValue String (unique) An e-mail address. Forced to lower case.

 

moaDeliveryDetail

This table holds the delivery details of all successfully delivered messages.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

MachineId Integer Id of the machine which delivered the message. (goaMachineIdMap)

AtTime Date/Time Date and time at which the mail was delivered.

Domain Integer Id of the domain to which the mail was delivered. (goaMachineIdMap)

ByHost Integer Id of the host to which the mail was sent. (goaMachineIdMap)

 

moaMessage

This table holds the items that occur once per message.

Field Name Type Description

ID Integer (unique) The id of the item which was processed.

Sender Integer The id of the sender’s e-mail address. (moaAddressMap)

Subject String The subject of this message.

MsgSize Integer The size of this message in bytes.

Category Integer The id of the category which this message matched. (goaCategoryMap)

 

moaMsgAreaMap

This table maps the user names and message area names referenced by moaMessageAreaHistory to ids.

Field Name Type Description

MapId Integer (unique) The id referenced by moaMessageAreaHistory.UserName or moaMessageAreaHistory.Area.

Type Integer User = 0x10003, Area = 0x10004.

MappedValue String (unique) The string value.

 

moaMsgIDMap

This table maps message id strings to the internal integer identifiers used by the other tables.

Field Name Type Description

ID Integer (unique) The internal integer id of the message.

Type Integer The id of the original message if the message was split.

MappedValue String (unique) The message ID.

 

moaMessageAreaHistory

This table holds information about operations performed on a message area (for example a quarantine area): which user ran which command on which message, when, and with what argument.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

AtTime Date/Time The time at which the command was executed.

Command Integer The id of the command, e.g. GMS_MSG_QUARANTINED.

UserName Integer The id of the user who performed the command. (moaMsgAreaMap, Type 0x10003)

Area Integer The id of the area in which the message is present. (moaMsgAreaMap, Type 0x10004)

StringArg String Command specific: either the e-mail address for a forward, or the path for a save.
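Added example (not code from the original page or from the product): a forensic query over moaMessageAreaHistory that lists every operation carrying a StringArg, i.e. every forward address or save path through which message content left an area, resolved through moaMsgAreaMap using the Type values documented for that table (User = 0x10003, Area = 0x10004), plus a per-user count of such operations. The numeric Command codes are not given on this page, so the constructed rows use placeholder codes that have no meaning outside this script; the query deliberately keys on StringArg rather than on a command code so that it does not depend on them.

```python
"""Who moved content out of a message area, per user (forward / save).

Added example: not code from the original page or the MIMEsweeper product.
Tables are recreated in an in-memory SQLite database with constructed rows.
"""
import sqlite3

USER_TYPE, AREA_TYPE = 0x10003, 0x10004   # moaMsgAreaMap.Type values from the page

# Constructed moaMsgAreaMap rows: (MapId, Type, MappedValue).
AREA_MAP = [
    (1, USER_TYPE, "DOMAIN\\jsmith"),
    (2, USER_TYPE, "DOMAIN\\helpdesk"),
    (3, AREA_TYPE, "Virus Quarantine"),
    (4, AREA_TYPE, "Spam"),
]

# Placeholder command codes for this example only: the real numeric values
# of GMS_MSG_QUARANTINED and the other commands are not stated on the page.
CMD_QUARANTINED, CMD_FORWARDED, CMD_SAVED, CMD_DELETED = 1, 2, 3, 4

# Constructed moaMessageAreaHistory rows:
# (ID, AtTime, Command, UserName, Area, StringArg).
HISTORY = [
    (500, "2003-02-01 09:00:00", CMD_QUARANTINED, 1, 3, None),
    (500, "2003-02-01 09:30:00", CMD_FORWARDED, 1, 3, "someone@external.example"),
    (501, "2003-02-01 10:00:00", CMD_QUARANTINED, 1, 3, None),
    (501, "2003-02-02 11:00:00", CMD_SAVED, 2, 3, "C:\\temp\\501.eml"),
    (502, "2003-02-02 12:00:00", CMD_QUARANTINED, 1, 4, None),
    (502, "2003-02-02 12:05:00", CMD_DELETED, 2, 4, None),
]

# Any row with a StringArg is a forward or a save, per the table definition.
# User and area names come from the same map table, separated by Type.
EXPORTS_SQL = """
SELECT h.AtTime, h.ID, u.MappedValue AS UserName, a.MappedValue AS Area, h.StringArg
FROM moaMessageAreaHistory h
JOIN moaMsgAreaMap u ON u.MapId = h.UserName AND u.Type = ?
JOIN moaMsgAreaMap a ON a.MapId = h.Area     AND a.Type = ?
WHERE h.StringArg IS NOT NULL AND h.StringArg <> ''
  AND (? IS NULL OR a.MappedValue = ?)
ORDER BY h.AtTime
"""

COUNTS_SQL = """
SELECT u.MappedValue, COUNT(*) AS n
FROM moaMessageAreaHistory h
JOIN moaMsgAreaMap u ON u.MapId = h.UserName AND u.Type = ?
WHERE h.StringArg IS NOT NULL AND h.StringArg <> ''
GROUP BY u.MappedValue
ORDER BY n DESC, u.MappedValue
"""


def build_db():
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moaMsgAreaMap (MapId INTEGER PRIMARY KEY, "
                 "Type INTEGER, MappedValue TEXT UNIQUE)")
    conn.execute("CREATE TABLE moaMessageAreaHistory (ID INTEGER, AtTime TEXT, "
                 "Command INTEGER, UserName INTEGER, Area INTEGER, StringArg TEXT)")
    conn.executemany("INSERT INTO moaMsgAreaMap VALUES (?,?,?)", AREA_MAP)
    conn.executemany("INSERT INTO moaMessageAreaHistory VALUES (?,?,?,?,?,?)", HISTORY)
    return conn


def exports(conn, area=None):
    """Return (AtTime, ID, UserName, Area, StringArg) for every forward or save,
    optionally restricted to one area name."""
    params = (USER_TYPE, AREA_TYPE, area, area)
    return [tuple(r) for r in conn.execute(EXPORTS_SQL, params)]


def export_counts_by_user(conn):
    """Return [(user, number of forwards/saves), ...], busiest user first."""
    return [tuple(r) for r in conn.execute(COUNTS_SQL, (USER_TYPE,))]


if __name__ == "__main__":
    db = build_db()
    for row in exports(db):
        print(row)
    print(export_counts_by_user(db))
```

Joining the Type column as well as MapId costs nothing and catches a UserName id accidentally resolved against an area name if the map is ever corrupted or mis-loaded.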

 

moaNonDeliveryEvent

This table holds the details of all unsuccessful delivery attempts.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

Event Integer The event id. E.g. GMS_MSG_DEAD, GMS_MSG_ABANDONED

Domain Integer The id of the destination domain of the message. (goaMachineIdMap)

StringArg String The reason for the failure, as passed from IMS.

 

moaReceiptDetail

This table records which machine the messages were received from.

Field Name Type Description

ID Integer (not unique) The id of the item which was processed.

MachineID Integer (not unique) The ID of the machine that received the message. (goaMachineIdMap)

SourceHost Integer The id of the IP address of the machine from which the message was received. (goaMachineIdMap)

ReceiptTime Date/Time The time at which the message was received.

 

moaRecipients

This table holds the one-to-many map of the recipients of all the audited messages.

Field Name Type Description

MapId Integer (not unique) The id of the message. (moaMessage.ID)

MappedValue Integer The id of the recipient’s e-mail address. (moaAddressMap)

 

Sample SQL Report (SQL Server syntax): number of messages, average, largest and smallest message size, and total engine processing time per sender address, largest average first. Note that the INNER JOIN to moaReceiptDetail contributes no columns to the result; because moaReceiptDetail.ID is not unique, a message with more than one receipt row is counted more than once, which inflates the count and the processing-time sum for that sender.

SELECT TOP 100 PERCENT
    moaAddressMap.MappedValue,
    COUNT(moaMessage.ID)                 AS [Message Count],
    AVG(moaMessage.MsgSize)              AS [Average Size],
    MAX(moaMessage.MsgSize)              AS [Largest Message],
    MIN(moaMessage.MsgSize)              AS [Smallest Message],
    SUM(goaEngineDetail.ProcessDuration) AS [Processing Time]
FROM moaMessage
    INNER JOIN moaAddressMap    ON moaMessage.Sender = moaAddressMap.MapId
    INNER JOIN goaEngineDetail  ON moaMessage.ID = goaEngineDetail.ID
    INNER JOIN moaReceiptDetail ON moaMessage.ID = moaReceiptDetail.ID
GROUP BY moaAddressMap.MappedValue
ORDER BY AVG(moaMessage.MsgSize) DESC
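The sample report's INNER JOIN to moaReceiptDetail uses none of that table's columns, and since moaReceiptDetail.ID is not unique, any message with two receipt rows is counted twice and has its ProcessDuration summed twice. The following added Python script (not code from the original page or from the product) recreates the four tables in SQLite with constructed rows, one message having two moaReceiptDetail rows, and runs the report once as written (minus TOP 100 PERCENT, a SQL Server idiom needed only inside a view) and once with the unused join removed. It also shows the lower-case lookup that moaAddressMap requires, since the table stores addresses forced to lower case and a mixed-case search term would silently match nothing.

```python
"""Per-sender report from the sample SQL, with the join fan-out fixed.

Added example: not code from the original page or the MIMEsweeper product.
The four tables are recreated in an in-memory SQLite database with
constructed rows.
"""
import sqlite3

# Constructed rows. moaAddressMap.MappedValue is lower-cased, as documented.
ADDRESS_MAP = [(1, 1, "alice@example.com"), (2, 1, "bob@example.com")]
MESSAGES = [  # (ID, Sender, Subject, MsgSize, Category)
    (10, 1, "q1 figures", 1000, 1),
    (11, 1, "re: q1 figures", 3000, 1),
    (12, 2, "hello", 500, 1),
]
ENGINE_DETAIL = [  # (ID, ProductID, MachineID, StartTime, ProcessDuration ms)
    (10, 1, 1, "2003-03-01 09:00:00", 100),
    (11, 1, 1, "2003-03-01 09:01:00", 200),
    (12, 1, 1, "2003-03-01 09:02:00", 50),
]
RECEIPT_DETAIL = [  # (ID, MachineID, SourceHost, ReceiptTime); ID is not unique
    (10, 1, 7, "2003-03-01 09:00:00"),
    (11, 1, 7, "2003-03-01 09:01:00"),
    (11, 1, 8, "2003-03-01 09:01:30"),  # second receipt row for message 11
    (12, 1, 9, "2003-03-01 09:02:00"),
]

# The page's report as written (TOP 100 PERCENT dropped; it is SQL Server only).
ORIGINAL_SQL = """
SELECT m2.MappedValue, COUNT(m.ID), AVG(m.MsgSize), MAX(m.MsgSize), MIN(m.MsgSize),
       SUM(e.ProcessDuration)
FROM moaMessage m
JOIN moaAddressMap m2 ON m.Sender = m2.MapId
JOIN goaEngineDetail e ON m.ID = e.ID
JOIN moaReceiptDetail r ON m.ID = r.ID
GROUP BY m2.MappedValue
ORDER BY AVG(m.MsgSize) DESC
"""

# Same report without the unused join: one row per message again.
FIXED_SQL = """
SELECT m2.MappedValue, COUNT(m.ID), AVG(m.MsgSize), MAX(m.MsgSize), MIN(m.MsgSize),
       SUM(e.ProcessDuration)
FROM moaMessage m
JOIN moaAddressMap m2 ON m.Sender = m2.MapId
JOIN goaEngineDetail e ON m.ID = e.ID
GROUP BY m2.MappedValue
ORDER BY AVG(m.MsgSize) DESC
"""


def build_db():
    """Create the four tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moaAddressMap (MapId INTEGER PRIMARY KEY, "
                 "Type INTEGER, MappedValue TEXT UNIQUE)")
    conn.execute("CREATE TABLE moaMessage (ID INTEGER PRIMARY KEY, Sender INTEGER, "
                 "Subject TEXT, MsgSize INTEGER, Category INTEGER)")
    conn.execute("CREATE TABLE goaEngineDetail (ID INTEGER PRIMARY KEY, ProductID INTEGER, "
                 "MachineID INTEGER, StartTime TEXT, ProcessDuration INTEGER)")
    conn.execute("CREATE TABLE moaReceiptDetail (ID INTEGER, MachineID INTEGER, "
                 "SourceHost INTEGER, ReceiptTime TEXT)")
    conn.executemany("INSERT INTO moaAddressMap VALUES (?,?,?)", ADDRESS_MAP)
    conn.executemany("INSERT INTO moaMessage VALUES (?,?,?,?,?)", MESSAGES)
    conn.executemany("INSERT INTO goaEngineDetail VALUES (?,?,?,?,?)", ENGINE_DETAIL)
    conn.executemany("INSERT INTO moaReceiptDetail VALUES (?,?,?,?)", RECEIPT_DETAIL)
    return conn


def report(conn, sql):
    """Return {sender: (count, average, largest, smallest, processing_ms)}."""
    return {row[0]: tuple(row[1:]) for row in conn.execute(sql)}


def messages_from(conn, address):
    """Messages sent by one address. The search term is lower-cased to match
    the lower-cased values stored in moaAddressMap."""
    sql = """SELECT m.ID, m.Subject FROM moaMessage m
             JOIN moaAddressMap a ON a.MapId = m.Sender
             WHERE a.MappedValue = ? ORDER BY m.ID"""
    return [tuple(r) for r in conn.execute(sql, (address.lower(),))]


if __name__ == "__main__":
    db = build_db()
    print("as written:", report(db, ORIGINAL_SQL))
    print("fixed:     ", report(db, FIXED_SQL))
    print(messages_from(db, "Alice@Example.COM"))
```

With the constructed rows the report as written credits alice@example.com with 3 messages and 500 ms of processing time, while the fixed query gives the true 2 messages and 300 ms; the figures for bob@example.com, whose one message has a single receipt row, are identical in both. If receipt information is genuinely wanted in a per-sender report, join an aggregate of moaReceiptDetail (for example MIN(ReceiptTime) grouped by ID) rather than the raw table.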

 