Cahit Bodur

How to Analyze SMTP Logs and Extract Email Traffic (PHP Script)

Working with mail servers? Then you already know one thing:

👉 SMTP logs are messy.

When a client asks:

“Can you send me only my email logs?”

You’re stuck with a huge log file containing thousands of mixed records.

In this post, I’ll show you a simple but powerful way to extract a specific email’s traffic from SMTP logs using PHP.

🚨 The Problem

SMTP logs are not structured per email.

Instead, they look like this:

```
SMTP-IN 63EBA13D... 20.57..79 EHLO
SMTP-IN 63EBA13D... 20.57..79 MAIL FROM
SMTP-IN 63EBA13D... 20.57..79 RCPT TO:user@example.com
SMTP-IN 63EBA13D... 20.57..79 DATA
```

👉 Different emails are mixed together
👉 The same IP continues the flow
👉 Logs are split across multiple lines

So filtering by email alone is not enough.

💡 The Solution

Here’s the trick:

1. Find the line containing the target email
2. Extract the IP address from that line
3. Collect nearby lines with the same IP

This reconstructs the full SMTP flow.

βš™οΈ PHP Script

```php
<?php

$logFile    = __DIR__ . "/log/SMTP-Activity.log";
$outputFile = __DIR__ . "/log/output.log";

$targetMail = "user@example.com";
$range      = 100;             // lines to scan before and after each hit
$excludeIp  = "185.86.*.14";   // glob pattern for an IP to skip (e.g. your own relay)

// Load the whole log into memory, one element per non-empty line
$lines = file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($lines === false) {
    die("Cannot read $logFile\n");
}
$total = count($lines);

$out = fopen($outputFile, "w");
if ($out === false) {
    die("Cannot open $outputFile for writing\n");
}

for ($i = 0; $i < $total; $i++) {

    if (stripos($lines[$i], $targetMail) !== false) {

        // Columns are tab-separated; the client IP is the 5th column (index 4)
        $parts = preg_split('/\t+/', $lines[$i]);
        $ip = trim($parts[4] ?? '');

        // fnmatch() honours the '*' wildcard in $excludeIp; a plain === never would
        if ($ip === '' || fnmatch($excludeIp, $ip)) continue;

        $start = max(0, $i - $range);
        $end   = min($total - 1, $i + $range);

        // Write the matching line first, then every nearby line from the same IP
        fwrite($out, $lines[$i] . "\n");

        for ($j = $start; $j <= $end; $j++) {

            if ($j === $i) continue;   // already written above

            $p = preg_split('/\t+/', $lines[$j]);
            $currentIp = trim($p[4] ?? '');

            if ($currentIp === '' || fnmatch($excludeIp, $currentIp)) continue;

            if ($currentIp === $ip) {
                fwrite($out, $lines[$j] . "\n");
            }
        }

        fwrite($out, "\n\n");   // blank lines separate one flow from the next
    }
}

fclose($out);

echo "Done!";
```
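As an added example (not the post's script and not code from the linked repository), here is the same idea written as reusable functions. It keeps the post's assumption of a tab-separated layout with the client IP in the fifth column, and additionally assumes the second column is the per-connection session ID (the `63EBA13D...` value in the sample log above). Keying the flow on the session ID instead of only on the IP means two clients behind one NAT address are not merged, each session is written once even when the address appears on several of its lines, and the IP column is validated so a shifted layout fails loudly instead of silently matching nothing. The log lines are constructed for the demo.

```php
<?php
// Added example, not the post's own script. Assumed tab-separated layout
// (constructed to match the post's "IP in column 5" convention):
//   DIRECTION  SESSION-ID  DATE  TIME  CLIENT-IP  COMMAND

function parseLine(string $line): ?array
{
    $cols = preg_split('/\t+/', $line);
    if (count($cols) < 6) {
        return null;                       // continuation or malformed line
    }
    $ip = trim($cols[4]);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;                       // column 5 is not an IP: wrong layout
    }
    return [
        'session' => trim($cols[1]),
        'ip'      => $ip,
        'command' => implode(' ', array_slice($cols, 5)),
        'raw'     => $line,
    ];
}

/**
 * Return [session-id => [raw lines]] for every session that mentions
 * $targetMail within +/- $range lines of the hit, skipping clients whose IP
 * matches the glob $excludeIp. Each session is emitted once.
 */
function extractFlows(array $lines, string $targetMail, int $range, ?string $excludeIp = null): array
{
    $parsed = array_map('parseLine', $lines);   // keys are preserved
    $last   = count($parsed) - 1;
    $flows  = [];

    foreach ($parsed as $i => $rec) {
        if ($rec === null || stripos($rec['raw'], $targetMail) === false) {
            continue;
        }
        if ($excludeIp !== null && fnmatch($excludeIp, $rec['ip'])) {
            continue;
        }
        $key = $rec['session'];
        if (isset($flows[$key])) {
            continue;                      // session already reconstructed
        }
        $flows[$key] = [];
        for ($j = max(0, $i - $range); $j <= min($last, $i + $range); $j++) {
            $r = $parsed[$j];
            if ($r !== null && $r['session'] === $key) {
                $flows[$key][] = $r['raw'];
            }
        }
    }
    return $flows;
}

// Write one block per flow with blank lines between, like the post's output.log
function writeFlows(array $flows, string $path): void
{
    $body = '';
    foreach ($flows as $session => $rawLines) {
        $body .= "# session $session\n" . implode("\n", $rawLines) . "\n\n";
    }
    file_put_contents($path, $body);
}

// Constructed sample: two interleaved sessions plus one hit from an excluded relay IP
$sample = [
    "SMTP-IN\tAAAA0001\t2024-01-01\t10:00:01\t203.0.113.10\tEHLO mail.example.net",
    "SMTP-IN\tBBBB0002\t2024-01-01\t10:00:01\t198.51.100.7\tEHLO other.example.org",
    "SMTP-IN\tAAAA0001\t2024-01-01\t10:00:02\t203.0.113.10\tMAIL FROM:<sender@example.net>",
    "SMTP-IN\tBBBB0002\t2024-01-01\t10:00:02\t198.51.100.7\tMAIL FROM:<bulk@example.org>",
    "SMTP-IN\tAAAA0001\t2024-01-01\t10:00:03\t203.0.113.10\tRCPT TO:<user@example.com>",
    "SMTP-IN\tBBBB0002\t2024-01-01\t10:00:03\t198.51.100.7\tRCPT TO:<someone@example.com>",
    "SMTP-IN\tAAAA0001\t2024-01-01\t10:00:04\t203.0.113.10\tDATA",
    "SMTP-IN\tCCCC0003\t2024-01-01\t10:00:05\t192.0.2.14\tRCPT TO:<user@example.com>",
    "SMTP-IN\tAAAA0001\t2024-01-01\t10:00:06\t203.0.113.10\tQUIT",
];

$flows = extractFlows($sample, 'user@example.com', 100, '192.0.2.*');
writeFlows($flows, __DIR__ . '/output.log');
printf("%d session(s) found; first has %d line(s)\n", count($flows), count(reset($flows) ?: []));
```

Run against the constructed sample this reports one session (`AAAA0001`) with five lines; the `BBBB0002` session never mentions the target address and the `CCCC0003` hit is dropped by the exclude glob. Two caveats carry over from the post's script: `stripos()` is a substring test, so `user@example.com` also matches `otheruser@example.com` unless you anchor on the angle brackets or a word boundary, and `file()` loads the whole log into memory, so for multi-gigabyte logs read it line by line (for instance with `SplFileObject`) and keep only the sliding window you need.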

📌 What You Get

- Full SMTP flow for a specific email
- Clean, client-ready log output
- Faster debugging & analysis

🎯 Use Cases

- Extract logs for a specific client
- Debug email delivery issues
- Detect brute-force login attempts
- Analyze spam behavior

🔗 Full Tutorial (Detailed Explanation)

If you want a step-by-step explanation with real examples:

👉 https://sizinsayfaniz.com/blog2/Kurumsal-Mail-Sunuculari-Icin-Php-Log-Analizi.html

💻 GitHub Repository

👉 https://github.com/cahit2834/smtp-log-analiz-php

⚡ Final Thoughts

SMTP logs look chaotic, but with the right approach, you can extract meaningful insights easily.

If you're managing a mail server, this method will save you hours.

⭐ If this helped you, consider starring the repo!
