Cisco Cisco Email Security Appliance X1050 Information Guide
What is UNIX mbox (mailbox) format?
Document ID: 117912
Contributed by Nasir Shakour and Enrico Werner, Cisco TAC
Engineers.
Engineers.
Jul 10, 2014
Contents
Question:
Question:
What is UNIX mbox (mailbox) format?
UNIX mbox format is used by AsyncOS when messages are archived (in anti−spam and anti−virus
configuration) and logged (in the message filter log() action).
configuration) and logged (in the message filter log() action).
Mbox format is an ASCII−formatted (i.e., not binary) file format that can contain zero or more mail messages.
Messages are concatenated in the mbox file and can be pried apart based on specific strings in the file. This
format is identical with the message as they are transferted between RFC 2821 complained mail gateways.
Messages are concatenated in the mbox file and can be pried apart based on specific strings in the file. This
format is identical with the message as they are transferted between RFC 2821 complained mail gateways.
Each message in mbox format begins with a line beginning with the string "From " (ASCII characters F, r, o,
m, and space). "From" lines are followed by several more fields: envelope−sender, date, and (optionally)
more−data.
m, and space). "From" lines are followed by several more fields: envelope−sender, date, and (optionally)
more−data.
The first field after the "From " string is the envelope−sender of the message. Depending on which application
is creating the mbox file, the envelope−sender may be present as a real mailbox, or it may be another
character or string. Most commonly, you will find "−" (single character dash) replacing the envelope−sender
if the actual envelope−sender is not available or not known. The date field inserted by the ESA is in standard
UNIX asctime() format and is always 24 characters in length. In some mbox files written by non−AsyncOS
implementations, further information will follow the date stamp. These three fields are separated by a single
space.
is creating the mbox file, the envelope−sender may be present as a real mailbox, or it may be another
character or string. Most commonly, you will find "−" (single character dash) replacing the envelope−sender
if the actual envelope−sender is not available or not known. The date field inserted by the ESA is in standard
UNIX asctime() format and is always 24 characters in length. In some mbox files written by non−AsyncOS
implementations, further information will follow the date stamp. These three fields are separated by a single
space.
Here is an example of an mbox file with a single message in it:
From Adam@Outside.COM Sun Oct 17 12:03:20 2004
Received: from mail.outside.com (192.35.195.200)
by smtp.alpha.com with ESMTP; 17 Oct 2004 12:03:20 −0700
X−IronPort−AV: i="3.85,147,1094454000";
v="EICAR−AV−Test'0'v";
d="scan'208"; a="86:adNrHT37924848"
X−IronPort−RCPT−TO: alan@mail.example.com
From: Adam@Outside.COM
To: Alan Alpha <Alan@mail.example.COM>
Subject: Exercise 7a Anti−Virus Scanning
Reply−To: Adam Alpha <adam@outside.com>
Date: Sun, 17 Oct 2004 12:02:39 −0700