What does a socket error mean in the GWAVA SMTP log?

  • 7019720
  • 30-Apr-2010
  • 07-Aug-2017

Environment

GWAVA 4/4.51 using an SMTP scanner

Situation

What is a socket error as seen in a GWAVA SMTP log?

Resolution


1) Socket
A socket, in basic terms, is the combination of an IP address and a port that is used for bidirectional communication. An internet connection is established when two computers are connected via a socket, that is, the combination of IP addresses and ports that the two machines use to communicate.
2) Socket errors
Any sort of socket error simply means that something went wrong during the communication between the two computers. The most common example is that the other computer or server disconnected prematurely. When this happens, you will see one of the following errors in the SMTP log.

<ln><p>2q9u2t0</p><l>1</l><d>2010-APR-23</d><t>00:00:03</t><i>Socket read error: TCP recv fail</i></ln>
<ln><p>2oht6t0</p><l>1</l><d>2010-APR-23</d><t>00:00:07</t><i>Socket read error: TCP session closed</i></ln>

This could mean that we took too long to respond and the connection timed out, or that the other side simply did not want to continue communicating. A very common example of the other side not wanting to continue is right after it has received a message saying that we will not accept the connection any further.

<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:03</t><i>+++Scan thread Count is: 10 for 122.174.89.231</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>> process_xml <gwava><scan><prepare><nofile></nofile></prepare></scan></gwava></i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>< 200 Scanner ready</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>Sending SMTP IP address to GWAVA scanner</i></ln>
<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:03</t><i>Sending IP address 122.174.89.231 to check reputation</i></ln>
<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:03</t><i>Running IP Reputation check</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>< 200 eventtest complete</i></ln>
<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:03</t><i>Querying GWAVA for blocking results</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>< 300 Query results ready to send</i></ln>
<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:03</t><i>IP reputation Reference id: 0001.0A020301.4BD11B43.01B3</i></ln>
<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:03</t><i>IP reputation result for 122.174.89.231: reject</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>=> 550 Message was blocked by server (IP reputation hit: 122.174.89.231)</i></ln>
<ln><p>2lnvmt0</p><l>1</l><d>2010-APR-23</d><t>00:00:04</t><i>Socket is closed</i></ln>
<ln><p>2lnvmt0</p><l>1</l><d>2010-APR-23</d><t>00:00:04</t><i>Socket read error: TCP recv fail</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:04</t><i>> PROCESS_XML <gwava><scan><runservice><service><identity>connection_drop</identity></service></runservice></scan></gwava></i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:04</t><i>> 200 Postprocessing complete</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:04</t><i>> process_xml <gwava><scan><finish /></scan></gwava></i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:04</t><i>< 200 Scanner process completed</i></ln>
<ln><p>2lnvmt0</p><l>2</l><d>2010-APR-23</d><t>00:00:04</t><i>Client disconnected from 122.174.89.231</i></ln>
<ln><p>2lnvmt0</p><l>3</l><d>2010-APR-23</d><t>00:00:04</t><i>---Exiting thread 10</i></ln>

In the previous log example, the sending server had just been told that we would not accept the message it was about to send, because it is on the IP reputation blacklist. Once a sending server realizes that it cannot send its message, it will either end the communication properly with the SMTP QUIT command or simply close the socket. Spammers commonly do not follow the SMTP specifications and just drop the connection, as seen in the previous log example.
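
The check described above can be scripted. The following Python is an added example, not GWAVA code or part of the original article: it parses lines in the format shown in the excerpts and reports, for each socket read error, whether a 5xx reply was logged earlier in the same session. It assumes that `<p>` identifies one connection and that `=>` marks a reply sent to the client, which the excerpts suggest but the article does not state.

```python
import re
from collections import defaultdict

# <i> is matched greedily: the message may itself contain unescaped "<...>"
# text (process_xml lines), so a strict XML parser would reject these lines.
LINE_RE = re.compile(
    r"<ln><p>(?P<sid>[^<]*)</p><l>(?P<level>\d+)</l>"
    r"<d>(?P<date>[^<]*)</d><t>(?P<time>[^<]*)</t><i>(?P<msg>.*)</i></ln>")
REJECT_RE = re.compile(r"=> (5\d\d) ")  # assumption: "=>" is a reply sent to the client
SOCKET_ERR = "Socket read error:"

def parse(log_text):
    """Yield one dict per well-formed log line; anything else is skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.fullmatch(raw.strip())
        if m:
            yield m.groupdict()

def triage_socket_errors(log_text):
    """Map session id -> (error text, 5xx code sent earlier in that session or None)."""
    sessions = defaultdict(list)  # assumption: <p> identifies one connection
    for rec in parse(log_text):
        sessions[rec["sid"]].append(rec["msg"])
    result = {}
    for sid, msgs in sessions.items():
        reject = None
        for msg in msgs:
            m = REJECT_RE.match(msg)
            if m:
                reject = m.group(1)
            elif msg.startswith(SOCKET_ERR):
                result[sid] = (msg[len(SOCKET_ERR):].strip(), reject)
                break
    return result

# Sample lines copied from the log excerpts in this article.
SAMPLE = """\
<ln><p>2q9u2t0</p><l>1</l><d>2010-APR-23</d><t>00:00:03</t><i>Socket read error: TCP recv fail</i></ln>
<ln><p>2oht6t0</p><l>1</l><d>2010-APR-23</d><t>00:00:07</t><i>Socket read error: TCP session closed</i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>> process_xml <gwava><scan><prepare><nofile></nofile></prepare></scan></gwava></i></ln>
<ln><p>2lnvmt0</p><l>4</l><d>2010-APR-23</d><t>00:00:03</t><i>=> 550 Message was blocked by server (IP reputation hit: 122.174.89.231)</i></ln>
<ln><p>2lnvmt0</p><l>1</l><d>2010-APR-23</d><t>00:00:04</t><i>Socket is closed</i></ln>
<ln><p>2lnvmt0</p><l>1</l><d>2010-APR-23</d><t>00:00:04</t><i>Socket read error: TCP recv fail</i></ln>
"""

if __name__ == "__main__":
    for sid, (err, code) in triage_socket_errors(SAMPLE).items():
        note = f"follows our {code} reply" if code else "no rejection logged first"
        print(f"{sid}: {err} ({note})")
```

Socket errors that follow a 5xx reply match the dropped-connection case the article describes; the ones with no preceding rejection are the ones to check against timeouts.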

Additional Information

This article was originally published in the GWAVA knowledgebase as article ID 1696.