How to Analyze SMTP Logs and Extract Email Traffic (PHP Script)

Tags: backend, devops, php, tutorial
By Cahit Bodur


Working with mail servers? Then you already know one thing:

👉 SMTP logs are messy.

When a client asks:

"Can you send me only my email logs?"

You're stuck with a huge log file containing thousands of mixed records.

In this post, I'll show you a simple but powerful way to extract a specific email's traffic from SMTP logs using PHP.

🚨 The Problem

SMTP logs are not structured per email.

Instead, they look like this:

```text
SMTP-IN  63EBA13D...  20.57.*.79  EHLO
SMTP-IN  63EBA13D...  20.57.*.79  MAIL FROM
SMTP-IN  63EBA13D...  20.57.*.79  RCPT TO:user@example.com
SMTP-IN  63EBA13D...  20.57.*.79  DATA
```

👉 Different emails are mixed together
👉 The same IP continues the flow
👉 Logs are split across multiple lines

So filtering by email alone is not enough.

💡 The Solution

Here's the trick:

1. Find the line containing the target email
2. Extract the IP address from that line
3. Collect nearby lines with the same IP

This reconstructs the full SMTP flow.

โš™๏ธ PHP Script

```php
<?php

$logFile    = __DIR__ . "/log/SMTP-Activity.log";
$outputFile = __DIR__ . "/log/output.log";

$targetMail = "user@example.com";   // address whose traffic we want to extract
$range      = 100;                  // lines to scan before and after each hit
$excludeIp  = "185.86.*.14";        // the post shows a masked value; the comparison
                                    // below is a literal match, so put the full address here

$lines = file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
if ($lines === false) {
    exit("Cannot read $logFile\n");
}
$total = count($lines);

$out = fopen($outputFile, "w");
if ($out === false) {
    exit("Cannot write $outputFile\n");
}

for ($i = 0; $i < $total; $i++) {

    if (stripos($lines[$i], $targetMail) !== false) {

        // Fields are tab-separated; the client IP is the fifth column (index 4)
        $parts = preg_split('/\t+/', $lines[$i]);
        $ip = trim($parts[4] ?? '');

        if (!$ip || $ip === $excludeIp) continue;

        // Window of $range lines on each side of the hit, clamped to the file
        $start = max(0, $i - $range);
        $end   = min($total - 1, $i + $range);

        // The hit line heads the block; it is written again in sequence below
        fwrite($out, $lines[$i] . "\n");

        // Collect every line in the window that came from the same client IP
        for ($j = $start; $j <= $end; $j++) {

            $p = preg_split('/\t+/', $lines[$j]);
            $currentIp = trim($p[4] ?? '');

            if ($currentIp === $excludeIp) continue;

            if ($currentIp === $ip) {
                fwrite($out, $lines[$j] . "\n");
            }
        }

        fwrite($out, "\n\n");   // blank lines separate one reconstructed flow from the next
    }
}

fclose($out);

echo "Done!";
?>
```
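As an added example (my code, not the post's script or the linked repository), the same reconstruction keyed on the session id column instead of a line window around the IP, with a whole-address match and a wildcard exclusion. The column layout, the sample lines and the use of `fnmatch()` are assumptions.

```php
<?php
// Added example (not the post's script). Assumed tab-separated columns: type,
// session id, date, time, client IP, event; the session id is a stricter key
// than the IP, since one client or NAT gateway can interleave several sessions.

function parseSmtpLine(string $line): ?array
{
    $f = preg_split('/\t+/', $line);
    if (count($f) < 6) return null;                    // malformed or non-SMTP line
    return ['session' => $f[1], 'ip' => trim($f[4]), 'event' => $f[5]];
}
// Whole-address match: a bare stripos() would also hit "auser@example.com".
function mentionsAddress(string $event, string $mail): bool
{
    $re = '/(?<![\w.+-])' . preg_quote($mail, '/') . '(?![\w.-])/i';
    return preg_match($re, $event) === 1;
}
function extractSessions(array $lines, string $targetMail, string $excludeIp = ''): array
{
    $wanted = [];                                      // session id => true
    foreach ($lines as $line) {
        $r = parseSmtpLine($line);
        if ($r === null || !mentionsAddress($r['event'], $targetMail)) continue;
        // fnmatch() makes a masked pattern such as "185.86.*.14" act as a
        // wildcard; a plain === against that string never matches a real IP.
        if ($excludeIp !== '' && fnmatch($excludeIp, $r['ip'])) continue;
        $wanted[$r['session']] = true;
    }
    $out = [];
    foreach ($lines as $line) {
        $r = parseSmtpLine($line);
        if ($r !== null && isset($wanted[$r['session']])) {
            $out[$r['session']][] = $line;             // original order is kept
        }
    }
    return $out;                                       // session id => its lines
}

// Constructed sample: two sessions from the same client IP, interleaved.
$sample = [
    "SMTP-IN\t63EBA13D\t2024-01-01\t10:00:00\t20.57.0.79\tEHLO mx.example.net",
    "SMTP-IN\t63EBA13D\t2024-01-01\t10:00:01\t20.57.0.79\tMAIL FROM:<sender@example.net>",
    "SMTP-IN\t7A10C2F0\t2024-01-01\t10:00:02\t20.57.0.79\tRCPT TO:<other@example.com>",
    "SMTP-IN\t63EBA13D\t2024-01-01\t10:00:02\t20.57.0.79\tRCPT TO:<user@example.com>",
    "SMTP-IN\t63EBA13D\t2024-01-01\t10:00:03\t20.57.0.79\tDATA",
];
foreach (extractSessions($sample, 'user@example.com', '185.86.*.14') as $id => $flow) {
    echo "Session $id:\n" . implode("\n", $flow) . "\n\n";   // prints only 63EBA13D
}
```

Lines of session 7A10C2F0 are dropped even though they share the client IP and sit inside the window, which is exactly the noise an IP-only match would carry into a client-facing report.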

📌 What You Get

- Full SMTP flow for a specific email
- Clean, client-ready log output
- Faster debugging & analysis

🎯 Use Cases

- Extract logs for a specific client
- Debug email delivery issues
- Detect brute-force login attempts
- Analyze spam behavior

🔗 Full Tutorial (Detailed Explanation)

If you want a step-by-step explanation with real examples:

👉 https://sizinsayfaniz.com/blog2/Kurumsal-Mail-Sunuculari-Icin-Php-Log-Analizi.html

💻 GitHub Repository

👉 https://github.com/cahit2834/smtp-log-analiz-php

⚡ Final Thoughts

SMTP logs look chaotic, but with the right approach, you can extract meaningful insights easily.

If you're managing a mail server, this method will save you hours.

โญ If this helped you, consider starring the repo!