There are some warnings in the SMTP analyzer (ultimately from using the MIME analyzer) that go to reporter but they are wildly unhelpful in reporter.log. Here's an example line from reporter.log:
Doing protocol violations on the SMTP analyzer wouldn't quite be the right thing either because the DPD framework might remove the SMTP analyzer from the connection. Part of the problem may stem from the fact that the MIME analyzer isn't a true analyzer (doesn't descend from Analyzer). There is some obvious analyzer restructuring that needs to happen here but that can wait for the larger analyzer work that is coming up.
Does anyone have thoughts about what we could do with this message now to make it more useful?