Commentary on Point 1.
The 30-char limit on the email address in the Syslog (I and O records) will truncate this: Symantec_Mail_Security_for_SMTP@workorder.se
Changing to variable-length records will also allow the addition of new fields more easily.
Commentary on Point 2 relating to mail stats.
In trying to determine bandwidth usage per user, I have been examining the "I" and "O" records from the Syslog.
2.1 Mail between Local users only generates an "I" record.
2.2 A Local / Non-Local identifier on each address would be most useful for reporting (as indicated in the Core display).
This is to be able to split reporting between Local and Non-Local traffic.
2.3 Inbound mail indicates the TO address as the "mailbox" name and not the "alias" (email address).
Outbound mail shows the FROM address as the email address and not the "mailbox" name.
Correlating the two is not possible by looking at the data only - a matching table is required.