Re: how can I tweak the logging?

2013-06-15 Thread Benny Pedersen

Rob Tanner wrote on 2013-06-14 00:18:

As requested. I suppose I could grab the queue ID and back track to
the sender but when the logs get long (which they do, half a million
or more lines) these scans can take a while and I'm trying to capture
this info in real time (more or less):


Big logs can still be grepped; it works well for postfix-logwatch and 
pflogsumm.


If you tweak the logs it's pointless to grep info from them later; if logs 
are big, rotate more, e.g. rotate hourly?


--
senders that put my email into body content will deliver it to my own 
trashcan, so if you like to get a reply, don't do it


how can I tweak the logging?

2013-06-13 Thread Rob Tanner
Hi,

I'm trying to come up with mechanisms to catch compromised accounts sending 
SPAM.  Since spammers don't necessarily have all good addresses, a large number 
of their SPAM messages bounce with 550 errors (mailbox unavailable or doesn't 
even exist).  I would like to monitor mail logs and catch that pattern.  The 
problem is that the log entry that includes the 550 error only shows where the 
message was intended to go and not where it came from.  That's found on another 
log entry line.  Is there any way to tweak the logging mechanism so both bits of 
data appear on the same log line?

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!



Re: how can I tweak the logging?

2013-06-13 Thread Newton Pasqualini Filho
Can you cut part of your log file and send it to the list?

I am able to detect in a single line when I find NOQUEUE in log.

Regards,
Newton Pasqualini Filho
newtonpasqual...@gmail.com



On 13/06/2013, at 18:34, Rob Tanner rtan...@linfield.edu wrote:

 Hi,
 
 I'm trying to come up with mechanisms to catch compromised accounts sending 
 SPAM.  Since spammers don't necessarily have all good addresses, a large 
 number of their SPAM messages bounce with 550 errors (mailbox unavailable or 
 doesn't even exist).  I would like to monitor mail logs and catch that 
 pattern.  The problem is that the log entry that includes the 550 error only 
 shows where the message was intended to go and not where it came from.  
 That's found on another log entry line.  Is there any way to tweak the logging 
 mechanism so both bits of data appear on the same log line?
 
 Thanks.
 
 
 Rob Tanner
 UNIX Services Manager
 Linfield College, McMinnville Oregon
 
 ITS will never ask you for your password.  Please don’t share yours with 
 anyone!
 



Re: how can I tweak the logging?

2013-06-13 Thread Rob Tanner
As requested.  I suppose I could grab the queue ID and back track to the sender 
but when the logs get long (which they do, half a million or more lines) these 
scans can take a while and I'm trying to capture this info in real time (more 
or less):

Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: from=<rtan...@linfield.edu>, size=3993, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 767641453B: skipped, still being delivered
Jun 13 15:10:47 neskowin postfix/smtpd[23646]: disconnect from mail.wfo.linfield.edu[10.170.131.75]
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: connect from localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: 7F7AF77C96: client=localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/cleanup[23328]: 7F7AF77C96: message-id=<71da23e7-a7fb-4409-962a-a4b31dbbc...@linfield.edu>
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=<rtan...@linfield.edu>, size=4190, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/smtp[23326]: 6D97E7778E: to=<sillyputty...@gmail.com>, relay=localhost.linfield.edu[127.0.0.1], delay=0, status=sent (250 OK, sent 51BA4367_13111_1998_1 250 Ok: queued as 7F7AF77C96)
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: disconnect from localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: removed
Jun 13 15:10:47 neskowin postfix/smtp[23198]: 7F7AF77C96: to=<sillyputty...@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 ol10si12569562pbb.214 - gsmtp (in reply to RCPT TO command))

Thanks,
Rob


On Jun 13, 2013, at 2:44 PM, Newton Pasqualini Filho 
newtonpasqual...@gmail.com wrote:

Can you cut part of your log file and send it to the list?

I am able to detect in a single line when I find NOQUEUE in log.

Regards,
Newton Pasqualini Filho
newtonpasqual...@gmail.com



On 13/06/2013, at 18:34, Rob Tanner rtan...@linfield.edu wrote:

Hi,

I'm trying to come up with mechanisms to catch compromised accounts sending 
SPAM.  Since spammers don't necessarily have all good addresses, a large number 
of their SPAM messages bounce with 550 errors (mailbox unavailable or doesn't 
even exist).  I would like to monitor mail logs and catch that pattern.  The 
problem is that the log entry that includes the 550 error only shows where the 
message was intended to go and not where it came from.  That's found on another 
log entry line.  Is there any way to tweak the logging mechanism so both bits of 
data appear on the same log line?

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!





Re: how can I tweak the logging?

2013-06-13 Thread Newton Pasqualini Filho
Check if you can do an early logrotate; this will help you with this problem 
when running scripts.

You can rotate the log file every hour and then run this script on the old 
log.

Newton Pasqualini Filho
newtonpasqual...@gmail.com



On 13/06/2013, at 19:28, Newton Pasqualini Filho newtonpasqual...@gmail.com 
wrote:

 Wow,
 
 So these error messages are not yours; they come from the external side.
 
 There is no way to catch this arg in the same line as from.
 
 You can do a script that handles the log and stores it in memory to run in 
 real time, or you can create a cronjob.
 
 I can help you with the cronjob script to handle who are sending spam to 
 Gmail for example.
 
 Set up a bash script with these two lines below:
 #!/bin/bash
 # for each queue ID on a Gmail "answer=6596" (550 user unknown) bounce line, find
 # that ID's from=<...> line and print the bare sender address between the brackets
 for mid in `grep answer=6596 /var/log/maillog | awk '{print $6}'`; do 
 grep "$mid" /var/log/maillog | grep 'from=<' | awk '{print $7}' | awk -F'<' '{print $2}' | awk -F'>' '{print $1}'; done
 
 Regards
 Newton Pasqualini Filho
 newtonpasqual...@gmail.com
 
 
 
 On 13/06/2013, at 19:18, Rob Tanner rtan...@linfield.edu wrote:
 
 As requested.  I suppose I could grab the queue ID and back track to the 
 sender but when the logs get long (which they do, half a million or more 
 lines) these scans can take a while and I'm trying to capture this info in 
 real time (more or less):
 
 Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: from=<rtan...@linfield.edu>, size=3993, nrcpt=1 (queue active)
 Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 767641453B: skipped, still being delivered
 Jun 13 15:10:47 neskowin postfix/smtpd[23646]: disconnect from mail.wfo.linfield.edu[10.170.131.75]
 Jun 13 15:10:47 neskowin postfix/smtpd[22320]: connect from localhost.localdomain[127.0.0.1]
 Jun 13 15:10:47 neskowin postfix/smtpd[22320]: 7F7AF77C96: client=localhost.localdomain[127.0.0.1]
 Jun 13 15:10:47 neskowin postfix/cleanup[23328]: 7F7AF77C96: message-id=<71da23e7-a7fb-4409-962a-a4b31dbbc...@linfield.edu>
 Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=<rtan...@linfield.edu>, size=4190, nrcpt=1 (queue active)
 Jun 13 15:10:47 neskowin postfix/smtp[23326]: 6D97E7778E: to=<sillyputty...@gmail.com>, relay=localhost.linfield.edu[127.0.0.1], delay=0, status=sent (250 OK, sent 51BA4367_13111_1998_1 250 Ok: queued as 7F7AF77C96)
 Jun 13 15:10:47 neskowin postfix/smtpd[22320]: disconnect from localhost.localdomain[127.0.0.1]
 Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: removed
 Jun 13 15:10:47 neskowin postfix/smtp[23198]: 7F7AF77C96: to=<sillyputty...@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 ol10si12569562pbb.214 - gsmtp (in reply to RCPT TO command))
 
 Thanks,
 Rob
 
 
 On Jun 13, 2013, at 2:44 PM, Newton Pasqualini Filho 
 newtonpasqual...@gmail.com
  wrote:
 
 Can you cut part of your log file and send it to the list?
 
 I am able to detect in a single line when I find NOQUEUE in log.
 
 Regards,
 Newton Pasqualini Filho
 newtonpasqual...@gmail.com
 
 
 
 On 13/06/2013, at 18:34, Rob Tanner rtan...@linfield.edu wrote:
 
 Hi,
 
 I'm trying to come up with mechanisms to catch compromised accounts 
 sending SPAM.  Since spammers don't necessarily have all good addresses, a 
 large number of their SPAM messages bounce with 550 errors (mailbox 
 unavailable or doesn't even exist).  I would like to monitor mail logs and 
 catch that pattern.  The problem is that the log entry that includes the 
 550 error only shows where the message was intended to go and not where it 
 came from.  That's found on another log entry line.  Is there any way to 
 tweak the logging mechanism so both bits of data appear on the same log 
 line?
 
 Thanks.
 
 
 Rob Tanner
 UNIX Services Manager
 Linfield College, McMinnville Oregon
 
 ITS will never ask you for your password.  Please don’t share yours with 
 anyone!
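A one-pass correlator for the problem Rob raises above and a streaming alternative to the re-grep-per-queue-ID loop in Newton's script; this is an added example, not code from the thread. It keys a small dict on the Postfix queue ID so a later 5xx to= line can be joined to its earlier from= line without rescanning the maillog; the sample log is constructed in the thread's format with placeholder addresses, and the SMTP code is taken from the bounce text because these logs carry no dsn= field.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's log format (addresses/IDs are placeholders): the relay via the
# localhost content filter re-queues the message, and only the second queue ID sees the 550.
SAMPLE_LOG = """\
Jun 13 15:10:47 mx postfix/qmgr[13765]: 6D97E7778E: from=<user1@example.edu>, size=3993, nrcpt=1 (queue active)
Jun 13 15:10:47 mx postfix/qmgr[13765]: 7F7AF77C96: from=<user1@example.edu>, size=4190, nrcpt=1 (queue active)
Jun 13 15:10:47 mx postfix/smtp[23326]: 6D97E7778E: to=<nobody@gmail.example>, relay=localhost.example.edu[127.0.0.1], delay=0, status=sent (250 Ok: queued as 7F7AF77C96)
Jun 13 15:10:47 mx postfix/qmgr[13765]: 6D97E7778E: removed
Jun 13 15:10:47 mx postfix/smtp[23198]: 7F7AF77C96: to=<nobody@gmail.example>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
Jun 13 15:10:48 mx postfix/qmgr[13765]: 7F7AF77C96: removed
Jun 13 15:10:49 mx postfix/qmgr[13765]: A1B2C3D4E5: from=<user2@example.edu>, size=1200, nrcpt=1 (queue active)
Jun 13 15:10:49 mx postfix/smtp[23198]: A1B2C3D4E5: to=<gone@example.net>, relay=mx.example.net[192.0.2.10], delay=1, status=bounced (host mx.example.net[192.0.2.10] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
"""

QID_RE = re.compile(r'\]: ([0-9A-Za-z]{6,}): (.*)$')       # "<process>[pid]: <queue id>: <rest>"
FROM_RE = re.compile(r'^from=<([^>]*)>')                   # qmgr line carrying the envelope sender
BOUNCE_RE = re.compile(r'^to=<([^>]*)>.*status=bounced .*?\b(5\d\d)\b')  # smtp line carrying the 5xx


def correlate_bounces(lines):
    """Yield (sender, recipient, code) per 5xx bounce in one streaming pass.

    Sender and bounce share only the queue ID: remember from= per ID, forget it on 'removed'.
    """
    sender_of = {}
    for line in lines:
        m = QID_RE.search(line)
        if not m:
            continue                      # connect/disconnect lines carry no queue ID
        qid, rest = m.group(1), m.group(2)
        fm = FROM_RE.match(rest)
        if fm:
            sender_of[qid] = fm.group(1) or '<>'   # empty from= is the null sender
            continue
        bm = BOUNCE_RE.match(rest)
        if bm:                            # 'unknown' only if the from= line was rotated away
            yield sender_of.get(qid, 'unknown'), bm.group(1), bm.group(2)
        if rest == 'removed':
            sender_of.pop(qid, None)      # keeps memory bounded on a long-running tail


def bounce_counts(lines):
    """5xx bounces per envelope sender; a compromised account stands out by volume."""
    counts = defaultdict(int)
    for sender, _rcpt, _code in correlate_bounces(lines):
        counts[sender] += 1
    return dict(counts)
```

Feed it `tail -F /var/log/maillog` line by line for the near-real-time view, or a rotated file for the hourly cron variant; alert when a sender's count crosses whatever threshold fits your traffic.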