
Re: Unknown User message in sendmail maillog.



On Thu, Jan 30, 2003 at 05:35:27PM -0600, Aaron Cronkright wrote:
> My problem is that I can't seem to find the log entry that gives me
> the ip addr and/or hostname of the computer doing this. Anyone have a
> finger to point me in the proper direction so I can block this bozo at
> the firewall?

Try the following (admittedly inefficient) script against
/var/log/maillog*:

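#!/usr/bin/perl

use strict;
use warnings;

# Read every log line (files on the command line, or stdin) into memory.
my @foo=<>;

for my $bar (@foo) {
    # Capture the queue ID and the recipient of each "User unknown" entry.
    if ($bar =~ /sendmail\[\d+\]:\s+(\w+):\s+.*\<([^\>]+)\>.*User unknown$/) {
        my $id=$1;
        my $to=$2;
        # Rescan the whole log for the from= line with the same queue ID.
        for my $baz (grep { /:\s+$id:/ } @foo) {
            if ($baz =~
                /:\s+$id:\s+from=\<([^\>]+)\>.*relay=[^\[]*\[([\d\.]+)\]$/) {
                print "from=<$1> to=<$to> relay=<$2>\n";
                last;
            }
        }
    }
}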

Hmm...  Looks like I'll need to make an optimization pass before I can
effectively use that myself.  It's taking a *really* long time to run
on the mail server here.  :-)

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-7360             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/
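
An added example, not part of Steve's message: the same queue-ID correlation done in one pass over the log, in Python, with a per-relay tally to help decide what to block at the firewall. The function names and the sample log lines are constructed for illustration, and unlike the Perl pattern this one also accepts the empty sender from=<>.

```python
import re
from collections import Counter

# Same matching idea as the Perl script above, keyed on the sendmail queue ID.
UNKNOWN_RE = re.compile(r"sendmail\[\d+\]:\s+(\w+):\s+.*<([^>]+)>.*User unknown$")
FROM_RE = re.compile(r"sendmail\[\d+\]:\s+(\w+):\s+from=<([^>]*)>.*relay=[^\[]*\[([\d.]+)\]$")

# Constructed sample lines (documentation addresses), not taken from a real log.
SAMPLE_LOG = """\
Jan 30 17:01:02 mail sendmail[1234]: h0UN12a01234: from=<a@example.net>, size=1024, nrcpts=1, relay=host.example.net [192.0.2.10]
Jan 30 17:01:03 mail sendmail[1235]: h0UN12a01234: to=<nobody@example.org>, delay=00:00:01, dsn=5.1.1, stat=User unknown
Jan 30 17:02:10 mail sendmail[1240]: h0UN22b01240: <ghost@example.org>... User unknown
Jan 30 17:02:11 mail sendmail[1240]: h0UN22b01240: from=<>, size=0, nrcpts=0, relay=[192.0.2.10]
Jan 30 17:03:00 mail sendmail[1250]: h0UN30c01250: from=<ok@example.com>, size=512, nrcpts=1, relay=mx.example.com [198.51.100.7]
Jan 30 17:03:01 mail sendmail[1251]: h0UN30c01250: to=<real@example.org>, delay=00:00:01, dsn=2.0.0, stat=Sent
""".splitlines()

def correlate(lines):
    """Return (sender, recipient, relay_ip) for every 'User unknown' entry."""
    senders = {}   # queue ID -> (envelope sender, relay IP), first from= line wins
    unknown = []   # (queue ID, recipient) in log order
    for line in lines:
        line = line.rstrip("\n")
        m = FROM_RE.search(line)
        if m:
            senders.setdefault(m.group(1), (m.group(2), m.group(3)))
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            unknown.append((m.group(1), m.group(2)))
    # Join after the pass: the from= line can be logged after the rejection.
    return [(senders[q][0], rcpt, senders[q][1]) for q, rcpt in unknown if q in senders]

def relay_counts(rows):
    """Count 'User unknown' hits per relay IP."""
    return Counter(ip for _, _, ip in rows)

if __name__ == "__main__":
    rows = correlate(SAMPLE_LOG)
    for sender, rcpt, ip in rows:
        print(f"from=<{sender}> to=<{rcpt}> relay=<{ip}>")
    print(relay_counts(rows).most_common())
```

To run it against real logs, pass an open file (or several chained together) to correlate() in place of SAMPLE_LOG.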
