
Re: Unknown User message in sendmail maillog.




Hey Steve.

I know that you know Perl a heck of a lot better than I do.  

However, I do have a possibly stupid question.  Won't this approach read the entire log file into memory before using it? In fact, if you did it against /var/log/maillog*, wouldn't it read the contents of every maillog file into memory all at once, and then proceed to start going through them line by line?  Wouldn't it be more efficient to do something like

while (<>)  
{
...
}

instead of 

@foo=<>;

for my $bar (@foo) 
{
  ...
}

There is a comment on page 18 of the Camel book that sort of subtly mentions this in a not very clear sort of a way.


-----Original Message-----
From: Steven Pritchard [mailto:steve@silug.org]
Sent: Friday, January 31, 2003 9:36 AM
To: silug-discuss@silug.org
Cc: luci-discuss@luci.org
Subject: Re: Unknown User message in sendmail maillog.


On Thu, Jan 30, 2003 at 05:35:27PM -0600, Aaron Cronkright wrote:
> My problem is that I can't seem to find the log entry that gives me
> the ip addr and/or hostname of the computer doing this. Anyone have a
> finger to point me in the proper direction so I can block this bozo at
> the firewall?

Try the following (admittedly inefficient) script against
/var/log/maillog*:

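#!/usr/bin/perl

# Read every line of every input file into memory.
@foo=<>;

for my $bar (@foo) {
    # "User unknown" line: capture the queue ID and the rejected recipient.
    if ($bar =~ /sendmail\[\d+\]:\s+(\w+):\s+.*\<([^\>]+)\>.*User unknown$/) {
        my $id=$1;
        my $to=$2;
        # Rescan the whole log for the from= line with the same queue ID.
        for my $baz (grep { /:\s+$id:/ } @foo) {
            if ($baz =~
                /:\s+$id:\s+from=\<([^\>]+)\>.*relay=[^\[]*\[([\d\.]+)\]$/) {
                # Sender address and connecting relay IP for that message.
                print "from=<$1> to=<$to> relay=<$2>\n";
                last;
            }
        }
    }
}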

Hmm...  Looks like I'll need to make an optimization pass before I can
effectively use that myself.  It's taking a *really* long time to run
on the mail server here.  :-)

Steve
-- 
steve@silug.org           | Southern Illinois Linux Users Group
(618)398-7360             | See web site for meeting details.
Steven Pritchard          | http://www.silug.org/

-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
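
A single-pass variant of the correlation discussed in this thread, added here as an example and not code from either poster: it reads one line at a time and indexes by queue ID, so memory grows with the number of queue IDs seen rather than with the size of the logs. The `correlate` sub and the log lines under `__DATA__` are constructed for illustration (documentation addresses and example domains).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example: correlate "User unknown" lines with the from=/relay= line
# that shares their queue ID, in one pass and in either order of appearance.
sub correlate {
    my ($fh) = @_;
    my (%origin, %pending, @report);
    while (my $line = <$fh>) {    # only the current line is held in memory
        chomp $line;
        if ($line =~ /sendmail\[\d+\]:\s+(\w+):\s+.*<([^>]+)>.*User unknown$/) {
            my ($id, $to) = ($1, $2);
            if (my $o = $origin{$id}) {
                push @report, "from=<$o->[0]> to=<$to> relay=<$o->[1]>";
            } else {
                push @{ $pending{$id} }, $to;    # from= line not seen yet
            }
        }
        # [^>]* (not +) so the null sender <> used by bounces also matches
        elsif ($line =~ /sendmail\[\d+\]:\s+(\w+):\s+from=<([^>]*)>.*relay=[^\[]*\[([\d.]+)\]$/) {
            my ($id, $from, $relay) = ($1, $2, $3);
            $origin{$id} = [$from, $relay];
            for my $to (@{ delete($pending{$id}) || [] }) {
                push @report, "from=<$from> to=<$to> relay=<$relay>";
            }
        }
    }
    return @report;
}

# Log files named on the command line, else the constructed sample below.
my $fh = @ARGV ? \*ARGV : \*DATA;
print "$_\n" for correlate($fh);

__DATA__
Jan 30 17:30:01 mail sendmail[1201]: h0UNU1x01201: <nobody1@example.com>... User unknown
Jan 30 17:30:02 mail sendmail[1201]: h0UNU1x01201: from=<probe@example.net>, size=0, class=0, nrcpts=0, proto=SMTP, daemon=MTA, relay=host.example.net [192.0.2.10]
Jan 30 17:31:00 mail sendmail[1310]: h0UNV0x01310: from=<alice@example.org>, size=812, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mx.example.org [198.51.100.7]
Jan 30 17:31:01 mail sendmail[1312]: h0UNV0x01310: to=<gone@example.com>, delay=00:00:01, mailer=local, pri=30812, dsn=5.1.1, stat=User unknown
```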
