
Re: Unknown User message in sendmail maillog.



In this version of his quick hack, he does actually call back to the array
if you will notice.  The code first searches for the User unknown line, then
captures the id of the call to sendmail, then greps the file (actually where
the call back to the array occurs) for other lines with the same id.  I
think the second version of his quick hack threw only relevant lines into a
hash, but I'm speaking from memory and not actually looking at it.

Tim Hart
----- Original Message -----
From: "Flood Randy Capt AFCA/TCAA" <Randy.Flood@scott.af.mil>
To: <silug-discuss@silug.org>
Sent: Wednesday, February 05, 2003 11:43 AM
Subject: Re: Unknown User message in sendmail maillog.


>
>
> Right.  But in this case, all you are doing is printing the stuff from the
> current line and then ignoring it from all eternity afterwards.  Since there
> is no need to access the stuff again, it is much more efficient to just do
> it one line at a time and throw away the rest.  Right?
>
>
>
> -----Original Message-----
> From: fiaid@quasi-sane.com [mailto:fiaid@quasi-sane.com]
> Sent: Wednesday, February 05, 2003 11:11 AM
> To: silug-discuss@silug.org
> Subject: Re: Unknown User message in sendmail maillog.
>
>
> Remember, there are no stupid questions, only stupid people.  I love
> Southpark.
>
> I think that the reasoning behind this is to give it a true variable name
> and space instead of using $_ as you would need to do with the "while
> (<>)".  Also, by array loading this, you are able to call back into the
> array instead of losing it once it is gone by, you can do a $foo[16]
> whereas you can't do a $_[16].  If you can though, tell me, I have a
> shitton of scripts that I can rewrite.
>
> Tighe
>
> > However, I do have a possibly stupid question.  Won't this approach read
> > the entire log file into memory before using it? In fact if you did it
> > against /var/log/maillog* wouldn't it read the contents of every maillog
> > file into memory all at once, and then proceed to start going through
> > them line by line?  Wouldn't it be more efficient to do something like
> >
> > while (<>)
> > {
> > ...
> > }
> >
> > instead of
> >
> > @foo=<>;
> >
> > for my $bar (@foo)
> > {
> >   ...
> > }
> >
> > There is a comment on page 18 of the Camel book that sort of subtly
> > mentions this in a not very clear sort of a way.
> >
> >
> > -----Original Message-----
> > From: Steven Pritchard [mailto:steve@silug.org]
> > Sent: Friday, January 31, 2003 9:36 AM
> > To: silug-discuss@silug.org
> > Cc: luci-discuss@luci.org
> > Subject: Re: Unknown User message in sendmail maillog.
> >
> >
> > On Thu, Jan 30, 2003 at 05:35:27PM -0600, Aaron Cronkright wrote:
> > > My problem is that I can't seem to find the log entry that gives me
> > > the ip addr and/or hostname of the computer doing this. Anyone have a
> > > finger to point me in the proper direction so I can block this bozo at
> > > the firewall?
> >
> > Try the following (admittedly inefficient) script against
> > /var/log/maillog*:
> >
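> > #!/usr/bin/perl
> >
> > # Slurp every input line into memory.
> > @foo=<>;
> >
> > for my $bar (@foo) {
> >     # $1 = queue id, $2 = rejected recipient address
> >     if ($bar =~ /sendmail\[\d+\]:\s+(\w+):\s+.*\<([^\>]+)\>.*User unknown$/) {
> >         my $id=$1;
> >         my $to=$2;
> >         # Rescan the whole array for lines carrying the same queue id.
> >         for my $baz (grep { /:\s+$id:/ } @foo) {
> >             # $1 = envelope sender, $2 = relay IP address
> >             if ($baz =~ /:\s+$id:\s+from=\<([^\>]+)\>.*relay=[^\[]*\[([\d\.]+)\]$/) {
> >                 print "from=<$1> to=<$to> relay=<$2>\n";
> >                 last;
> >             }
> >         }
> >     }
> > }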
> >
> > Hmm...  Looks like I'll need to make an optimization pass before I can
> > effectively use that myself.  It's taking a *really* long time to run
> > on the mail server here.  :-)
> >
> > Steve
> >
>
> --
> Tighe Schlottog         workape         fiaid
> "Nothing is too cruel if it is funny enough."
>
>
> -
> To unsubscribe, send email to majordomo@silug.org with
> "unsubscribe silug-discuss" in the body.
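
The single-pass approach raised in this thread (a "while" loop plus a hash keyed on the sendmail queue id), as an added example that is not code from any poster. The sub name correlate and the log lines under __DATA__ are constructed for illustration; the sketch accepts the "User unknown" and from= lines in either order and, like the regex in the quoted script, only matches IPv4 relay addresses.

```perl
#!/usr/bin/perl
# Added example (not from the thread): one pass over the log, keeping only
# the matched fields per queue id instead of every line.
use strict;
use warnings;

# Read a maillog handle; return one "from=<..> to=<..> relay=<..>" string
# per "User unknown" recipient whose queue id also has a from=/relay= line.
sub correlate {
    my ($fh) = @_;
    my (%sender, %pending, @out);    # both hashes are keyed by queue id
    while (my $line = <$fh>) {       # one line in memory at a time
        next unless $line =~ /sendmail\[\d+\]:\s+(\w+):\s+(.*)$/;
        my ($id, $rest) = ($1, $2);
        if ($rest =~ /^from=<([^>]*)>.*relay=[^\[]*\[([\d.]+)\]$/) {
            my ($from, $ip) = ($1, $2);
            $sender{$id} = [$from, $ip];
            # Flush recipients rejected before this from= line was seen.
            for my $to (@{ delete($pending{$id}) || [] }) {
                push @out, "from=<$from> to=<$to> relay=<$ip>";
            }
        }
        elsif ($rest =~ /<([^>]+)>.*User unknown$/) {
            my $to = $1;
            if (my $s = $sender{$id}) {
                my ($from, $ip) = @$s;
                push @out, "from=<$from> to=<$to> relay=<$ip>";
            }
            else {
                push @{ $pending{$id} }, $to;    # wait for the from= line
            }
        }
    }
    return @out;
}

# Use the files named on the command line, else the constructed sample below.
my $fh = @ARGV ? \*ARGV : \*DATA;
print "$_\n" for correlate($fh);

__DATA__
Feb  5 11:00:01 mx sendmail[1201]: h15H01aa001201: <nobody@example.org>... User unknown
Feb  5 11:00:02 mx sendmail[1201]: h15H01aa001201: from=<a@example.com>, size=0, nrcpts=0, proto=SMTP, relay=host.example.com [192.0.2.10]
Feb  5 11:00:05 mx sendmail[1207]: h15H05ab001207: from=<b@example.net>, size=812, nrcpts=1, proto=ESMTP, relay=[198.51.100.7]
Feb  5 11:00:06 mx sendmail[1207]: h15H05ab001207: <ghost@example.org>... User unknown
Feb  5 11:00:09 mx sendmail[1210]: h15H09ac001210: to=<real@example.org>, delay=00:00:01, mailer=local, stat=Sent
```

Each log line is examined once, so run time grows with the size of the log rather than with the number of "User unknown" hits times the size of the log.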