I have a Courier MTA that seems to be sending spam. I want to scrape courier's mail.log to identify, for each mail that was sent to another MTA:
- The from address
- Where Courier got the email from
Here are Courier's mail.log entries for a (non-spam) email that originated internally on a box running sendmail. Sendmail relayed the email to Courier MTA, which then sent it to one of gmail's MTAs.
```
Mar 4 08:49:01 triplite courierfilter: zdkimfilter[24066]:id=00000000003E06E2.0000000054F7296D.00005E01: signing for production with domain some.where, selector somewhere-dkim
Mar 4 08:49:01 triplite courierfilter: zdkimfilter[24066]:id=00000000003E06E2.0000000054F7296D.00005E01: response: 250 Ok.
Mar 4 08:49:01 triplite courierd: newmsg,id=00000000003E06E2.0000000054F7296D.00005E01, auth=production: dns; alum.internal.some.where ([::ffff:10.1.0.52])
Mar 4 08:49:01 triplite courierd: started,id=00000000003E06E2.0000000054F7296D.00005E01,from=<[email protected]>,module=esmtp,host=gmail.com,addr=<[email protected]>
Mar 4 08:49:01 triplite courierd: Waiting. shutdown time=none, wakeup time=Wed Mar 4 08:49:03 2015, queuedelivering=72, inprogress=1
Mar 4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<[email protected]>,addr=<[email protected]>: 250 2.0.0 OK 1425484143 c10si5455351pds.183 - gsmtp
Mar 4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<[email protected]>,addr=<[email protected]>,size=1251,success: delivered: gmail-smtp-in.l.google.com [74.125.28.27]
Mar 4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<[email protected]>,addr=<[email protected]>,size=1251,status: success
Mar 4 08:49:03 triplite courierd: completed,id=00000000003E06E2.0000000054F7296D.00005E01
```
It seems that the "newmsg" line will tell me where an email came from. But I'm not sure which log entries to key on to see that a message was sent to another MTA. Would the "success: delivered" be the right one? Are there any other ways that sent emails show up in the log?
Yes, "newmsg" tells the dns identification of the originating relay. It contains an "auth=" entry, in case submission was authenticated. "couriersmtp" (without final "d") is the SMTP client, which usually relays in turn. In theory, mail can also be relayed by UUCP, a rather unusual circumstance nowadays.
You may want to check out Courier-analog; it is a simple Perl script that produces (html) activity summaries by analyzing the logs.
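As an added example (not from the question or the answer), a small Python scraper that applies the answer's advice: it correlates the `newmsg`, `started` and `courieresmtp ... success: delivered` lines by queue id, so each outbound delivery is reported with its envelope sender and the relay Courier received it from, then counts deliveries per originating relay. The sample log is constructed from the format shown in the question, with placeholder addresses.

```python
import re
from collections import Counter

# Constructed sample in the mail.log format from the question; addresses are placeholders.
SAMPLE_LOG = """\
Mar 4 08:49:01 triplite courierd: newmsg,id=00000000003E06E2.0000000054F7296D.00005E01, auth=production: dns; alum.internal.some.where ([::ffff:10.1.0.52])
Mar 4 08:49:01 triplite courierd: started,id=00000000003E06E2.0000000054F7296D.00005E01,from=<alice@some.where>,module=esmtp,host=gmail.com,addr=<bob@gmail.com>
Mar 4 08:49:01 triplite courierd: Waiting. shutdown time=none, wakeup time=Wed Mar 4 08:49:03 2015, queuedelivering=72, inprogress=1
Mar 4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<alice@some.where>,addr=<bob@gmail.com>,size=1251,success: delivered: gmail-smtp-in.l.google.com [74.125.28.27]
Mar 4 08:49:03 triplite courierd: completed,id=00000000003E06E2.0000000054F7296D.00005E01
"""

# newmsg: where the message entered Courier, plus the auth= entry if submission was authenticated
NEWMSG = re.compile(r"courierd: newmsg,id=(?P<id>[^,:\s]+)[,:]?\s*(?:auth=(?P<auth>[^:]+):\s*)?(?P<origin>.+)$")
# started: envelope sender and the delivery module chosen (esmtp = relayed on to another MTA)
STARTED = re.compile(r"courierd: started,id=(?P<id>[^,]+),from=<(?P<from>[^>]*)>,module=(?P<module>[^,]+),host=(?P<host>[^,]+),addr=<(?P<addr>[^>]*)>")
# courieresmtp success line: the remote MTA that accepted the message
DELIVERED = re.compile(r"courieresmtp: id=(?P<id>[^,]+),from=<(?P<from>[^>]*)>,addr=<(?P<addr>[^>]*)>,size=(?P<size>\d+),success: delivered: (?P<mta>.+)$")

def parse_deliveries(log_text):
    """Return one dict per successful outbound ESMTP delivery, joined by queue id."""
    msgs = {}  # queue id -> origin/auth/module gathered from earlier lines
    out = []
    for line in log_text.splitlines():
        m = NEWMSG.search(line)
        if m:
            msgs.setdefault(m["id"], {}).update(origin=m["origin"].strip(), auth=m["auth"])
            continue
        m = STARTED.search(line)
        if m:
            msgs.setdefault(m["id"], {}).update(module=m["module"], host=m["host"])
            continue
        m = DELIVERED.search(line)
        if m:
            info = msgs.get(m["id"], {})
            out.append({"id": m["id"], "from": m["from"], "rcpt": m["addr"],
                        "size": int(m["size"]), "remote_mta": m["mta"],
                        "origin": info.get("origin"), "auth": info.get("auth"),
                        "module": info.get("module")})
    return out

def deliveries_by_origin(records):
    """Count outbound deliveries per originating relay; the top entries are where to look first."""
    return Counter(r["origin"] for r in records)

if __name__ == "__main__":
    recs = parse_deliveries(SAMPLE_LOG)
    for r in recs:
        print(r["id"], r["from"], "->", r["rcpt"], "via", r["remote_mta"], "| origin:", r["origin"])
    print(deliveries_by_origin(recs).most_common())
```

Run it against the real mail.log with `parse_deliveries(open("/var/log/mail.log").read())`; sorting the `deliveries_by_origin` result shows which internal relay or authenticated user is producing the bulk of outbound mail.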