As requested.  I suppose I could grab the queue ID and backtrack to the sender 
but when the logs get long (which they do, half a million or more lines) these 
scans can take a while and I'm trying to capture this info in real time (more 
or less):

Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: from=<rtan...@linfield.edu>, size=3993, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 767641453B: skipped, still being delivered
Jun 13 15:10:47 neskowin postfix/smtpd[23646]: disconnect from mail.wfo.linfield.edu[10.170.131.75]
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: connect from localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: 7F7AF77C96: client=localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/cleanup[23328]: 7F7AF77C96: message-id=<71da23e7-a7fb-4409-962a-a4b31dbbc...@linfield.edu>
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=<rtan...@linfield.edu>, size=4190, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/smtp[23326]: 6D97E7778E: to=<sillyputty...@gmail.com>, relay=localhost.linfield.edu[127.0.0.1], delay=0, status=sent (250 OK, sent 51BA4367_13111_1998_1 250 Ok: queued as 7F7AF77C96)
Jun 13 15:10:47 neskowin postfix/smtpd[22320]: disconnect from localhost.localdomain[127.0.0.1]
Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: removed
Jun 13 15:10:47 neskowin postfix/smtp[23198]: 7F7AF77C96: to=<sillyputty...@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 ol10si12569562pbb.214 - gsmtp (in reply to RCPT TO command))

Thanks,
Rob


On Jun 13, 2013, at 2:44 PM, Newton Pasqualini Filho <newtonpasqual...@gmail.com> wrote:

Can you cut part of your log file and send it to the list?

I am able to detect it in a single line when I find "NOQUEUE" in the log.

Regards,
Newton Pasqualini Filho
newtonpasqual...@gmail.com



On 13/06/2013, at 18:34, Rob Tanner <rtan...@linfield.edu> wrote:

Hi,

I'm trying to come up with mechanisms to catch compromised accounts sending 
SPAM.  Since spammers don't necessarily have all good addresses, a large number 
of their SPAM messages bounce with 550 errors (mailbox unavailable or doesn't 
even exist).  I would like to monitor mail logs and catch that pattern.  The 
problem is that the log entry that includes the 550 error only shows where the 
message was intended to go and not where it came from.  That's found on another 
log entry line.  Is there any way to tweak the logging mechanism so both bits of 
data appear on the same log line?

Thanks.


Rob Tanner
UNIX Services Manager
Linfield College, McMinnville Oregon

ITS will never ask you for your password.  Please don’t share yours with anyone!
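
Tying the two halves of this thread together, Rob's question (getting the sender and the 550 text onto one log line) and the sample log lines at the top: Postfix does not log both on one line, but it does give you the join key. The queue ID (6D97E7778E, 7F7AF77C96 in the sample) appears on the qmgr "from=" line and again on the smtp "to=... status=bounced" line, so a small stateful reader can keep a queue-ID-to-sender map and emit a joined record the moment the bounce line arrives, with no need to rescan half a million lines. The script below is an added example written for this thread; it is not code from Postfix or from anyone on the list. It also prefers the "sasl_username=" field that Postfix's smtpd logs on the "client=" line for authenticated submissions, because the envelope "from=" address is whatever the sending software claimed, while the SASL username is the account that actually logged in, which is what you want when hunting a compromised account. The log lines in SAMPLE_LOG are constructed for the example (example.edu/example.com addresses, made-up queue IDs); the class and function names, the 5.1.0/5.1.1 "unknown recipient" heuristic and the threshold are the example's own choices.

```python
import re
import time
from collections import defaultdict

# Example correlator for Postfix logs (hypothetical helper, not Postfix code).
# Join key is the queue ID that every per-message line carries.
QID = r'(?P<qid>[0-9A-F]{6,})'
SASL_RE = re.compile(r'postfix/smtpd\[\d+\]: ' + QID +
                     r': client=.*sasl_username=(?P<user>[^,\s]+)')
FROM_RE = re.compile(r'postfix/qmgr\[\d+\]: ' + QID + r': from=<(?P<sender>[^>]*)>')
TO_RE = re.compile(r'postfix/smtp\[\d+\]: ' + QID +
                   r': to=<(?P<rcpt>[^>]*)>.*status=(?P<status>\w+) \((?P<detail>.*)\)$')
REMOVED_RE = re.compile(r'postfix/qmgr\[\d+\]: ' + QID + r': removed$')
# "550 5.1.1" / "550-5.1.1" / "550 5.1.0": remote said the mailbox does not exist.
UNKNOWN_USER_RE = re.compile(r'\b5\d\d[ -]5\.1\.[01]\b')


class BounceCorrelator:
    def __init__(self, threshold=3):
        self.threshold = threshold
        self.sender = {}                       # queue id -> envelope from=
        self.account = {}                      # queue id -> sasl_username, if logged
        self.unknown_user = defaultdict(int)   # account -> count of 5.1.x bounces

    def feed(self, line):
        """Consume one log line. Returns a joined record for delivery-result lines
        (status=sent/bounced/deferred) and None for everything else."""
        m = SASL_RE.search(line)
        if m:
            self.account[m['qid']] = m['user']
            return None
        m = FROM_RE.search(line)
        if m:
            self.sender[m['qid']] = m['sender']
            return None
        m = REMOVED_RE.search(line)
        if m:   # "removed" is logged after the last to= line, so forget the id now
            self.sender.pop(m['qid'], None)
            self.account.pop(m['qid'], None)
            return None
        m = TO_RE.search(line)
        if not m:
            return None
        qid = m['qid']
        # Prefer the authenticated account; fall back to the (forgeable) envelope sender.
        who = self.account.get(qid) or self.sender.get(qid) or '?'
        rec = {'qid': qid, 'account': who, 'rcpt': m['rcpt'],
               'status': m['status'], 'detail': m['detail']}
        if m['status'] == 'bounced' and UNKNOWN_USER_RE.search(m['detail']):
            self.unknown_user[who] += 1
        return rec

    def suspicious(self):
        """Accounts whose unknown-recipient bounce count reached the threshold."""
        return {a: n for a, n in self.unknown_user.items() if n >= self.threshold}


def scan(lines, threshold=3):
    """Run the correlator over an iterable of log lines (a file, a tail, a list)."""
    corr = BounceCorrelator(threshold)
    records = [r for r in (corr.feed(l.rstrip('\n')) for l in lines) if r]
    return records, corr.suspicious()


def follow(path, threshold=3, poll=0.5):
    """tail -f style reader for a live mail log; yields joined records as they
    appear. Does not reopen the file after logrotate (hypothetical, minimal)."""
    corr = BounceCorrelator(threshold)
    with open(path, encoding='utf-8', errors='replace') as fh:
        fh.seek(0, 2)
        while True:
            line = fh.readline()
            if not line:
                time.sleep(poll)
                continue
            rec = corr.feed(line.rstrip('\n'))
            if rec:
                yield rec


# Constructed sample in the same shape as the lines quoted in this thread.
SAMPLE_LOG = """\
Jun 13 15:10:40 neskowin postfix/smtpd[22320]: A1B2C3D4E5: client=laptop.example.edu[198.51.100.7], sasl_method=PLAIN, sasl_username=alice@example.edu
Jun 13 15:10:40 neskowin postfix/qmgr[13765]: A1B2C3D4E5: from=<alice@example.edu>, size=3993, nrcpt=1 (queue active)
Jun 13 15:10:41 neskowin postfix/smtp[23198]: A1B2C3D4E5: to=<nobody1@example.com>, relay=mx.example.com[192.0.2.25], delay=1, status=bounced (host mx.example.com[192.0.2.25] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
Jun 13 15:10:41 neskowin postfix/qmgr[13765]: A1B2C3D4E5: removed
Jun 13 15:10:42 neskowin postfix/qmgr[13765]: B2C3D4E5F6: from=<alice@example.edu>, size=4001, nrcpt=2 (queue active)
Jun 13 15:10:43 neskowin postfix/smtp[23198]: B2C3D4E5F6: to=<real@example.org>, relay=mx.example.org[192.0.2.30], delay=1, status=sent (250 OK queued as 1234)
Jun 13 15:10:43 neskowin postfix/smtp[23198]: B2C3D4E5F6: to=<nobody2@example.com>, relay=mx.example.com[192.0.2.25], delay=1, status=bounced (host mx.example.com[192.0.2.25] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 13 15:10:43 neskowin postfix/qmgr[13765]: B2C3D4E5F6: removed
Jun 13 15:10:44 neskowin postfix/qmgr[13765]: C3D4E5F6A7: from=<bob@example.edu>, size=2000, nrcpt=1 (queue active)
Jun 13 15:10:45 neskowin postfix/smtp[23198]: C3D4E5F6A7: to=<nobody3@example.com>, relay=mx.example.com[192.0.2.25], delay=1, status=bounced (host mx.example.com[192.0.2.25] said: 550 5.1.1 User unknown (in reply to RCPT TO command))
Jun 13 15:10:45 neskowin postfix/qmgr[13765]: C3D4E5F6A7: removed
"""

if __name__ == '__main__':
    recs, flagged = scan(SAMPLE_LOG.splitlines(), threshold=2)
    for r in recs:
        print(f"{r['qid']} {r['account']} -> {r['rcpt']} {r['status']}")
    print('flagged:', flagged)
```

Two notes on the sample at the top of the thread. First, the message goes through localhost before leaving (6D97E7778E is "sent" to localhost and requeued as 7F7AF77C96, which is the ID that gets the 550), so the bounce lands on the second queue ID; that still works here because the second ID has its own qmgr "from=" line, but the "sasl_username=" field only exists on the first hop's smtpd line, so in a two-hop setup you would see the envelope sender rather than the authenticated account. Second, the threshold is a per-account count of unknown-recipient bounces since the reader started; in production you would add a time window, since a real user mistyping one address should not trip it.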


