Wow, so these error messages are not yours; they come from the external side.

There is no way to catch this arg in the same line as from. You can do a script that can handle the log and store it in memory to run in real time, or you can create a cronjob. I can help you with the cronjob script to handle who is sending spam to Gmail, for example. Set up a bash script like the one below:

#!/bin/bash
# For each delivery that bounced with Gmail's answer=6596 (550 5.1.1, user unknown),
# take the queue ID (field 6, trailing colon included so it matches exactly) and
# print the envelope sender from that queue ID's "from=<...>" line.
for mid in $(grep -F 'answer=6596' /var/log/maillog | awk '{print $6}' | sort -u); do
    grep -F "$mid" /var/log/maillog | grep -F 'from=<' | sed -n 's/.*from=<\([^>]*\)>.*/\1/p'
done

Regards
Newton Pasqualini Filho
newtonpasqual...@gmail.com

On 13/06/2013, at 19:18, Rob Tanner <rtan...@linfield.edu> wrote:

> As requested. I suppose I could grab the queue ID and back track to the sender, but when the logs get long (which they do, half a million or more lines) these scans can take a while, and I'm trying to capture this info in real time (more or less):
>
> Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: from=<rtan...@linfield.edu>, size=3993, nrcpt=1 (queue active)
> Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 767641453B: skipped, still being delivered
> Jun 13 15:10:47 neskowin postfix/smtpd[23646]: disconnect from mail.wfo.linfield.edu[10.170.131.75]
> Jun 13 15:10:47 neskowin postfix/smtpd[22320]: connect from localhost.localdomain[127.0.0.1]
> Jun 13 15:10:47 neskowin postfix/smtpd[22320]: 7F7AF77C96: client=localhost.localdomain[127.0.0.1]
> Jun 13 15:10:47 neskowin postfix/cleanup[23328]: 7F7AF77C96: message-id=<71da23e7-a7fb-4409-962a-a4b31dbbc...@linfield.edu>
> Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=<rtan...@linfield.edu>, size=4190, nrcpt=1 (queue active)
> Jun 13 15:10:47 neskowin postfix/smtp[23326]: 6D97E7778E: to=<sillyputty...@gmail.com>, relay=localhost.linfield.edu[127.0.0.1], delay=0, status=sent (250 OK, sent 51BA4367_13111_1998_1 250 Ok: queued as 7F7AF77C96)
> Jun 13 15:10:47 neskowin postfix/smtpd[22320]: disconnect from localhost.localdomain[127.0.0.1]
> Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 6D97E7778E: removed
> Jun 13 15:10:47 neskowin postfix/smtp[23198]: 7F7AF77C96: to=<sillyputty...@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. Please try 550-5.1.1 double-checking the recipient's email address for typos or 550-5.1.1 unnecessary spaces. Learn more at 550 5.1.1 http://support.google.com/mail/bin/answer.py?answer=6596 ol10si12569562pbb.214 - gsmtp (in reply to RCPT TO command))
>
> Thanks,
> Rob
>
>
> On Jun 13, 2013, at 2:44 PM, Newton Pasqualini Filho <newtonpasqual...@gmail.com> wrote:
>
>> Can you cut part of your log file and send it to the list?
>>
>> I am able to detect in a single line when I find "NOQUEUE" in the log.
>>
>> Regards,
>> Newton Pasqualini Filho
>> newtonpasqual...@gmail.com
>>
>>
>> On 13/06/2013, at 18:34, Rob Tanner <rtan...@linfield.edu> wrote:
>>
>>> Hi,
>>>
>>> I'm trying to come up with mechanisms to catch compromised accounts sending SPAM. Since spammers don't necessarily have all good addresses, a large number of their SPAM messages bounce with 550 errors (mailbox unavailable or doesn't even exist). I would like to monitor my logs and catch that pattern. The problem is that the log entry that includes the 550 error only shows where the message was intended to go and not where it came from. That's found on another log entry line. Is there any way to tweak the logging mechanism so both bits of data appear on the same log line?
>>>
>>> Thanks.
>>>
>>>
>>> Rob Tanner
>>> UNIX Services Manager
>>> Linfield College, McMinnville Oregon
>>>
>>> ITS will never ask you for your password. Please don't share yours with anyone!
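As an added example that is not part of the thread (and not Newton's script): the same queue-ID correlation Rob describes, done in one awk pass that keeps the queue-ID-to-sender map in memory, so a half-million-line maillog is read once rather than once per bounce. It counts 5xx bounces per envelope sender, reports senders at or above a threshold, ignores 4xx deferrals, and keeps the null sender (Postfix's own bounce notices) apart so it is not mistaken for a compromised account. The log lines are constructed, modelled on the ones Rob quoted, with placeholder domains.

```shell
#!/bin/bash
# Added example, not from the thread: one-pass correlation of Postfix 5xx bounces
# with the envelope sender. The queue ID (field 6 of a maillog line) links the
# qmgr "from=<...>" line to the smtp "status=bounced" line for the same message.
# Constructed sample log lines (domains are placeholders), modelled on the thread.
SAMPLE_LOG='Jun 13 15:10:47 neskowin postfix/qmgr[13765]: 7F7AF77C96: from=<rtanner@example.edu>, size=4190, nrcpt=1 (queue active)
Jun 13 15:10:47 neskowin postfix/smtp[23198]: 7F7AF77C96: to=<nobody@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=0, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
Jun 13 15:11:02 neskowin postfix/qmgr[13765]: A1B2C3D4E5: from=<victim@example.edu>, size=812, nrcpt=3 (queue active)
Jun 13 15:11:03 neskowin postfix/smtp[23198]: A1B2C3D4E5: to=<a@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=1, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
Jun 13 15:11:03 neskowin postfix/smtp[23198]: A1B2C3D4E5: to=<b@gmail.com>, relay=gmail-smtp-in.l.google.com[173.194.79.27], delay=1, status=bounced (host gmail-smtp-in.l.google.com[173.194.79.27] said: 550-5.1.1 The email account that you tried to reach does not exist. (in reply to RCPT TO command))
Jun 13 15:11:03 neskowin postfix/smtp[23198]: A1B2C3D4E5: to=<c@example.net>, relay=mx.example.net[192.0.2.10], delay=1, status=deferred (host mx.example.net[192.0.2.10] said: 451 4.7.1 Try again later (in reply to RCPT TO command))
Jun 13 15:11:04 neskowin postfix/qmgr[13765]: F00DF00D01: from=<>, size=2710, nrcpt=1 (queue active)
Jun 13 15:11:05 neskowin postfix/smtp[23198]: F00DF00D01: to=<gone@example.org>, relay=mx.example.org[192.0.2.20], delay=1, status=bounced (host mx.example.org[192.0.2.20] said: 550 5.1.1 User unknown (in reply to RCPT TO command))'

# bounced_senders [MIN]: read maillog lines on stdin, print "COUNT SENDER" for
# every envelope sender with at least MIN (default 2) 5xx bounces, most first.
bounced_senders() {
    local min="${1:-2}"
    awk -v min="$min" '
        # Field 6 is the queue ID with a trailing colon; strip the colon.
        { qid = $6; sub(/:$/, "", qid) }
        # qmgr line: remember the envelope sender for this queue ID.
        $7 ~ /^from=</ {
            s = $7; sub(/^from=</, "", s); sub(/>,?$/, "", s)
            if (s == "") s = "<>"      # null sender: our own bounce notices, not a user
            sender[qid] = s
        }
        # smtp line: count only permanent (5xx) rejections; 4xx deferrals are noise here.
        /status=bounced/ && /said: 5[0-9][0-9]/ { bounces[qid]++ }
        # Join at the end so line order within the log does not matter.
        END {
            for (q in bounces) if (q in sender) total[sender[q]] += bounces[q]
            for (s in total) if (total[s] + 0 >= min + 0) print total[s], s
        }' | sort -rn
}

# Stand-alone run over the constructed sample; a real deployment would read
# /var/log/maillog (or follow it with tail -F) and alert on the output.
printf '%s\n' "$SAMPLE_LOG" | bounced_senders "${1:-2}"
```

Postfix reuses queue IDs over time, so run this over a bounded window (today's log, or a rotating tail) rather than the whole history, or a recycled ID can pair a bounce with the wrong sender.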