
I have a Courier MTA that seems to be sending spam. I want to scrape courier's mail.log to identify, for each mail that was sent to another MTA:

  • The from address
  • Where Courier got the email from

Here are Courier's mail.log entries for a (non-spam) email that originated internally on a box running sendmail. Sendmail relayed the email to Courier MTA, which then sent it to one of gmail's MTAs.

Mar  4 08:49:01 triplite courierfilter: zdkimfilter[24066]:id=00000000003E06E2.0000000054F7296D.00005E01: signing for production with domain some.where, selector somewhere-dkim
Mar  4 08:49:01 triplite courierfilter: zdkimfilter[24066]:id=00000000003E06E2.0000000054F7296D.00005E01: response: 250 Ok.
Mar  4 08:49:01 triplite courierd: newmsg,id=00000000003E06E2.0000000054F7296D.00005E01, auth=production: dns; alum.internal.some.where ([::ffff:10.1.0.52])
Mar  4 08:49:01 triplite courierd: started,id=00000000003E06E2.0000000054F7296D.00005E01,from=<production@some.where>,module=esmtp,host=gmail.com,addr=<fred@bed.rock>
Mar  4 08:49:01 triplite courierd: Waiting.  shutdown time=none, wakeup time=Wed Mar  4 08:49:03 2015, queuedelivering=72, inprogress=1
Mar  4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<production@some.where>,addr=<fred@bed.rock>: 250 2.0.0 OK 1425484143 c10si5455351pds.183 - gsmtp
Mar  4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<production@some.where>,addr=<fred@bed.rock>,size=1251,success: delivered: gmail-smtp-in.l.google.com [74.125.28.27]
Mar  4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<production@some.where>,addr=<fred@bed.rock>,size=1251,status: success
Mar  4 08:49:03 triplite courierd: completed,id=00000000003E06E2.0000000054F7296D.00005E01

It seems that the "newmsg" line will tell me where an email came from. But I'm not sure which log entries to key on to see that a message was sent to another MTA. Would the "success: delivered" be the right one? Are there any other ways that sent emails show up in the log?

Wayne Conrad

1 Answer


Yes, "newmsg" tells the dns identification of the originating relay. It contains an "auth=" entry, in case submission was authenticated. "couriersmtp" (without final "d") is the SMTP client, which usually relays in turn. In theory, mail can also be relayed by UUCP, a rather unusual circumstance nowadays.

You may want to check out Courier-analog; it is a simple Perl script that produces (HTML) activity summaries by analyzing the logs.

Ale
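As an added example (not code from the question or the answer), here is a Python parser that does the pairing the question asks about: it keys the "newmsg" line (origin host and auth user) and the courieresmtp "success: delivered" line (sender, recipient, remote MTA) on the Courier message id, then counts deliveries per origin and sender so the source of an outbound flood stands out. The first message in the sample is the question's own log; the second is constructed to show an unauthenticated "newmsg" line.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: message 1 is copied from the question, message 2 is made up
# to show a "newmsg" line without an auth= field.
SAMPLE_LOG = """\
Mar  4 08:49:01 triplite courierd: newmsg,id=00000000003E06E2.0000000054F7296D.00005E01, auth=production: dns; alum.internal.some.where ([::ffff:10.1.0.52])
Mar  4 08:49:01 triplite courierd: started,id=00000000003E06E2.0000000054F7296D.00005E01,from=<production@some.where>,module=esmtp,host=gmail.com,addr=<fred@bed.rock>
Mar  4 08:49:03 triplite courieresmtp: id=00000000003E06E2.0000000054F7296D.00005E01,from=<production@some.where>,addr=<fred@bed.rock>,size=1251,success: delivered: gmail-smtp-in.l.google.com [74.125.28.27]
Mar  4 08:49:03 triplite courierd: completed,id=00000000003E06E2.0000000054F7296D.00005E01
Mar  4 08:50:00 triplite courierd: newmsg,id=AAAA.BBBB.0001: dns; mail.example.net ([::ffff:192.0.2.10])
Mar  4 08:50:02 triplite courieresmtp: id=AAAA.BBBB.0001,from=<bob@example.net>,addr=<alice@example.org>,size=900,success: delivered: mx.example.org [203.0.113.5]
"""

# "newmsg" carries the id, an optional auth= user, and the relay Courier received from.
NEWMSG = re.compile(r"courierd: newmsg,id=(\S+?),?(?: auth=([^:]+))?: (.*)$")
# The SMTP client logs one "success: delivered" line per recipient handed to a remote MTA.
DELIVERED = re.compile(
    r"courieresmtp: id=(\S+?),from=<([^>]*)>,addr=<([^>]*)>,size=\d+,success: delivered: (.*)$"
)


def parse_courier_log(text):
    """Return {message id: [record, ...]} for every message courieresmtp delivered
    to another MTA, each record holding sender, origin, auth user, recipient, relay."""
    origin = {}                 # message id -> (source relay, auth user or None)
    sent = defaultdict(list)
    for line in text.splitlines():
        m = NEWMSG.search(line)
        if m:
            msg_id, auth, source = m.groups()
            origin[msg_id] = (source, auth)
            continue
        m = DELIVERED.search(line)
        if m:
            msg_id, sender, rcpt, relay = m.groups()
            source, auth = origin.get(msg_id, ("unknown", None))
            sent[msg_id].append({"from": sender, "origin": source, "auth": auth,
                                 "rcpt": rcpt, "relay": relay})
    return dict(sent)


def deliveries_by_origin(records):
    """Count delivered recipients per (origin relay, envelope sender); the top
    entries are where to look first when hunting an outbound spam source."""
    counts = Counter()
    for recs in records.values():
        for r in recs:
            counts[(r["origin"], r["from"])] += 1
    return counts
```

Run it against the real file with `parse_courier_log(open("/var/log/mail.log").read())`; messages with `module=local` in their "started" line never produce a courieresmtp delivery line and are therefore excluded automatically.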