Log analysis

  • Martina Tomisova
    Message 1 of 6, Aug 2 6:21 AM
      Hi,

      I can't find the format of Postfix logs. First I need to know what 'nrcpt' means exactly.

      And the second thing I need to know is how the session ID works (I only suppose that it is something like a session ID). Let's have a look at the example:

      Jul 24 02:07:28 server-name postfix/local[8669]: 555AC6A60AF: to=<recipient@...>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")

      What does the 555AC6A60AF mean? First I thought that it is original number for each connection but it is not original - it repeats after hours...

      Thank you for any help,
      Martina
    • Sahil Tandon
      Message 2 of 6, Aug 2 6:28 AM
        On Sun, 02 Aug 2009, Martina Tomisova wrote:

        > I can't find the format of Postfix logs. First I need to know what does
        > 'nrcpt' mean exactly.

        Original number of recipients for a given message.

        > Jul 24 02:07:28 server-name postfix/local[8669]: 555AC6A60AF: to=<
        > recipient@...>, relay=local, delay=0.13, delays=0.12/0/0/0.01,
        > dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
        >
        > What does the 555AC6A60AF mean? First I thought that it is original number
        > for each connection but it is not original - it repeats after hours...

        That is the queue ID, which can be reused/repeated; but no two queue entries
        will *simultaneously* have the same queue ID.

        --
        Sahil Tandon <sahil@...>
      • Martina Tomisova
        Message 3 of 6, Aug 2 6:44 AM
          > Original number of recipients for a given message.

          So this single message will be sent to the given number of recipients, right? Well, but there is no list of them in the log. My problem is that there are, for example, 390 recipients. This line has some queue ID, sender and nrcpt. And there are only, for example, 3 lines following with the same queue ID containing 3 recipients. Where are the others? It doesn't make sense...

          In other words:
          There is a line like that one:
          > Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@...>, size=1707076, nrcpt=390 (queue active)
          Then there are three lines containing the queue ID AEE706A60B5 like this one:
          > Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5: to=<reciever@...>, relay=none, delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred (connect to another.org[1.2.3.4]:25: No route to host)
          And that's all. This queue ID is then used after more than one hour, and it starts with a line containing from=.... Where are the rest of the recipients? Are they just not listed, or are there only 3 recipients? That's why I'm confused whether nrcpt really means the number of recipients for this single message.
          The reason I do this analysis is that I need to know whether this guy sends spam or not... And I have to be sure about my conclusion. :)

          Thank you,
          M.

        • mouss
          Message 4 of 6, Aug 2 8:19 AM
            Martina Tomisova wrote:
            >
            > So this single message will be send to the given number of recipients,
            > right?. Well but there is no list of them in the log.

            each recipient will be in its own log line when the message is delivered.

            > My problem is that
            > there is for example 390 recipients. This line has some queue ID, sender
            > and nrcpt. And there are only for example 3 lines following with the
            > same queue ID containing 3 recipients. Where are the others? It doesn't
            > make sense...
            >

            grep for the QUEUEID will show you other log lines. some of these will
            include the Message-Id. The Message-Id can also be used to find other
            related log lines.

            > In other words:
            > There is a line like that one:
            >> Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5:
            > from=<sender@... <mailto:sender@...>>, size=1707076,
            > nrcpt=390 (queue active)
            > Then there three lines containing the queue ID AEE706A60B5 like this one:
            >> Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5:
            > to=<reciever@... <mailto:reciever@...>>, relay=none,
            > delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred
            > (connect to another.org <http://another.org>[1.2.3.4]:25: No route
            > to host)

            The message is in the queue. use postcat -q to see its content
            (including the list of recipients). I'll leave it to you to make sure
            that there are no PRIVACY issues.

            PS. When posting from gmail, please hit the TEXT button. Otherwise, your
            logs are hard to read (see the "<mailto:..." thing above?)

            > And that's all. This queue ID is then used after more then one hour and
            > it starts by line containing from=.... Where is the rest of recipients?
            > Is it just not listed or there are only 3 recipients? That's why I'm
            > confused whether the nrcpt realy means the number of recipients for this
            > single message.
            > Why I do this analysis is that I need to know whether this guy sends a
            > spam or not... And I have to be sure about my conclusion. :)
            >
          • Martina Tomisova
            Message 5 of 6, Aug 3 6:08 AM
              > each recipient will be in its own log line when the message is delivered.
              So I've got 101 lines like this one:

              Jul 27 xx:yy:zz server postfix/qmgr[2580]: 50B106A60A8:
              from=<bob@...>, size=754061, nrcpt=436 (queue active)

              The time differs (this line is printed there approx. once an hour, so
              it seems that he sends this batch of emails approx. each hour), it's
              the same user and the same nrcpt and the same queue id. So there
              should be approx. 101*436=44036 lines containing the string
              50B106A60A8 at least. But there are only 1173 lines like that. How is
              that possible? How does this work? Is it possible to tell Postfix that I'm
              going to send a message to 436 recipients and then send to just a few
              recipients? I'm sorry if this is a stupid question :)

              > grep for the QUEUEID will show you other log lines. some of these will
              > include the Message-Id. The Message-Id can also be used to find other
              > related log lines.
              I investigated lines containing the message id and the recipient and
              all of them contained the queue id too.

              Thanks, M.
            • Sahil Tandon
              Message 6 of 6, Aug 3 6:41 AM
                On Aug 3, 2009, at 9:08 AM, Martina Tomisova
                <martina.tomisova@...> wrote:

                >> each recipient will be in its own log line when the message is
                >> delivered.
                > So I've got 101 lines like this one:
                >
                > Jul 27 xx:yy:zz server postfix/qmgr[2580]: 50B106A60A8:
                > from=<bob@...>, size=754061, nrcpt=436 (queue active)
                >
                > The time differs (this line is printed there approx. once an hour, so
                > it seems that he sends this batch of emails approx. each hour), it's
                > the same user and the same nrcpt and the same queue id. So there
                > should be approx. 101*436=44036 lines containing the string
                > 50B106A60A8 at least. But there are only 1173 lines like that. How is
                > that possible? How does this work? Is it possible to tell Postfix that I'm
                > going to send a message to 436 recipients and then send to just a few
                > recipients? I'm sorry if this is a stupid question :)

                As I wrote in my initial reply, nrcpt= denotes the ORIGINAL number of
                recipients. The later log lines are very likely Postfix trying to
                deliver to different destinations for that same original message
                submission.

                >
                >> grep for the QUEUEID will show you other log lines. some of these
                >> will
                >> include the Message-Id. The Message-Id can also be used to find other
                >> related log lines.
                > I investigated lines containing the message id and the recipient and
                > all of them contained the queue id too.
                >
                > Thanks, M.
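The two answers in this thread boil down to a small amount of bookkeeping: grep the queue ID and the Message-Id to collect a message's lines (mouss), remember that nrcpt is the recipient count at submission and that a queue ID can be reused once the queue file is gone, just never by two queue entries at the same time (Sahil). The script below is an added example, not code from the thread or from Postfix: it parses Postfix log lines, groups them into per-queue-file "episodes" that end at the qmgr `removed` line, counts how many times each message entered the active queue, and compares nrcpt with the distinct recipients that have a delivery status logged. The `SAMPLE_LOG` lines, hostnames, addresses and queue IDs are constructed; the function names are this example's own. The `postcat -q` suggestion in the report is the one mouss gives above.

```python
"""Correlate Postfix log lines by queue ID and compare nrcpt with the recipients logged.
Added example for this thread, not Postfix code. Sample lines are constructed placeholders."""
import re
from collections import Counter, defaultdict

# syslog prefix, Postfix daemon and pid, queue ID, then the remainder of the line
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<daemon>[\w-]+)\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)
# key=value pairs; values in angle brackets (addresses, message-ids) may contain commas
KV_RE = re.compile(r"([\w-]+)=(<[^>]*>|[^,\s]+)")

# Constructed sample: AEE706A60B5 needs three active-queue passes before all three
# recipients are delivered, the same queue ID is then reused by a new message, and
# 4D2E16A60C1 is still sitting in the queue.
SAMPLE_LOG = """\
Jul 23 07:26:20 server postfix/cleanup[2571]: AEE706A60B5: message-id=<constructed-1@example.org>
Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.org>, size=1707076, nrcpt=3 (queue active)
Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5: to=<a@example.net>, relay=none, delay=3, delays=3/0.02/0/0, dsn=4.4.1, status=deferred (connect to example.net[192.0.2.1]:25: No route to host)
Jul 23 07:26:26 server postfix/smtp[30944]: AEE706A60B5: to=<b@example.com>, relay=example.com[192.0.2.2]:25, delay=3.1, delays=3/0.03/0.05/0.02, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4F3C1)
Jul 23 07:26:56 server postfix/smtp[30945]: AEE706A60B5: to=<c@example.edu>, relay=none, delay=33, delays=3/0.02/30/0, dsn=4.4.1, status=deferred (connect to example.edu[192.0.2.3]:25: Connection timed out)
Jul 23 08:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.org>, size=1707076, nrcpt=3 (queue active)
Jul 23 08:26:26 server postfix/smtp[30950]: AEE706A60B5: to=<a@example.net>, relay=none, delay=3603, delays=3603/0.02/0/0, dsn=4.4.1, status=deferred (connect to example.net[192.0.2.1]:25: No route to host)
Jul 23 08:26:27 server postfix/smtp[30951]: AEE706A60B5: to=<c@example.edu>, relay=example.edu[192.0.2.3]:25, delay=3604, delays=3603/0.03/0.5/0.2, dsn=2.0.0, status=sent (250 Ok)
Jul 23 09:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.org>, size=1707076, nrcpt=3 (queue active)
Jul 23 09:26:25 server postfix/smtp[30960]: AEE706A60B5: to=<a@example.net>, relay=example.net[192.0.2.1]:25, delay=7202, delays=7202/0.02/0.1/0.1, dsn=2.0.0, status=sent (250 Ok)
Jul 23 09:26:25 server postfix/qmgr[2580]: AEE706A60B5: removed
Jul 23 11:02:10 server postfix/qmgr[2580]: AEE706A60B5: from=<other@example.org>, size=1200, nrcpt=1 (queue active)
Jul 23 11:02:11 server postfix/local[8669]: AEE706A60B5: to=<user@server>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to mailbox)
Jul 23 11:02:11 server postfix/qmgr[2580]: AEE706A60B5: removed
Jul 23 12:00:00 server postfix/qmgr[2580]: 4D2E16A60C1: from=<bulk@example.org>, size=754061, nrcpt=4 (queue active)
Jul 23 12:00:02 server postfix/smtp[30970]: 4D2E16A60C1: to=<d@example.net>, relay=none, delay=2, delays=2/0.01/0/0, dsn=4.4.1, status=deferred (connect to example.net[192.0.2.1]:25: No route to host)
"""


def parse_line(line):
    """Split one Postfix log line into its parts; None if it carries no queue ID."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["fields"] = {k: v.strip("<>") for k, v in KV_RE.findall(rest)}
    # qmgr logs "<queue ID>: removed" when the queue file is deleted; after that the
    # ID may be handed to a new message, which is why it can reappear hours later
    rec["removed"] = rest.strip() == "removed"
    # qmgr logs from=/size=/nrcpt= "(queue active)" each time the message enters the
    # active queue, so a deferred message produces this line again on every retry
    rec["queue_active"] = rest.rstrip().endswith("(queue active)")
    return rec


def summarize(lines):
    """Group lines into episodes keyed (queue ID, n); n grows each time the ID is reused."""
    episode_no = defaultdict(int)
    closed = set()          # queue IDs whose current episode ended with "removed"
    episodes = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        qid = rec["qid"]
        if qid in closed:   # same ID again after removal: a different message
            episode_no[qid] += 1
            closed.discard(qid)
        ep = episodes.setdefault((qid, episode_no[qid]), {
            "sender": None, "nrcpt": None, "active_passes": 0, "attempts": 0,
            "recipients": set(), "statuses": Counter(), "removed": False,
        })
        f = rec["fields"]
        if rec["queue_active"]:
            ep["active_passes"] += 1
            ep["sender"] = f.get("from")
            if "nrcpt" in f:
                ep["nrcpt"] = int(f["nrcpt"])
        if "to" in f and "status" in f:      # one line per recipient delivery attempt
            ep["attempts"] += 1
            ep["recipients"].add(f["to"])
            ep["statuses"][f["status"]] += 1
        if rec["removed"]:
            ep["removed"] = True
            closed.add(qid)
    return episodes


def report(episodes):
    """One summary line per episode, comparing nrcpt with the recipients seen in the log."""
    rows = []
    for (qid, n), ep in sorted(episodes.items()):
        seen = len(ep["recipients"])
        if ep["nrcpt"] is None:
            verdict = "no qmgr line seen (log truncated or rotated?)"
        elif not ep["removed"]:
            verdict = f"still queued: postcat -q {qid} lists the pending recipients"
        elif seen >= ep["nrcpt"]:
            verdict = "every original recipient has a delivery line"
        else:
            verdict = "fewer recipients logged than nrcpt"
        rows.append(f"{qid}#{n} from={ep['sender']} nrcpt={ep['nrcpt']} "
                    f"passes={ep['active_passes']} attempts={ep['attempts']} "
                    f"distinct_rcpt={seen} {dict(ep['statuses'])} -> {verdict}")
    return rows


if __name__ == "__main__":
    for row in report(summarize(SAMPLE_LOG.splitlines())):
        print(row)
```

Run against a real mail log (`summarize(open("/var/log/mail.log"))`), the episode split on `removed` is what keeps two unrelated messages that happened to get the same queue ID apart, and `attempts` versus `distinct_rcpt` is the distinction the thread is circling: the same recipient can produce one deferred line per retry, so the number of `to=` lines is neither the recipient count nor a multiple of nrcpt.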