Re: Log analysis

  • Sahil Tandon
    Message 1 of 6 , Aug 2, 2009
      On Sun, 02 Aug 2009, Martina Tomisova wrote:

      > I can't find the format of Postfix logs. First I need to know what does
      > 'nrcpt' mean exactly.

      Original number of recipients for a given message.

      > Jul 24 02:07:28 server-name postfix/local[8669]: 555AC6A60AF: to=<
      > recipient@...>, relay=local, delay=0.13, delays=0.12/0/0/0.01,
      > dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
      >
      > What does the 555AC6A60AF mean? First I thought that it is original number
      > for each connection but it is not original - it repeats after hours...

      That is the queue ID, which can be reused/repeated; but no two queue entries
      will *simultaneously* have the same queue ID.

      --
      Sahil Tandon <sahil@...>
    • Martina Tomisova
      Message 2 of 6 , Aug 2, 2009
        Original number of recipients for a given message.

        So this single message will be sent to the given number of recipients, right? Well, but there is no list of them in the log. My problem is that there are, for example, 390 recipients. This line has some queue ID, sender and nrcpt. And there are only, for example, 3 lines following with the same queue ID containing 3 recipients. Where are the others? It doesn't make sense...

        In other words:
        There is a line like that one:
        > Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@...>, size=1707076, nrcpt=390 (queue active)
        Then there are three lines containing the queue ID AEE706A60B5 like this one:
        > Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5: to=<reciever@...>, relay=none, delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred (connect to another.org[1.2.3.4]:25: No route to host)
        And that's all. This queue ID is then used after more than one hour and it starts with a line containing from=.... Where is the rest of the recipients? Is it just not listed or are there only 3 recipients? That's why I'm confused whether the nrcpt really means the number of recipients for this single message.
        Why I do this analysis is that I need to know whether this guy sends spam or not... And I have to be sure about my conclusion. :)

        Thank you,
        M.

      • mouss
        Message 3 of 6 , Aug 2, 2009
          Martina Tomisova wrote:
          >
          > So this single message will be sent to the given number of recipients,
          > right? Well, but there is no list of them in the log.

          each recipient will be in its own log line when the message is delivered.

          > My problem is that
          > there are, for example, 390 recipients. This line has some queue ID, sender
          > and nrcpt. And there are only for example 3 lines following with the
          > same queue ID containing 3 recipients. Where are the others? It doesn't
          > make sense...
          >

          grep for the QUEUEID will show you other log lines. some of these will
          include the Message-Id. The Message-Id can also be used to find other
          related log lines.

          > In other words:
          > There is a line like that one:
          >> Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5:
          > from=<sender@... <mailto:sender@...>>, size=1707076,
          > nrcpt=390 (queue active)
          > Then there are three lines containing the queue ID AEE706A60B5 like this one:
          >> Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5:
          > to=<reciever@... <mailto:reciever@...>>, relay=none,
          > delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred
          > (connect to another.org <http://another.org>[1.2.3.4]:25: No route
          > to host)

          The message is in the queue. use postcat -q to see its content
          (including the list of recipients). I'll leave it to you to make sure
          that there are no PRIVACY issues.

          PS. When posting from gmail, please hit the TEXT button. Otherwise, your
          logs are hard to read (see the "<mailto:..." thing above?)

          > And that's all. This queue ID is then used after more than one hour and
          > it starts with a line containing from=.... Where is the rest of the recipients?
          > Is it just not listed or are there only 3 recipients? That's why I'm
          > confused whether the nrcpt really means the number of recipients for this
          > single message.
          > Why I do this analysis is that I need to know whether this guy sends a
          > spam or not... And I have to be sure about my conclusion. :)
          >
        • Martina Tomisova
          Message 4 of 6 , Aug 3, 2009
            > each recipient will be in its own log line when the message is delivered.
            So I've got 101 lines like this one:

            Jul 27 xx:yy:zz server postfix/qmgr[2580]: 50B106A60A8:
            from=<bob@...>, size=754061, nrcpt=436 (queue active)

            The time differs (this line is printed there approx. once an hour, so
            it seems that he sends this batch of emails approx. each hour), it's
            the same user and the same nrcpt and the same queue id. So there
            should be approx. 101*436=44036 lines containing the string
            50B106A60A8 at least. But there are only 1173 lines like that. How is
            that possible? How does this work? Is it possible to tell Postfix that I'm
            going to send a message to 436 recipients and then send to just a few
            recipients? I'm sorry if this is a stupid question :)

            > grep for the QUEUEID will show you other log lines. some of these will
            > include the Message-Id. The Message-Id can also be used to find other
            > related log lines.
            I investigated lines containing the message id and the recipient and
            all of them contained the queue id too.

            Thanks, M.
          • Sahil Tandon
            Message 5 of 6 , Aug 3, 2009
              On Aug 3, 2009, at 9:08 AM, Martina Tomisova
              <martina.tomisova@...> wrote:

              >> each recipient will be in its own log line when the message is
              >> delivered.
              > So I've got 101 lines like this one:
              >
              > Jul 27 xx:yy:zz server postfix/qmgr[2580]: 50B106A60A8:
              > from=<bob@...>, size=754061, nrcpt=436 (queue active)
              >
              > The time differs (this line is printed there approx. once an hour, so
              > it seems that he sends this batch of emails approx. each hour), it's
              > the same user and the same nrcpt and the same queue id. So there
              > should be approx. 101*436=44036 lines containing the string
              > 50B106A60A8 at least. But there are only 1173 lines like that. How is
              > that possible? How does this work? Is it possible to tell Postfix that I'm
              > going to send a message to 436 recipients and then send to just a few
              > recipients? I'm sorry if this is a stupid question :)

              As I wrote in my initial reply, nrcpt= denotes the ORIGINAL number of
              recipients. The later log lines are very likely Postfix trying to
              deliver to different destinations for that same original message
              submission.

              >
              >> grep for the QUEUEID will show you other log lines. some of these
              >> will
              >> include the Message-Id. The Message-Id can also be used to find other
              >> related log lines.
              > I investigated lines containing the message id and the recipient and
              > all of them contained the queue id too.
              >
              > Thanks, M.
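Putting mouss's and Sahil's answers together (one to= line per recipient per delivery attempt, a from=/nrcpt line every time qmgr makes the message active again, and a queue ID that can be reused once the message has been removed), here is an added Python checker that is not code from this thread or from the Postfix project. The log lines are constructed, modelled on the ones quoted above with placeholder addresses and hosts; the "generation" bookkeeping, which starts a new lifetime only after a "removed" line, is my own assumption about how to tell a reused queue ID from a retry of the same message.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread (placeholder
# addresses and hosts). Queue ID AEE706A60B5 is first used by a 3-recipient message
# that needs three activations before its last recipient is delivered, then, after
# "removed", is reused by an unrelated 1-recipient message.
SAMPLE_LOG = """\
Jul 23 07:26:23 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.org>, size=1707076, nrcpt=3 (queue active)
Jul 23 07:26:24 server postfix/local[8669]: AEE706A60B5: to=<alice@server>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jul 23 07:26:25 server postfix/smtp[30943]: AEE706A60B5: to=<bob@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=2.1, delays=0.1/0/1/1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 23 07:26:26 server postfix/smtp[30943]: AEE706A60B5: to=<carol@another.org>, relay=none, delay=148458, delays=148455/0.02/3/0, dsn=4.4.1, status=deferred (connect to another.org[1.2.3.4]:25: No route to host)
Jul 23 08:31:02 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.org>, size=1707076, nrcpt=3 (queue active)
Jul 23 08:31:05 server postfix/smtp[30951]: AEE706A60B5: to=<carol@another.org>, relay=none, delay=152337, delays=152334/0.02/3/0, dsn=4.4.1, status=deferred (connect to another.org[1.2.3.4]:25: No route to host)
Jul 23 09:40:11 server postfix/qmgr[2580]: AEE706A60B5: from=<sender@example.org>, size=1707076, nrcpt=3 (queue active)
Jul 23 09:40:13 server postfix/smtp[30960]: AEE706A60B5: to=<carol@another.org>, relay=mx.another.org[1.2.3.4]:25, delay=156480, delays=156478/0.03/1/1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jul 23 09:40:13 server postfix/qmgr[2580]: AEE706A60B5: removed
Jul 24 02:07:28 server postfix/qmgr[2580]: AEE706A60B5: from=<other@example.org>, size=2048, nrcpt=1 (queue active)
Jul 24 02:07:28 server postfix/local[8669]: AEE706A60B5: to=<dave@server>, relay=local, delay=0.13, delays=0.12/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Jul 24 02:07:28 server postfix/qmgr[2580]: AEE706A60B5: removed
"""

# Syslog prefix ("Mon DD HH:MM:SS host postfix/...") and the queue ID, which may be
# the short hex form seen in the thread or the long base-62 form of newer Postfix.
SYSLOG = r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ postfix/"
QID = r"(?P<qid>[0-9A-Za-z]+)"
QMGR_ACTIVE = re.compile(SYSLOG + r"qmgr\[\d+\]: " + QID +
                         r": from=<(?P<sender>[^>]*)>, size=(?P<size>\d+), nrcpt=(?P<nrcpt>\d+) \(queue active\)")
DELIVERY = re.compile(SYSLOG + r"(?P<agent>\w+)\[\d+\]: " + QID +
                      r": to=<(?P<rcpt>[^>]*)>.*\bstatus=(?P<status>\w+)")
REMOVED = re.compile(SYSLOG + r"qmgr\[\d+\]: " + QID + r": removed$")


def summarize(lines):
    """Group lines into message lifetimes keyed by (queue ID, generation).

    A queue ID can be reused once its message is "removed", so a new generation
    starts when a "queue active" line follows a "removed" line. A further
    "queue active" line inside one generation is qmgr re-activating a deferred
    message: the from=/nrcpt line repeats, but only still-undelivered recipients
    get new to= lines, which is why far fewer than nrcpt lines follow each repeat.
    """
    generation = {}   # queue ID -> current generation number
    closed = set()    # queue IDs whose current generation has been "removed"
    records = {}      # (queue ID, generation) -> accumulated facts
    for line in lines:
        m = QMGR_ACTIVE.match(line)
        if m:
            qid = m["qid"]
            if qid not in generation or qid in closed:
                generation[qid] = generation.get(qid, 0) + 1
                closed.discard(qid)
            rec = records.setdefault((qid, generation[qid]), {
                "sender": m["sender"], "size": int(m["size"]), "nrcpt": int(m["nrcpt"]),
                "activations": 0, "to_lines_per_activation": [],
                "recipients": set(), "status": Counter(),
            })
            rec["activations"] += 1
            rec["to_lines_per_activation"].append(0)
            continue
        m = DELIVERY.match(line)
        if m:
            qid = m["qid"]
            if qid not in generation:
                continue  # no qmgr line seen for this ID (e.g. log rotated mid-lifetime)
            rec = records[(qid, generation[qid])]
            rec["recipients"].add(m["rcpt"])
            rec["status"][m["status"]] += 1
            rec["to_lines_per_activation"][-1] += 1
            continue
        m = REMOVED.match(line)
        if m:
            closed.add(m["qid"])
    return records


def consistency_report(records):
    """One summary per lifetime, plus a sanity flag: within one lifetime the distinct
    recipients seen in to= lines should not exceed the declared nrcpt, so a violation
    points at the parser or a gap in the log rather than at Postfix."""
    report = []
    for (qid, gen), rec in sorted(records.items()):
        distinct = len(rec["recipients"])
        report.append({
            "queue_id": qid, "generation": gen, "sender": rec["sender"],
            "nrcpt": rec["nrcpt"], "activations": rec["activations"],
            "to_lines_per_activation": rec["to_lines_per_activation"],
            "total_to_lines": sum(rec["to_lines_per_activation"]),
            "distinct_recipients": distinct, "status": dict(rec["status"]),
            "more_recipients_than_declared": distinct > rec["nrcpt"],
        })
    return report


if __name__ == "__main__":
    for row in consistency_report(summarize(SAMPLE_LOG.splitlines())):
        print(row)
```

Run against a real mail log (`summarize(open("/var/log/mail.log"))`), the report separates the two cases the thread is trying to tell apart: one submission retried hourly against a shrinking set of deferred destinations shows up as a single lifetime with many activations and a total to= count far below activations times nrcpt, whereas a sender who really submits a fresh message every hour produces a new lifetime (a new queue ID, or a new generation after a "removed" line) each time, each with its own from=/nrcpt line and its own full set of recipients.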