to/from/subject collection

Fred Martin_1
Valued Contributor

to/from/subject collection

I'm being asked by management to collect To/From and Subject information from a set of my users. "Acceptable use" is in question for some.

I'd thought about writing some script to watchdog their inboxes, but that would be fairly complex and timing-critical, since they pop in for mail every few minutes and then the evidence is gone.

The sendmail mail.log currently displays To/From and the alias conversions but not subject. My loglevel is set at 16.

I'm trying to find detailed info on LogLevel (what each level does exactly) but having a hard time finding it.

Can someone point me to a resource?

If I can get the log to display Subject line that would do it.

Fred
fmartin@applicatorssales.com
11 REPLIES
Steven E. Protter
Exalted Contributor

Re: to/from/subject collection

To fully assist in this endeavor I'd need to know how your mail is processed.

What is the client, and does your server process it all?

Clearly, even if the mail passes through via a DS relay, the evidence is on your system and can be collected.

I say in general, expand what you look at. I'm not sure upping the loglevel is going to do the job. I may be wrong and sendmail.org is a good place to look at what you can do there.

However, if you use the outlook client, there is a sent mail policy. It can be controlled, and the information here can be processed for checking on acceptable use policy.

If you implement a flexible html based mail client like squirrelmail, there is a sent folder that is stored in the users $HOME/mail directory and you can pull data out of that into a massive file that gets processed later.

You could configure a little daemon to take the files out of /var/spool/mqueue and that would surely get you the subject information you require, along with enough information to track the mail back to its sender.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Pete Randall
Outstanding Contributor

Re: to/from/subject collection

Fred,

The details of the different log levels are spelled out in this TKB doc:

http://www1.itrc.hp.com/service/cki/docDisplay.do?docLocale=en_US&docId=200000062945191


Pete
Fred Martin_1
Valued Contributor

Re: to/from/subject collection

Our PC users have a variety of PC-based mail clients: Outlook, Outlook Express, Eudora, Thunderbird. They all POP in to the unix server to collect their email. No Exchange, nothing like that.

Since all of their inboxes are right there on the unix server, and sendmail delivers all mail to the inboxes, I think sendmail logging would be the simplest way to track anything.

Pete thanks for that link. My log level is already higher than what's described there but I'll look at sendmail.org for more info.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: to/from/subject collection

FYI I have the O'Reilly Sendmail book; the log levels described are the same as the HP link above.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: to/from/subject collection

Well, for kicks I cranked the LogLevel up to 98 for sendmail; lots of interesting detail, but no subject.

I'll have to find something else then, Subject was something that management specifically asked for.

There are only 15 users. I suppose I could run a script which, every 2 minutes or so, scans the user's /var/mail/file, pulling out any To/From/Subject that's new since the last polling.

I could catch 99% of the email that way I suppose, with not too much processing time.

fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: to/from/subject collection

Mmm. Just thinking out loud here.

I could have a single script watching the bottom of the sendmail log, and as soon as it sees any mail "RCPT TO" one of my particular users, it could go get the needed info immediately from the /var/mail file for that user. That would be better than trying to determine if the user's mail file has changed since last poll.
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: to/from/subject collection

Yeah, "MAIL TO" not "RCPT TO"
fmartin@applicatorssales.com
Fred Martin_1
Valued Contributor

Re: to/from/subject collection

Try: "MAIL FROM"
I had too much for lunch, a little sleepy.
fmartin@applicatorssales.com
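The log-watch idea sketched in the posts above can key off the lines sendmail writes to mail.log: each message gets a from=<...> entry and one to=<...> entry per recipient, tied together by the queue id, and deliveries into /var/mail carry mailer=local. The function below is an added example, not code from this thread or from HP. It assumes the stock syslog line layout (date, host, sendmail[pid]:, queue id:, key=value pairs); the host name mailhost, the example.test domains and the watch list are placeholders, and the log lines are constructed for the example rather than taken from a real server.

```sh
#!/bin/sh
# Added example (not from the thread): report local deliveries to watched
# users by pairing sendmail's from=<...> and to=<...> log lines on queue id.
# Assumes the stock syslog layout: "MON DD HH:MM:SS host sendmail[pid]: QID: ..."

# Constructed sample of a sendmail mail.log (not from a real server).
SAMPLE_LOG='Jan 10 12:00:01 mailhost sendmail[1234]: k0AH01a01234: from=<alice@example.test>, size=512, class=0, nrcpts=1, msgid=<1@example.test>, proto=ESMTP, relay=smtp.example.test [192.0.2.10]
Jan 10 12:00:01 mailhost sendmail[1235]: k0AH01a01234: to=<bob@mailhost.example.test>, ctladdr=<bob@mailhost.example.test>, delay=00:00:00, mailer=local, dsn=2.0.0, stat=Sent
Jan 10 12:01:07 mailhost sendmail[1240]: k0AH17a01240: from=<carol@example.test>, size=900, class=0, nrcpts=1, msgid=<2@example.test>, proto=ESMTP, relay=smtp.example.test [192.0.2.10]
Jan 10 12:01:07 mailhost sendmail[1241]: k0AH17a01240: to=<dave@mailhost.example.test>, ctladdr=<dave@mailhost.example.test>, delay=00:00:00, mailer=local, dsn=2.0.0, stat=Sent
Jan 10 12:02:30 mailhost sendmail[1250]: k0AH2Ua01250: from=<bob@mailhost.example.test>, size=300, class=0, nrcpts=1, msgid=<3@example.test>, proto=ESMTP, relay=pc17.example.test [192.0.2.17]
Jan 10 12:02:30 mailhost sendmail[1251]: k0AH2Ua01250: to=<erin@elsewhere.test>, ctladdr=bob (1001/100), delay=00:00:00, mailer=esmtp, relay=mx.elsewhere.test, dsn=2.0.0, stat=Sent'

# watched_deliveries "user1 user2 ..." < mail.log
# Prints "QID recipient_user envelope_sender" for every delivery into the
# local spool of a watched user.  Outbound mail (mailer=esmtp) is skipped
# because it never lands in /var/mail; only the log records it.
watched_deliveries() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) watched[w[i]] = 1 }
        # Field 6 is the queue id ("k0AH01a01234:"); drop the trailing colon.
        { qid = $6; sub(/:$/, "", qid) }
        /: from=</ {
            # Remember the envelope sender under this queue id.
            if (match($0, /from=<[^>]*>/)) from[qid] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        /: to=</ && /mailer=local/ {
            # Local delivery: the part before "@" in to=<...> is the spool file name.
            if (match($0, /to=<[^>]*>/)) {
                rcpt = substr($0, RSTART + 4, RLENGTH - 5)
                sub(/@.*/, "", rcpt)
                if (rcpt in watched) print qid, rcpt, from[qid]
            }
        }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | watched_deliveries "bob dave"
```

In use this would read the live log, for example tail -f /var/log/mail.log | watched_deliveries "user1 user2", and each output line is the trigger to go read that user's spool file for the Subject header, which the log itself never carries. Because the log only holds envelope addresses, the pairing on queue id is what lets a to= line be attributed to its sender; a message with several recipients produces one to= line per recipient under the same queue id and is reported once per watched recipient.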
Steven E. Protter
Exalted Contributor

Re: to/from/subject collection

I think your concept has merit.

I'll say this.

The data you seek is not stored in memory, it's spooled to disk.

Don't forget to apply for a patent.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Kent Ostby
Honored Contributor

Re: to/from/subject collection

I actually have a script that does this every two minutes, although I just display it so I can see if I have gotten anything new.

It's obviously fairly easy.

# the mailbox name was lost from the original post; $USER stands in for it
grep -e Subject: -e To: -e From: /var/mail/"$USER" >> /tmp/alog

Oz
"Well, actually, she is a rocket scientist" -- Steve Martin in "Roxanne"
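Fred's two-minute poll and Kent's grep both read the /var/mail spool directly. The script below is an added example, not code from this thread, showing how to do that without re-reading the whole mailbox on every pass and without picking up "Subject:" or "From:" lines that occur inside message bodies, which a plain grep over the file will do. It assumes mbox-format spool files under /var/mail (the layout described in the thread), a per-user byte-offset file under a hypothetical /var/tmp/mailaudit directory, and that the POP clients leave a message on the server at least until the next poll; all of those are assumptions, and the sample mailbox in the test is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): poll an mbox-format spool file and
# record the From:/To:/Subject: headers of messages appended since the last
# run.  SPOOL_DIR and STATE_DIR are assumed paths; override them as needed.

SPOOL_DIR="${SPOOL_DIR:-/var/mail}"
STATE_DIR="${STATE_DIR:-/var/tmp/mailaudit}"

# collect_new_headers USER
# Prints one "From|To|Subject" line per message added to the user's mbox since
# the previous call, then advances the stored byte offset for that user.
collect_new_headers() {
    user="$1"
    mbox="$SPOOL_DIR/$user"
    state="$STATE_DIR/$user.offset"
    mkdir -p "$STATE_DIR" || return 1
    [ -f "$mbox" ] || return 0

    old=0
    [ -f "$state" ] && old=$(cat "$state")
    new=$(wc -c < "$mbox" | tr -d ' ')
    # A mailbox that shrank was emptied by the owner's POP client between
    # polls; whatever was downloaded meanwhile is gone, so start over at 0.
    [ "$new" -lt "$old" ] && old=0
    [ "$new" -eq "$old" ] && return 0

    # tail -c +N starts at byte N (1-based), so skip the bytes already seen.
    # sendmail appends whole messages, so the new region starts on a "From " line.
    tail -c +"$((old + 1))" "$mbox" | awk '
        # "From " in column 1 starts a new message in mbox format; body lines
        # that begin with "From " are stored escaped as ">From ", so this is safe.
        /^From / { flush(); inhdr = 1; next }
        # The first blank line ends the header block.  Body lines are ignored,
        # so a body line reading "Subject: ..." is not mistaken for a header.
        inhdr && /^$/ { inhdr = 0; next }
        inhdr && /^From: /    { f = substr($0, 7) }
        inhdr && /^To: /      { t = substr($0, 5) }
        inhdr && /^Subject: / { s = substr($0, 10) }
        END { flush() }
        function flush() {
            if (f != "" || t != "" || s != "") print f "|" t "|" s
            f = ""; t = ""; s = ""
        }'
    printf '%s\n' "$new" > "$state"
}
```

Run it from cron every couple of minutes, once per watched user, appending the output to a log the user cannot reach, for example collect_new_headers bob >> /var/tmp/mailaudit/bob.log. Two limits worth knowing: folded header continuation lines are not joined, so a long Subject: is recorded as its first line only, and a message downloaded and deleted by the POP client between two polls is never seen, which is the gap behind the "99%" estimate above.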
Jeff_Traigle
Honored Contributor

Re: to/from/subject collection

Maybe something simpler...

Since these are POP users, I'm guessing they don't know how to spell UNIX, much less have access to the command line of the mail server.

Set up a dummy account, maybe named abuse. Set up a .forward file for each user to forward the email to that account as well as to their own inbox like this:

abuse
username

Then you can process the abuse account inbox at your leisure with no concern that you'll miss any.
--
Jeff Traigle