Finding scripts sending emails

iman_1
Advisor

Finding scripts sending emails

I have a good number of email notifications in my sendmail logs sent "from" a particular user.

Is there any way I can find out which script or which programme sends that email on any one system?

I suspect most of these are automated entries like the ones in crontab/automated scripts.

The idea is to pinpoint the scripts which send such emails.

I just see the logs like below

Jul 17 02:24:28 apple sendmail[15684]: [ID 801593 mail.info] n6H1ORS15682: to=, delay=00:00:00, xdelay=00:00:00, mailer=direct, pri=175361, relay=server.department.dom.com [172.XXX.XXX.XXX], dsn=2.0.0, stat=Sent (n6H1OUZ20001 Message accepted for delivery)
Jul 17 02:24:01 apple sendmail[15287]: [ID 801593 mail.info] n6H1O1S15265: to=, delay=00:00:00, xdelay=00:00:00, mailer=direct, pri=181633, relay=server.department.dom.com [172.XXX.XXX.XXX], dsn=2.0.0, stat=Sent (n6H1O3Z19526 Message accepted for delivery)
10 REPLIES
Dennis Handly
Acclaimed Contributor

Re: Finding scripts sending emails

I don't see any good way to find them other than brute force.
From the message you can get a subject to do the search.
From crontab, you can look for scripts invoking mailx, mail or sendmail.
James R. Ferguson
Acclaimed Contributor

Re: Finding scripts sending emails

Hi:

As Dennis said, a "brute" force search might be the fastest way.

> Dennis: From crontab, you can look for scripts invoking mailx, mail or sendmail.

Yes, not only that but remember that any output (STDOUT or STDERR) from a crontask that isn't redirected to a file will generate mail to the initiating user. Thus, you need to examine the user's crontab entries for this behavior, too.

Regards!

...JRF...
Steven E. Protter
Exalted Contributor

Re: Finding scripts sending emails

Shalom,

There is no way from a sendmail log to know what script started the send.

What you can do is get the exact start time and compare it to the cron schedule on the system and the keystroke logs of the users involved.

You can get enough data to know what user sent the email, though a root cron job with a su - username 'command' can send as any user on the system.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
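The comparison of a log timestamp against the cron schedule suggested above, as an added example that is not part of the original thread: it lists crontab entries whose minute and hour fields fire at the logged time (02:24 in the log lines quoted in the question) or within a look-back window before it. The function name, the window parameter and the sample crontab are assumptions made for illustration, and the day-of-month, month and weekday fields are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread). Lists crontab entries (stdin) whose
# minute and hour fields fire at HH:MM or up to WINDOW minutes before it.
# Day-of-month, month and weekday fields are not evaluated.
cron_candidates() {   # usage: cron_candidates HH:MM [WINDOW] < crontab
    awk -v hhmm="$1" -v window="${2:-0}" '
    function hit(spec, val,    n, part, i, p, r, lo, hi, step) {
        n = split(spec, part, ",")               # lists: 0,30
        for (i = 1; i <= n; i++) {
            p = part[i]; step = 1
            if (index(p, "/")) { split(p, r, "/"); p = r[1]; step = r[2] + 0 }
            if (step < 1) step = 1
            if (p == "*")           { lo = 0; hi = 59 }
            else if (index(p, "-")) { split(p, r, "-"); lo = r[1] + 0; hi = r[2] + 0 }
            else                    { lo = hi = p + 0 }
            if (val >= lo && val <= hi && (val - lo) % step == 0) return 1
        }
        return 0
    }
    BEGIN { split(hhmm, t, ":"); now = t[1] * 60 + t[2] }
    /^[ \t]*#/ || NF < 6 { next }                # comments, blanks, VAR=value
    {
        for (d = 0; d <= window; d++) {          # walk back minute by minute
            m = (now - d + 1440) % 1440          # wraps across midnight
            if (hit($1, m % 60) && hit($2, int(m / 60))) {
                printf "-%dmin\t%s\n", d, $0
                break
            }
        }
    }'
}

# Constructed sample crontab; script paths and recipients are made up.
sample_schedule() {
    cat <<'EOF'
# constructed sample crontab
0 2 * * * /opt/scripts/backup.ksh >/var/tmp/backup.log 2>&1
24 2 * * * /opt/scripts/report.ksh | mailx -s "nightly report" ops
20 1-3 * * * /opt/scripts/extract.ksh
0,30 * * * * /opt/scripts/poll.ksh
24 14 * * * /opt/scripts/afternoon.ksh
EOF
}

sample_schedule | cron_candidates 02:24 5
```

Each output line starts with how many minutes before the logged time the entry fired, which helps when a job runs for a while before it sends its mail.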
iman_1
Advisor

Re: Finding scripts sending emails

Thank you guys. Although I suspected the answer, I still wanted to have the confirmation of the "experts".
Bill Hassell
Honored Contributor

Re: Finding scripts sending emails

This is a common sysadmin problem. I solve it by replacing all email addresses in scripts with the name of the script itself, something like this:

MYNAME=${0##*/}
MAILTO=$MYNAME
...
echo "something to mail" | mailx -s "$MYNAME: someTitle" $MYNAME

Assuming the script's name is abc.ksh, then the mailx line looks like this:

echo "something to mail" | mailx -s "abc.ksh: someTitle" abc.ksh

And in /etc/mail/aliases, I create an alias called abc.txt and set it to the distribution list. This now documents the name of the script in the subject and it allows me to change the distribution list without modifying the script at all.

(scripting note: ${0##*/} is the more efficient shell way to implement the basename command)


Bill Hassell, sysadmin
Pete Randall
Outstanding Contributor

Re: Finding scripts sending emails

I use find in an instance like this (just did this morning in fact):

find /startdir_where_script_are -type f | xargs grep -l "the particular from user"

If your scripts tend to be in just one or two locations, it's a relatively simple matter.


Pete
Pete Randall
Outstanding Contributor

Re: Finding scripts sending emails

On second thought, the fact that it's the "from user" might make that impossible. It's easy enough to search for the "to user", though.

Pete
Dennis Handly
Acclaimed Contributor

Re: Finding scripts sending emails

>JRF: you need to examine the user's crontab entries for this behavior

Yes and the mail you get tells you exactly that. It is from root with the subject "cron". And it lists the crontab command.
Yogesh M Puranik
Valued Contributor

Re: Finding scripts sending emails

Hi Iman,


1] Please go through the logs carefully, which will give the details of from whom this mail is coming and to which ID it is sending mail.

2] I believe in this case "apple" user is sending mail.

3] You can check the /var/mail/"user" file.

4] Once you get the details of users, then check the cron details of that user using #crontab -l "username" |grep -i scriptname

5] Maybe these steps will help you out.


Rgds

Yogesh
James R. Ferguson
Acclaimed Contributor

Re: Finding scripts sending emails

Hi (again):

>Dennis: JRF: you need to examine the user's crontab entries for this behavior

> Yes and the mail you get tells you exactly that. It is from root with the subject "cron". And it lists the crontab command.

You missed my point. I said that, "...any output (STDOUT or STDERR) from a crontask that isn't redirected to a file will generate mail to the initiating user." It was this examination to which I referred; viz. un-redirected output.

Regards!

...JRF...
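The two crontab checks discussed in this thread (entries that call mailx, mail or sendmail, and entries whose output is not redirected and is therefore mailed by cron), as an added example that is not part of the original thread. The function name, the tag names and the sample crontab are assumptions made for illustration; the redirection test is a text heuristic on the crontab line and does not look inside the scripts being called.

```shell
#!/bin/sh
# Added example (not from the thread). Reads a crontab on stdin and tags entries:
#   MAILER    the command invokes mail, mailx or sendmail directly
#   CRONMAIL  stdout or stderr is not redirected, so cron mails any output
audit_crontab() {
    awk '
    BEGIN { mailer = "(^|[/ \t|;&(])(mailx|mail|sendmail)([ \t;|&)]|$)" }
    /^[ \t]*#/ || NF < 6 { next }       # comments, blanks, VAR=value lines
    {
        cmd = $0
        for (i = 1; i <= 5; i++)         # drop the five schedule fields
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", cmd)
        out = (cmd ~ /(^|[^2&>])>/)      # ">file" or ">>file" (stdout)
        err = (cmd ~ /2>/)               # "2>file" or "2>&1" (stderr)
        if (cmd ~ mailer) print "MAILER   " NR ": " cmd
        if (!out || !err) print "CRONMAIL " NR ": " cmd
    }'
}

# Constructed sample crontab; script paths and recipients are made up.
sample_crontab() {
    cat <<'EOF'
# constructed sample crontab
0 2 * * * /opt/scripts/backup.ksh >/var/tmp/backup.log 2>&1
24 2 * * * /opt/scripts/report.ksh | mailx -s "nightly report" ops
15 * * * * /opt/scripts/cleanup.ksh
30 3 * * 0 /opt/scripts/rotate.ksh 2>/dev/null
5 4 * * * /usr/lib/sendmail -t < /var/tmp/msg.txt >/dev/null 2>&1
EOF
}

sample_crontab | audit_crontab
```

To audit a real account, pipe that user's `crontab -l` output into `audit_crontab` instead of the sample.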