January 18, 2003

Value of Pipe

I had an interesting experience yesterday. We had a number of people complain that they received blank email messages from our server. We run sendmail, but there are no mail accounts on our machine (and very few shell accounts); we use sendmail purely for reminders from the application (and believe we have secured scripts to do so). Our firewall blocks any inbound mail.

A little worrisome . . . mail relay? cracked? Obviously we needed to get to the bottom.

Now I'm barely a sendmail novice, and had little idea where to start except to go to /var/log/syslog and see what could be determined. I also am aware that there may be methods to do the following in fewer commands (which some may think more noble), but I was not shooting for any awards here, just wanted to get the necessary information.

I started by grabbing sma and pulling out mail logs (I used sma's CustomLog to get address and date only). I found a spike of messages had been sent on two different days between specific periods of time, so I grepped based on date and time. Then I wanted to sort based on name so the names were all in order (needed to pipe to uniq), or in sma I could configure the date to be first and then sort based on time (to see start and stop time). After this sort I determined there were a number of admin email addresses I wanted left out, so I did a grep -v to exclude any line matching a handful of strings. Once I had all the mail addresses in order (and after doing a wc to get that stat) I piped to uniq -c to get a listing of how many messages had been sent to each unique user. Of course, having this in order required another pipe to sort. I switched between a pipe to more and wc to determine the number of unique users and to report the actual mail addresses to the requesting helpdesk person.

After sharing the information with the helpdesk we determined that an admin user had triggered a reminder email from the application but failed to fill in a subject or body.

The list of pipes: sma | grep | sort | grep | uniq -c | sort | (wc or more)

Just in case you had forgotten how great piping is . . .

Posted by mike at January 18, 2003 4:55 PM
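
The pipeline described in the post, as an added example that is not the author's own commands. Constructed sample lines stand in for sma's address-and-date output; the time window, the addresses and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample: "date time recipient" lines standing in for the
# address-and-date report the post pulled from the mail log.
sample_log() {
cat <<'EOF'
2003-01-16 09:58:12 alice@example.com
2003-01-16 10:02:41 bob@example.com
2003-01-16 10:02:44 alice@example.com
2003-01-16 10:03:05 admin@example.com
2003-01-16 10:03:09 carol@example.com
2003-01-16 10:04:30 alice@example.com
2003-01-16 10:05:02 bob@example.com
2003-01-16 10:05:17 root@example.com
2003-01-16 10:06:11 alice@example.com
2003-01-16 11:30:00 dave@example.com
2003-01-17 10:04:00 erin@example.com
EOF
}

# Keep only the spike window (assumed: 2003-01-16, 10:00-10:59), drop the
# admin addresses, reduce each line to the recipient, and sort so that
# uniq sees identical addresses on adjacent lines.
spike_recipients() {
    sample_log \
      | grep '^2003-01-16 10:' \
      | grep -v -e ' admin@' -e ' root@' \
      | cut -d' ' -f3 \
      | sort
}

# Messages per recipient, busiest first (count, then address).
per_recipient() {
    spike_recipients | uniq -c | awk '{print $1, $2}' | sort -k1,1nr -k2,2
}

# Total messages in the window and number of distinct recipients.
total_messages()    { spike_recipients | wc -l | tr -d ' '; }
unique_recipients() { spike_recipients | uniq | wc -l | tr -d ' '; }

per_recipient
echo "messages: $(total_messages)  recipients: $(unique_recipients)"
```

A burst of many messages to a small set of recipients inside a narrow window, as here, points toward a single triggering event rather than open relaying.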