
Re: Unknown User message in sendmail maillog.





Right.  But in this case, all you are doing is printing the stuff from the current line and then ignoring it from all eternity afterwards.  Since there is no need to access the stuff again, it is much more efficient to just do it one line at a time and throw away the rest.  Right?



-----Original Message-----
From: fiaid@quasi-sane.com [mailto:fiaid@quasi-sane.com]
Sent: Wednesday, February 05, 2003 11:11 AM
To: silug-discuss@silug.org
Subject: Re: Unknown User message in sendmail maillog.


Remember, there are no stupid questions, only stupid people.  I love 
Southpark.

I think that the reasoning behind this is to give it a true variable name 
and space instead of using $_ as you would need to do with the "while 
(<>)"  Also, by array loading this, you are able to call back into the 
array instead of losing it once it is gone by, you can do a $foo[16] 
whereas you can't do a $_[16].  If you can though, tell me, I have a 
shitton of scripts that I can rewrite.

Tighe

> However, I do have a possibly stupid question.  Won't this approach read
> the entire log file into memory before using it? In fact if you did it
> against /var/log/maillog* wouldn't it read the contents of every maillog
> file into memory all at once, and then proceed to start going through
> them line by line?  Wouldn't it be more efficient to do something like
> 
> while (<>)  
> {
> ...
> }
> 
> instead of 
> 
> @foo=<>;
> 
> for my $bar (@foo) 
> {
>   ...
> }
> 
> There is a comment on page 18 of the Camel book that sort of subtly mentions this in a not very clear sort of a way.
> 
> 
> -----Original Message-----
> From: Steven Pritchard [mailto:steve@silug.org]
> Sent: Friday, January 31, 2003 9:36 AM
> To: silug-discuss@silug.org
> Cc: luci-discuss@luci.org
> Subject: Re: Unknown User message in sendmail maillog.
> 
> 
> On Thu, Jan 30, 2003 at 05:35:27PM -0600, Aaron Cronkright wrote:
> > My problem is that I can't seem to find the log entry that gives me
> > the ip addr and/or hostname of the computer doing this. Anyone have a
> > finger to point me in the proper direction so I can block this bozo at
> > the firewall?
> 
> Try the following (admittedly inefficient) script against
> /var/log/maillog*:
> 
> #!/usr/bin/perl
> 
> @foo=<>;
> 
> for my $bar (@foo) {
>     if ($bar =~ /sendmail\[\d+\]:\s+(\w+):\s+.*\<([^\>]+)\>.*User unknown$/) {
>         my $id=$1;
>         my $to=$2;
>         for my $baz (grep { /:\s+$id:/ } @foo) {
>             if ($baz =~
>                 /:\s+$id:\s+from=\<([^\>]+)\>.*relay=[^\[]*\[([\d\.]+)\]$/) {
>                 print "from=<$1> to=<$to> relay=<$2>\n";
>                 last;
>             }
>         }
>     }
> }
> 
> Hmm...  Looks like I'll need to make an optimization pass before I can
> effectively use that myself.  It's taking a *really* long time to run
> on the mail server here.  :-)
> 
> Steve
> 

-- 
Tighe Schlottog         workape         fiaid
"Nothing is too cruel if it is funny enough."


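The line-at-a-time approach discussed in this thread, as an added example that is not part of any of the messages: it reuses the two patterns from the quoted script but keeps only per-queue-ID state in hashes, and it matches the two lines in either order, as the script's grep over the whole array does. The names `%src`, `%pending`, `process` and `report`, and the log lines after `__DATA__`, are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not from the thread: one pass over the log, hash lookups
# instead of grep over @foo for every "User unknown" line.
use strict;
use warnings;

my %src;       # queue ID -> [sender, relay IP] taken from the from= line
my %pending;   # queue ID -> [recipients] rejected before a from= line was seen

sub report {
    my ($s, $to) = @_;
    print "from=<$s->[0]> to=<$to> relay=<$s->[1]>\n";
}

sub process {
    my ($line) = @_;
    chomp $line;
    return unless $line =~ /sendmail\[\d+\]:\s+(\w+):\s+(.*)$/;
    my ($id, $rest) = ($1, $2);

    if ($rest =~ /^from=<([^>]+)>.*relay=[^\[]*\[([\d.]+)\]$/) {
        $src{$id} ||= [$1, $2];    # first from= line wins, like "last" in the script
        report($src{$id}, $_) for @{ delete($pending{$id}) || [] };
    }
    elsif ($rest =~ /.*<([^>]+)>.*User unknown$/) {
        my $to = $1;
        if ($src{$id}) { report($src{$id}, $to) }
        else           { push @{ $pending{$id} }, $to }   # from= line not seen yet
    }
}

# Only the current line plus the two hashes are held in memory.
if (@ARGV) { while (my $line = <>)     { process($line) } }   # e.g. /var/log/maillog*
else       { while (my $line = <DATA>) { process($line) } }   # constructed sample below

# Rejections whose from= line never appeared in the input.
for my $id (sort keys %pending) {
    print "to=<$_> queue-id=$id (no from=/relay= line found)\n" for @{ $pending{$id} };
}

# Everything after __DATA__ is constructed sample input, not real log data.
__DATA__
Feb  5 11:10:58 mail sendmail[4321]: h15HAw0a004321: <nobody@example.org>... User unknown
Feb  5 11:10:59 mail sendmail[4321]: h15HAw0a004321: from=<a@example.net>, size=812, nrcpts=1, proto=SMTP, relay=host.example.net [192.0.2.10]
Feb  5 11:11:03 mail sendmail[4330]: h15HB3b0004330: from=<b@example.com>, size=440, nrcpts=1, proto=SMTP, relay=[198.51.100.7]
Feb  5 11:11:04 mail sendmail[4331]: h15HB3b0004330: to=<ghost@example.org>, delay=00:00:01, stat=User unknown
Feb  5 11:11:09 mail sendmail[4340]: h15HB9c0004340: <gone@example.org>... User unknown
```

Run with no arguments it processes the constructed sample; given file names it reads them through `<>` one line at a time.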
-
To unsubscribe, send email to majordomo@silug.org with
"unsubscribe silug-discuss" in the body.
