[wplug-bsd] Periodic -- phantom email

Brandon Kuczenski brandon at 301south.net
Sun Jan 9 14:58:43 EST 2005


There are three parts to this message.
  PART I: the periodic security script whose installation coincided with 
the problem (though I worked on a lot of stuff that day)
  PART II: a debugging change I made to the periodic script, and its output
  PART III: an example of a phantom email

On Sun, 9 Jan 2005, Bill Moran wrote:

> Brandon Kuczenski <brandon at 301south.net> wrote:
>
>> About a month ago I added a new script to my /etc/periodic/security
>> directory.  The script looks through the security log for notations
>> regarding people updating their IMAP passwords, and it's nothing special.
>> It works fine.
>
> Can you show us the script?
>

Here it is (part I):

#!/bin/sh -
# 802.imappw
#
# based on 800.loginfail
# script to show automated IMAP password updates using my cron/mail system.

# Show automated IMAP password updates
#

# If there is a global system configuration file, suck it in.
#
if [ -r /etc/defaults/periodic.conf ]
then
     . /etc/defaults/periodic.conf
     source_periodic_confs
fi

LOG="${daily_status_security_logdir}"

yesterday=`date -v-1d "+%b %e "`

catmsgs() {
 	find ${LOG} -name 'security.*' -mtime -2 |
 	    sort -t. -r -n +1 -2 |
 	    xargs zcat -f
 	[ -f ${LOG}/security ] && cat $LOG/security
}

case "$daily_status_security_imappw_enable" in
     [Yy][Ee][Ss])
 	echo ""
 	echo "${host} IMAP password updates:"
 	n=$(catmsgs | grep -ia "^$yesterday.*IMAP.*password" |
 	    tee /dev/stderr | wc -l)
 	[ $n -gt 0 ] && rc=1 || rc=0;;
     *)	rc=0;;
esac

exit $rc

EOF



>> The day after I installed it, I began to get these mysterious emails at
>> 4:42 AM (exactly when my periodic daily functions run).  The emails are
>> From root and not to anybody, so the mail daemon rejects them saying "no
>> recipients specified".  There is no content to the emails, either, just
>> mail from root to........... ?

<Part II>

I made a substantial (for me) discovery: 'periodic' is actually a script, 
not a binary, and I can read its actions directly.  In the script, the 
following is done to decipher what to do with the output:

for arg
do
     # Where's our output going ?
     eval output=\$${arg##*/}_output
     case "$output" in
     /*) pipe="cat >>$output";;
     "") pipe=cat;;
     *)  pipe="mail -s '$host ${arg##*/} run output' $output";;
     esac

...

For debugging, I added the line:

     logger "Periodic: $arg $output $pipe"

and in my logs last night received the following:

Jan  9 04:42:00 ocean root: Periodic: daily root mail -s 'ocean.301south.net daily run output' root
Jan  9 04:42:01 ocean root: Periodic: security root mail -s 'ocean.301south.net security run output' root

so that seems copasetic.  I think what I will do next is disable the 
security script and see if the problem is still there.



Lastly [Part III], here is the phantom email I received last night:

>From MAILER-DAEMON at 301south.net Sun Jan  9 04:42:01 2005
Return-Path: <>
X-Original-To: root at 301south.net
Delivered-To: root at 301south.net
Received: by ocean.301south.net (Postfix)
 	id 245E81045E; Sun,  9 Jan 2005 04:42:01 -0500 (EST)
Date: Sun,  9 Jan 2005 04:42:01 -0500 (EST)
From: MAILER-DAEMON at 301south.net (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: root at 301south.net
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 	boundary="17D7E1041A.1105263721/ocean.301south.net"
Message-Id: <20050109094201.245E81045E at ocean.301south.net>
Time-Received: Sun Jan  9 04:42:01 EST 2005
X-Virus-Status: No
X-Virus-Checker-Version: clamassassin 1.2.2 with clamdscan / ClamAV 0.80/655/Fri Jan  7 08:54:13 2005
X-Spam-Skipped: Yes =Message not tested by SpamAssassin=
Time-Delivered: Sun Jan  9 04:42:01 EST 2005

This is the Postfix program at host ocean.301south.net.

I'm sorry to have to inform you that your message could not be
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to <postmaster>

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

 			The Postfix program

<unknown>: No recipients specified

     [ Part 2: "Delivery report" ]

Reporting-MTA: dns; ocean.301south.net
X-Postfix-Queue-ID: 17D7E1041A
X-Postfix-Sender: rfc822; root at 301south.net
Arrival-Date: Sun,  9 Jan 2005 04:42:01 -0500 (EST)

Final-Recipient: rfc822; unknown
Action: failed
Status: 5.0.0
Diagnostic-Code: X-Postfix; No recipients specified


     [ Part 3: "Undelivered Message" ]

Received: by ocean.301south.net (Postfix, from userid 0)
 	id 17D7E1041A; Sun,  9 Jan 2005 04:42:01 -0500 (EST)
Message-Id: <20050109094201.17D7E1041A at ocean.301south.net>
Date: Sun,  9 Jan 2005 04:42:01 -0500 (EST)
From: root at 301south.net (Charlie Root)
To: undisclosed-recipients:;

EOF


-Brandon
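
As an added example (not part of the original post or of FreeBSD's periodic script), these sh functions pull the queue ID, submitting uid, arrival time and diagnostic out of a Postfix bounce like the one in Part III, then list which periodic runs the Part II debug line logged in that same second. The function names and the trimmed sample inputs are assumptions made for illustration.

```sh
#!/bin/sh
# Constructed input: report fields and returned headers trimmed from the
# bounce in Part III (addresses keep the archive's " at " form).
sample_bounce() {
cat <<'EOF'
Reporting-MTA: dns; ocean.301south.net
X-Postfix-Queue-ID: 17D7E1041A
X-Postfix-Sender: rfc822; root at 301south.net
Arrival-Date: Sun,  9 Jan 2005 04:42:01 -0500 (EST)
Final-Recipient: rfc822; unknown
Diagnostic-Code: X-Postfix; No recipients specified
Received: by ocean.301south.net (Postfix, from userid 0)
To: undisclosed-recipients:;
EOF
}
# The two debug lines from Part II, unwrapped.
sample_log() {
cat <<'EOF'
Jan  9 04:42:00 ocean root: Periodic: daily root mail -s 'ocean.301south.net daily run output' root
Jan  9 04:42:01 ocean root: Periodic: security root mail -s 'ocean.301south.net security run output' root
EOF
}
# bounce_field NAME: value of the first "NAME:" header on stdin; a leading
# "type;" tag such as "rfc822;" is dropped.
bounce_field() {
    awk -v name="$1" 'tolower($1) == (tolower(name) ":") {
        sub(/^[^:]*:[ \t]*/, ""); sub(/^[A-Za-z0-9-]+;[ \t]*/, "")
        print; exit }'
}
# bounce_uid: local uid that submitted the returned message.
bounce_uid() {
    sed -n 's/.*(Postfix, from userid \([0-9][0-9]*\)).*/\1/p' | head -n 1
}
# runs_at HH:MM:SS: periodic arguments the debug logger recorded in that second.
runs_at() {
    awk -v t="$1" '$3 == t && $6 == "Periodic:" { print $7 }'
}
# triage BOUNCE_FILE LOG_FILE: one-line summary of the bounce and matching runs.
triage() {
    qid=$(bounce_field X-Postfix-Queue-ID < "$1")
    why=$(bounce_field Diagnostic-Code < "$1")
    when=$(bounce_field Arrival-Date < "$1" | awk '{ print $5 }')
    uid=$(bounce_uid < "$1")
    runs=$(runs_at "$when" < "$2" | tr '\n' ' ')
    echo "queue=$qid uid=$uid at=$when reason=\"$why\" periodic=${runs% }"
}
# Demo on the constructed samples above.
d=$(mktemp -d); sample_bounce > "$d/b"; sample_log > "$d/l"
triage "$d/b" "$d/l"; rm -rf "$d"
```

A match on the timestamp only narrows the candidates; it does not show which script under that run produced the empty message.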


