
I work for an ISP in Australia. Recently a user's account has been compromised and is sending spam. How can I read the contents of a mail item in the mailq to find the authenticated user which has been compromised? I know how to do this in Postfix but have had no luck in finding a way to do it in sendmail. Running CentOS.

Thanks in advance. Struggling Network Operator.

Khan McDonald
  • Your logs will tell you where the mail is coming from. – womble Aug 20 '15 at 01:07
  • Yeah, I could use the logs, but there are around 500-1000 emails per second. There has to be a way to read a qf or df file referencing the ID? – Khan McDonald Aug 20 '15 at 03:08
  • Typically most emails (>95%) are delivered in a few seconds. That makes scanning log files a better option than scanning the "not yet delivered" messages in the sendmail queue. Anyway, I would suggest a solution for "next time" too. – AnFi Aug 20 '15 at 06:52

1 Answer


Sendmail will save the message in the queue for safe keeping before trying to get the message delivered. The command to manipulate the queue is mailq.

By design the queue is very transient, and typically in cases like this you should rely on your log files, which also contain information about messages that are already delivered and can no longer be found in the queue, rather than scanning the few messages that are/remain in the queue.

(If your maillog currently does not quite contain the information you need, this answer may be of interest for future reference.)

Each message in the queue is stored in the directories /var/spool/clientmqueue and /var/spool/mqueue as a couple of files which are named thus: the first letter is for "type and status", the second letter is "f", and the rest is the sendmail queue ID that you see in the logs and mailq output.

The first letter is usually one of :

d the body of the mail

q the message envelope with routing information and headers when the message is normal

Q rename of the "q" file when the message is abandoned for some reason

h rename of the "q" file when the message is held (quarantined by a milter)

t temporary file

x transcript of delivery attempts

If you're looking for authentication information: the qf file is structured as a series of lines, each beginning with a purpose code letter, with the A line containing the information given by the AUTH= parameter of the "MAIL FROM:" command, or $f@$j if sendmail has been called directly.
Some more on the make-up of the other fields in the qf file here.

So grep ^A /var/spool/mqueue/qf* will list the authenticated senders.

HBruijn
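An added example, not part of the question or the answer above, that turns the "grep ^A" idea and the "use your logs" advice into one script: it parses the one-letter purpose codes of each qf/Qf/hf file in a queue directory and counts queued messages per A-line (authenticated sender), and it separately counts successful SMTP authentications per authid from maillog lines of the form "<queue-id>: AUTH=server, relay=..., authid=<user>, mech=..." that sendmail writes when a client authenticates. The queue files and log lines below are constructed for this example, and the regular expression for the log line is an assumption about the maillog format rather than something taken from the page.

```python
"""Find the authenticated account behind a spam run on a sendmail host.

Sources: the 'A' line of each queue file (AUTH= parameter of MAIL FROM) and
maillog "AUTH=server ... authid=<user>" lines. All sample queue files and log
lines in this file are constructed for the example.
"""
import os
import re
import tempfile
from collections import Counter

# qf = normal, Qf = abandoned, hf = held; the queue ID follows the prefix.
QF_NAME = re.compile(r"^[qQh]f(\w+)$")
# Assumed maillog format for a successful SMTP AUTH (one line per session).
MAILLOG_AUTH = re.compile(
    r": (?P<qid>\w+): AUTH=server, relay=(?P<relay>[^,]+), "
    r"authid=(?P<authid>[^,]+), mech=(?P<mech>\w+)")

# Constructed queue: two messages authenticated as bob (one already abandoned),
# one from alice, and one inbound message from another MX with no A line.
SAMPLE_QF_FILES = {
    "qft7K17B0k004021": [
        "V8", "T1440032831", "N1", "Fbs", "$rESMTP", "$sdsl-5.example.isp",
        "Sbob@example.net", "Abob@example.net",
        "rRFC822; victim1@example.org", "RPFD:victim1@example.org",
        "H?P?Return-Path: <bob@example.net>", "H??Subject: Cheap watches", "."],
    "Qft7K17C0m004025": [
        "V8", "T1440032832", "N3", "Fbs", "Sbob@example.net", "Abob@example.net",
        "rRFC822; victim2@example.org", "RPFD:victim2@example.org",
        "H??Subject: Cheap watches", "."],
    "qft7K17e1x004040": [
        "V8", "T1440032860", "N1", "Fbs", "Salice@example.net", "Aalice@example.net",
        "rRFC822; friend@example.org", "RPFD:friend@example.org",
        "H??Subject: Lunch?", "."],
    "qft7K17f2y004051": [
        "V8", "T1440032870", "N1", "Fbs", "$rESMTP", "Ssomeone@example.com",
        "rRFC822; bob@example.net", "RPFD:bob@example.net",
        "H??Subject: hello", "."],
}

# Constructed maillog excerpt: bob authenticated twice, alice once.
SAMPLE_MAILLOG = [
    "Aug 20 01:07:11 mx1 sm-mta[4021]: t7K17B0k004021: AUTH=server, relay=[203.0.113.5], authid=bob, mech=LOGIN, bits=0",
    "Aug 20 01:07:11 mx1 sm-mta[4021]: t7K17B0k004021: from=<bob@example.net>, size=2310, class=0, nrcpts=50, msgid=<1@dsl-5.example.isp>, proto=ESMTP, daemon=MTA, relay=[203.0.113.5]",
    "Aug 20 01:07:12 mx1 sm-mta[4025]: t7K17C0m004025: AUTH=server, relay=[203.0.113.5], authid=bob, mech=LOGIN, bits=0",
    "Aug 20 01:07:40 mx1 sm-mta[4040]: t7K17e1x004040: AUTH=server, relay=[198.51.100.20], authid=alice, mech=PLAIN, bits=0",
    "Aug 20 01:07:41 mx1 sm-mta[4040]: t7K17e1x004040: to=<friend@example.org>, delay=00:00:01, mailer=esmtp, relay=mx.example.org. [192.0.2.10], dsn=2.0.0, stat=Sent",
]


def parse_qf(text):
    """Parse one qf file into a dict keyed by its one-letter purpose code.

    H (header), R/r (recipient) and $ (macro) lines repeat and are kept as
    lists; everything else is a single value. Parsing stops at the '.' line
    that ends the record, so nothing after it is trusted.
    """
    rec = {"H": [], "R": [], "$": []}
    for line in text.splitlines():
        if line == ".":
            break
        if not line:
            continue
        code, value = line[0], line[1:]
        if code in ("R", "r"):
            rec["R"].append(value)
        elif code in ("H", "$"):
            rec[code].append(value)
        else:
            rec[code] = value
    return rec


def queued_auth_senders(qdir):
    """Count queued messages per authenticated sender (the qf 'A' line).

    Files without an 'A' line (no AUTH on the session) count under '(none)'.
    """
    counts = Counter()
    for name in sorted(os.listdir(qdir)):
        if not QF_NAME.match(name):
            continue  # df/tf/xf files carry no envelope information
        with open(os.path.join(qdir, name), encoding="utf-8", errors="replace") as fh:
            counts[parse_qf(fh.read()).get("A", "(none)")] += 1
    return counts


def log_auth_senders(lines):
    """Count successful SMTP authentications per authid in maillog lines."""
    return Counter(m.group("authid") for m in map(MAILLOG_AUTH.search, lines) if m)


def build_sample_queue():
    """Write the constructed qf files into a fresh temp dir; return its path."""
    qdir = tempfile.mkdtemp(prefix="mqueue-example-")
    for name, lines in SAMPLE_QF_FILES.items():
        with open(os.path.join(qdir, name), "w", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    return qdir


if __name__ == "__main__":
    print("queue   :", queued_auth_senders(build_sample_queue()).most_common())
    print("maillog :", log_auth_senders(SAMPLE_MAILLOG).most_common())
```

On a live box run it as root against /var/spool/mqueue (and /var/spool/clientmqueue), and feed log_auth_senders the output of grep 'AUTH=server' over the rotated maillog files; at the volumes in the question the log count is the more complete picture, since the queue only holds what has not been delivered yet. Remember that the A line records what the client presented as AUTH=, so a single account appearing with an unusual relay address or an unusually high count is the signal, not the line on its own.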