A user engaged in illegal activity at your company. We want to know who she (badgirl) wrote to and who wrote to her over the past month. Assuming you are archiving the log files, this isn't so difficult. If you don't have the log files archived, then you've only got the past few days to work with. I have included a script (gatherlogs.sh) showing how to keep these logs. In theory you should move these to a storage area, but most servers have too much space anyway.

Badgirl also had an outside email account which poses a unique problem in finding out who she wrote to inside your company.



METHODOLOGY SUMMARY
~~~~~~~~~~~~~~~~~~~
If you used my script for log file archiving you'll have what you need named with the format

servername.maillog.YYYYMMDD

Where YYYY is the year, MM is the month and DD is the day. So we have pretty effectively captured the inbound and outbound traffic.


METHODOLOGY SPECIFIC
~~~~~~~~~~~~~~~~~~~~
Here I'm going to map the steps that I used to get this information from the files that I expanded into the working directory (march) so that if we have to go back and grab information from previous months I will be able to run these same commands on a larger (or different) set of data. We are looking for a user called badgirl@charter.net.

1. Find all lines with badgirl in them.

grep -i badgirl *

You can count these by adding a | wc at the end
of that line. Each of these lines may or may not
uniquely correspond to a single message. In many
cases you will find more than one entry for each
message. So let's break it down some more.

2. How many are from badgirl?

grep -i badgirl@charter.net * |grep mail.charter.net |wc

Note, the mail.charter.net is the relay at charter.net.
I had to find this by looking at the output. This will
limit what you get to one line/message.

3. But are any other messages going to the mail.charter.net
mail server? I have to use a two-line command to get
this one, but essentially we get a sorted list with the
most popular charter.net recipients at the bottom. Note
some have <> characters around them. badgirl appears in
two forms (with and without the <>), 8 and 32 times. This
means 40 total messages were sent to badgirl. I looked for
other obvious aliases but found none. You may wish to run
this line as well to look. Just make sure you are in the
appropriate directory first.

grep -i mail.charter.net * |cut -d"=" -f2 | \
cut -d"," -f1 |sort |uniq -c|sort -n

5 <crisnoone@charter.net>
5 <dsomebody@charter.net>
5 knobody@charter.net
5 spamc@charter.net
5 <terriwhoever@charter.net>
8 badgirl@charter.net
32 <badgirl@charter.net>
41 somesuspicious@charter.net


3. Who sent messages to badgirl@charter.net?
Note, this is a two line command joined with a
backslash character.

grep -i mail.charter.net * | grep badgirl | \
cut -d'=' -f3 |cut -d'(' -f1 |sort |uniq -c

8 aflores@yourdomain.com
1 nnicol
16 <bgirl@yourdomain.com>
5 <pbarter@yourdomain.com>
2 <thoagland@yourdomain.com>
9 <vmitchell@yourdomain.com>

Interesting... 16 messages came from bgirl and
probably came from badgirl, but because of the
vagaries of the grep command I'm going to need
to confirm this visually with the following
command:

grep -i mail.charter.net * | grep badgirl | grep bgirl

Sure enough... you can visually see messages
originating from badgirl@yourdomain.com and going to the
badgirl@charter.net address. Interesting.

grep -i to=badgirl@charter.net * | wc

4. Just as a sort of check on our systems, let's use the
method at the bottom of the previous entry to count
all the mail sent to badgirl@charter.net. This is a
bit like double-entry bookkeeping where you total
everything down the columns and also across the rows
and hope to get the same numbers. We do get the same numbers.

grep -i mail.charter.net * | grep badgirl | grep bgirl | wc
grep -i mail.charter.net * | grep badgirl | grep aflores | wc
grep -i mail.charter.net * | grep badgirl | grep nnicol | wc
grep -i mail.charter.net * | grep badgirl | grep pbarter | wc
grep -i mail.charter.net * | grep badgirl | grep thoagland | wc
grep -i mail.charter.net * | grep badgirl | grep vmitchell | wc

5. Save the relevant lines from the files expanded into the
working directory (march) so that, if we have to go back and
grab information from previous months, these same commands
can be run on a larger (or different) set of data:

grep -i badgirl * |grep mail.charter.net > ../badgirltofrom
grep -i badgirl * |grep from >> ../badgirltofrom
cd ..
sort badgirltofrom > badgirltofromsorted

6. Finally, who did badgirl@charter.net send email to?
This one requires a script:

######################################################################
#!/bin/sh

# findwho.sh rips through the email log looking for who inbound emails
# were sent to. You need this because sendmail logs store the information
# in more than one line: the from= line and the to= line(s) of a message
# share only the queue id. So... you can grep who sent a message with little
# effort, but to see where they sent the message is much more difficult.
#
# This program requires you to first rip out the message ids and store them
# in a file, then set that file up as the ID_LIST variable below. I hope
# this is helpful.
#
# This program reads the message ids from that text file, one id per line
# (anything after the id on the line is ignored), into the variable:
#
# $MSG_IDS
#
# Note: I think I missed a step because you should have a file called
# frombadgirl showing only those messages that badgirl@charter.net
# sent. I will leave the creation of this file as an exercise for
# the reader who surely can figure out how to produce this by now.
#
# Then produce the message ids using the cut command:
#
# cut frombadgirl -d: -f5 > frombadgirl_msg_ids
#
# (The field number depends on your syslog line layout. With the usual
# "Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: ..." layout the queue id
# is colon-separated field 4, so check the first few lines of the output
# before trusting it.)


# ****** VARIABLES ******
# Get the paths right before you ask me for help. :)

ID_LIST=./frombadgirl_msg_ids
MAILLOGS=./march/*        # use path/* to examine multiple files (left unquoted below so the glob expands).
TO_WHOM=./frombadgirl_to_whom

# ********* THE SCRIPT *********

export PATH=$PATH:/bin:/usr/bin:/usr/local/bin

rm -f "$TO_WHOM"

# Read one message id per line; REMAINDER soaks up anything after the id.
exec < "$ID_LIST"
while read -r MSG_IDS REMAINDER
do
    # Skip blank lines: an empty pattern would match every log line.
    [ -n "$MSG_IDS" ] || continue
    # Every log line of that message (from=, to=, ...) carries the queue id.
    grep -F -- "$MSG_IDS" $MAILLOGS >> "$TO_WHOM"
done

########################################################################
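The join that findwho.sh and step 3 both rely on (a sendmail message is one from= line plus one to= line per recipient, linked only by the queue id) is shown end to end in this added example, which is not part of the original post or its scripts. It builds a small constructed maillog in the usual syslog/sendmail layout, so the colon field number and all addresses are assumptions for the demo:

```shell
#!/bin/sh
# Added example (not the page's findwho.sh): join sendmail from= and to= lines by queue id.
# The log below is constructed for this demo in the usual syslog/sendmail layout
# ("Mon DD HH:MM:SS host sendmail[pid]: QUEUEID: from=... | to=..."); adjust the
# cut field if your MTA logs a different prefix.
MAILLOG=$(mktemp)
trap 'rm -f "$MAILLOG"' EXIT
cat > "$MAILLOG" <<'EOF'
Mar  3 09:12:01 mx1 sendmail[2041]: k23E1C2041: from=<badgirl@charter.net>, size=1822, class=0, nrcpts=2, msgid=<a1@charter.net>, proto=ESMTP, daemon=MTA, relay=mail.charter.net [10.0.0.5]
Mar  3 09:12:01 mx1 sendmail[2042]: k23E1C2041: to=<aflores@yourdomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31822, dsn=2.0.0, stat=Sent
Mar  3 09:12:01 mx1 sendmail[2042]: k23E1C2041: to=<pbarter@yourdomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=31822, dsn=2.0.0, stat=Sent
Mar  4 14:30:55 mx1 sendmail[3107]: k24JUt3107: from=<bgirl@yourdomain.com>, size=910, class=0, nrcpts=1, msgid=<b2@yourdomain.com>, proto=ESMTP, daemon=MTA, relay=ws17.yourdomain.com [192.0.2.17]
Mar  4 14:30:56 mx1 sendmail[3108]: k24JUt3107: to=<badgirl@charter.net>, ctladdr=<bgirl@yourdomain.com> (502/100), delay=00:00:01, xdelay=00:00:01, mailer=esmtp, pri=30910, relay=mail.charter.net. [10.0.0.5], dsn=2.0.0, stat=Sent
Mar  5 08:02:10 mx1 sendmail[4211]: k25D2A4211: from=<badgirl@charter.net>, size=2210, class=0, nrcpts=1, msgid=<c3@charter.net>, proto=ESMTP, daemon=MTA, relay=mail.charter.net [10.0.0.5]
Mar  5 08:02:10 mx1 sendmail[4212]: k25D2A4211: to=<vmitchell@yourdomain.com>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=32210, dsn=2.0.0, stat=Sent
EOF

# Queue ids of every message whose envelope sender is $1: one id per message,
# however many log lines that message produced (this is the real message count).
queue_ids_from() {
  grep -iF "from=<$1>" "$MAILLOG" | cut -d: -f4 | tr -d ' ' | sort -u
}

# Recipients of messages sent by $1: take each queue id, then pull that
# message's to= lines. Output is "address count", sorted by address.
recipients_of() {
  queue_ids_from "$1" | while read -r qid; do
    grep -F "$qid: to=" "$MAILLOG" || true
  done | sed -n 's/.*to=<\([^>]*\)>.*/\1/p' | sort | uniq -c | awk '{print $2, $1}'
}

# Envelope senders of messages delivered to $1: the reverse join, from the
# to= line back to the from= line of the same queue id.
senders_to() {
  grep -iF "to=<$1>" "$MAILLOG" | cut -d: -f4 | tr -d ' ' | sort -u | while read -r qid; do
    grep -F "$qid: from=" "$MAILLOG" || true
  done | sed -n 's/.*from=<\([^>]*\)>.*/\1/p' | sort | uniq -c | awk '{print $2, $1}'
}

echo "messages from badgirl@charter.net: $(queue_ids_from badgirl@charter.net | wc -l)"
echo "they were addressed to:"; recipients_of badgirl@charter.net
echo "messages to badgirl@charter.net came from:"; senders_to badgirl@charter.net
```

Point the MAILLOG variable at an expanded archive (or concatenate a month of files into it) to run the same three questions over real data.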

#!/bin/bash
#
# gatherlogs.sh - Grabs yesterday's email logs
#
# This script relies on a second script on gateway to position the files
# properly on the server.


######### VARIABLES ############
DEPOSITDIR=/home/archived_logs
# Yesterday's rotated log (maillog.1.gz) is filed under today's date.
WEBFILENAME=localserver.maillog.$(date +%Y%m%d).gz

############ CODE ##############
cd "$DEPOSITDIR" || exit 1
cp /var/log/maillog.1.gz "$WEBFILENAME"


########################################################################



Note: badgirl@charter.net is a fictitious person... just a name I pulled out of the air. My apologies to the real badgirl@charter.net, who is probably a fun-loving person.
~~~~~~~~~~~~~~~~~~
What did badgirl do? Well, that's private, but let's just say that she worked in a business that provided her leads. Her job was to close these deals for the company. In return for making her life easier (nobody likes sales) badgirl and the company (where she works) shared a percentage of the deal. If she were to do this business on her own she would probably spend 80% of her time searching for leads and 20% closing deals. So the company is providing her with a way to get business... and they SHARE the commission.

Sadly, badgirl used the company to attract clients then did side deals. She kept her share and the company's share of the money. So basically, she is a thief.
Email Forensics - Who has user X been communicating with.