Re: "proving" a user received an email (good gosh)

From: Peter Peters (P.G.M.Peters@civ.utwente.nl)
Date: 06/24/02


From: Peter Peters <P.G.M.Peters@civ.utwente.nl>
Date: Mon, 24 Jun 2002 09:44:34 +0200

On 23 Jun 2002 23:45:03 -0700, rut@linuxmail.org (gaius.petronius)
wrote:

>exhibit A
>maillog:
>Jun 22 23:47:31 swm sendmail[5517]: g5MFlUu05517:
>from=<sender@address>, size=5988, class=0, nrcpts=2,
>msgid=<4778858448D8547D4A54BCC6118467D@>, proto=ESMTP, daemon=MTA
>
>I also see in
>exhibit B
>maillog:
>Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517: to=<BigLiar>,
>delay=00:00:00, xdelay=00:00:00, mailer=local, pri=65536, dsn=2.0.0,
>stat=Sent
>maillog:Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517:
>to=<AngryBOSS>, delay=00:00:00, xdelay=00:00:00, mailer=local,
>pri=65536, dsn=2.0.0, stat=Sent
>
>My question is, although I know that this 22:23:47:31 is most probably
>the mail in question, how can I link it to the message id
>78858448D8547D4A54BCC6118467D@ ??

They all have the same queue indication: g5MFlUu05517

Exhibit A shows the mail from sender@address is saved in queue entry
g5MFlUu05517 and exhibit B shows it is delivered from queue entry
g5MFlUu05517 to BigLiar and AngryBOSS.

>This is probably more a security or forensics question.
>Is there a way to tune the logs to report the message id of the email
>when the user logs in and receives?

You will have to change the code of the POP daemon to log the extra
information (if available).

-- 
Peter Peters
senior netwerkbeheerder,  Centrum voor Informatievoorziening, 
Universiteit Twente,   Postbus 217,  7500 AE  Enschede
telefoon: +31 53 489 2301, fax:+31 53 489 2383, http://www.utwente.nl/civ
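
The queue-ID correlation described in the reply above, as an added example that is not part of the original post: it groups sendmail maillog lines by queue ID so a message id can be tied to its sender and to each recipient's delivery status. The function names are hypothetical, and the sample is the post's exhibits A and B with the wrapped lines re-joined, one log entry per line.

```python
import re
from collections import defaultdict

# Constructed sample: exhibits A and B from the post, wrapped lines re-joined.
SAMPLE_LOG = """\
Jun 22 23:47:31 swm sendmail[5517]: g5MFlUu05517: from=<sender@address>, size=5988, class=0, nrcpts=2, msgid=<4778858448D8547D4A54BCC6118467D@>, proto=ESMTP, daemon=MTA
Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517: to=<BigLiar>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=65536, dsn=2.0.0, stat=Sent
Jun 22 23:47:31 swm sendmail[5518]: g5MFlUu05517: to=<AngryBOSS>, delay=00:00:00, xdelay=00:00:00, mailer=local, pri=65536, dsn=2.0.0, stat=Sent
"""

# timestamp, host, sendmail[pid], queue ID, then the key=value list
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+sendmail\[\d+\]:\s+"
    r"(?P<qid>\w+):\s+(?P<rest>.*)$")
# Split only on ", " that starts a new key=, so commas inside a value survive.
FIELD_SPLIT = re.compile(r",\s+(?=\w+=)")

def correlate(log_text):
    """Return {queue_id: {sender, msgid, nrcpts, deliveries}} for a maillog."""
    msgs = defaultdict(lambda: {"sender": None, "msgid": None,
                                "nrcpts": None, "deliveries": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sendmail queue entry line
        fields = dict(p.split("=", 1)
                      for p in FIELD_SPLIT.split(m["rest"]) if "=" in p)
        entry = msgs[m["qid"]]
        if "from" in fields:      # exhibit A: message accepted into the queue
            entry.update(sender=fields["from"], msgid=fields.get("msgid"),
                         nrcpts=int(fields.get("nrcpts", 0)))
        elif "to" in fields:      # exhibit B: one line per delivery attempt
            entry["deliveries"].append({
                "ts": m["ts"], "to": fields["to"],
                "mailer": fields.get("mailer"), "dsn": fields.get("dsn"),
                "stat": fields.get("stat")})
    return dict(msgs)

def recipients_for_msgid(log_text, msgid):
    """List (recipient, stat, mailer) for every queue entry with this msgid."""
    wanted = msgid.strip("<>")
    return [(d["to"], d["stat"], d["mailer"])
            for e in correlate(log_text).values()
            if e["msgid"] and e["msgid"].strip("<>") == wanted
            for d in e["deliveries"]]
```

A `stat=Sent` with `mailer=local` records hand-off to the local mailer, that is, delivery into the mailbox; it does not show that the user retrieved the message.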


