
Help with shell script to count logins from different IPs (to same account) in exim_mainlog.

Asked by ujoe
Tags: Apache Web Server, Web Servers, Shell Scripting
I can figure out parts of this, but am having a difficult time putting it all together.

Here's the scenario:

This is a Redhat Linux server running a newer version of exim, with WHM/cPanel. I am the administrator with full root/shell access.

The exim_mainlog file contains multiple logins to the same email account from different IP addresses. This is an indication that the email user's password has been stolen and is being used to broadcast spam, depending of course on the number of different IP addresses logging in, within a short period of time. Here is a short example list of entries, just to illustrate this situation:

2012-03-10 16:31:19 1S6Uoo-0002d2-17 <= sales@customerdomain.com.au H=(customerdomain.com.au) [] P=esmtpa A=courier_login:sales@customerdomain.com.au S=830
2012-03-10 16:31:24 1S6Uor-0002cc-V2 <= sales@customerdomain.com.au H=(customerdomain.com.au) [] P=esmtpa A=courier_login:sales@customerdomain.com.au S=838
2012-03-10 16:31:27 1S6Uov-0002e3-KX <= sales@customerdomain.com.au H=(customerdomain.com.au) [] P=esmtpa A=courier_login:sales@customerdomain.com.au S=839

Of course, these entries would be more numerous and mixed in with many other logins to many other email accounts on the server.

What I need to come up with is a shell script that counts the number of DIFFERENT IPs logging into the same account, e.g. within a tail of something like the last 100 entries.

I've found this line, which works great to count the number of exim logins per account:
egrep -o 'login[^ ]+' /var/log/exim_mainlog | sort|uniq -c|sort -nk 1

... and I can even get it to work for the last 100 entries, like this:
egrep -o 'login[^ ]+' /var/log/exim_mainlog | tail -100 | sort|uniq -c|sort -nk 1

But what I need is output that tells me how many DIFFERENT IPs have logged in to that account.

In other words, what I get from the script lines above is output like this:

     14 login:cccc@domainuber.com
     15 login:aaaa@domainlanka.com
     15 login:dddd@domaingreat.com

The leading number indicates the number of logins to each account.

But what I need to see instead is output something like the following:

14   2     login:jbs+domainuber.com
15   1     login:cmesa@domainlanka.com
15   12   login:rjc@domaingreat.com

... where the second number in each entry indicates the number of different IPs involved with the logins for each specific account.

I have also tried to work this out in a "for" loop, e.g.

for i in `egrep -o 'login[^ ]+' /var/log/exim_mainlog | tail -100 | sort | uniq -c | sort -nk 1 | awk '{print $1}'`; do
  # $i is only the per-account login count; the client IP is never looked at
  if [ "$i" -gt 12 ]; then
    echo "$i"
  fi
done

Trying to establish 12 as a maximum threshold, but with this I am getting even less info than before, certainly not the number of DIFFERENT IP addresses logging into each account.

Any help would be greatly appreciated.
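Added example (not from the asker or from any answer on this page): a POSIX shell/awk function that reads exim_mainlog lines on stdin and prints the three-column output the question asks for (logins, distinct IPs, account), plus a threshold filter on the distinct-IP count. The log lines are constructed to follow the asker's format, with the client address assumed to be the bracketed token after H= (the sample in the question shows it empty); IPs come from documentation ranges and the message IDs are made up.

```shell
#!/bin/sh
# Constructed exim_mainlog sample (not from the original post). The format follows the
# asker's lines; IPs are from documentation ranges and the message IDs are made up.
SAMPLE_LOG='2012-03-10 16:31:19 1S6Uoo-0002d2-17 <= sales@customerdomain.com.au H=(customerdomain.com.au) [192.0.2.10] P=esmtpa A=courier_login:sales@customerdomain.com.au S=830
2012-03-10 16:31:24 1S6Uor-0002cc-V2 <= sales@customerdomain.com.au H=(customerdomain.com.au) [192.0.2.11] P=esmtpa A=courier_login:sales@customerdomain.com.au S=838
2012-03-10 16:31:27 1S6Uov-0002e3-KX <= sales@customerdomain.com.au H=(customerdomain.com.au) [192.0.2.10] P=esmtpa A=courier_login:sales@customerdomain.com.au S=839
2012-03-10 16:31:30 1S6Uoz-0002e9-AB <= sales@customerdomain.com.au H=(customerdomain.com.au) [192.0.2.12] P=esmtpa A=courier_login:sales@customerdomain.com.au S=845
2012-03-10 16:31:33 1S6Up2-0002f0-CD <= info@example.net H=(mail.example.net) [198.51.100.7] P=esmtpa A=courier_login:info@example.net S=512
2012-03-10 16:31:35 1S6Up5-0002f4-EF <= info@example.net H=(mail.example.net) [198.51.100.7] P=esmtpa A=courier_login:info@example.net S=520
2012-03-10 16:31:40 1S6Uoo-0002d2-17 => remote@example.org R=dnslookup T=remote_smtp H=mx.example.org [203.0.113.25]'

# count_distinct_ips: read exim_mainlog lines on stdin and print one row per
# authenticated account:  <logins> <distinct IPs> <login:account>
# Lines without an authenticated login (A=...login:...) are ignored.
count_distinct_ips() {
    awk '
    {
        ip = ""; acct = ""
        for (i = 1; i <= NF; i++) {
            # client address is the bracketed token after H=..., e.g. [192.0.2.10]
            if ($i ~ /^\[[0-9a-fA-F.:]+\]/) { ip = $i; sub(/\].*/, "]", ip) }
            # same token the asker extracts with egrep -o "login[^ ]+"
            else if (match($i, /login:[^ ]+/)) acct = substr($i, RSTART, RLENGTH)
        }
        if (ip == "" || acct == "") next
        logins[acct]++
        if (!((acct, ip) in seen)) { seen[acct, ip] = 1; distinct[acct]++ }
    }
    END { for (a in logins) printf "%d %d %s\n", logins[a], distinct[a], a }
    ' | sort -n -k1,1 -k2,2
}

# flag_accounts THRESHOLD: print only accounts seen from more than THRESHOLD
# distinct IPs, the signal the asker wants for a possibly stolen password.
flag_accounts() {
    count_distinct_ips | awk -v t="$1" '$2 > t + 0 { print $3 }'
}

# Demo on the constructed sample; on the live server use
#   tail -n 100 /var/log/exim_mainlog | count_distinct_ips
printf '%s\n' "$SAMPLE_LOG" | count_distinct_ips
printf '%s\n' "$SAMPLE_LOG" | flag_accounts 2
```

Feeding `tail -n 100` of the live log into the function limits the window the way the question describes; raising the threshold in `flag_accounts` tunes how many distinct addresses count as suspicious.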
