#! /opt/imh-python/bin/python3
''' List sources of email sent by address and directory. '''
import os
import sys
import re
import glob
import gzip
import datetime
from collections import defaultdict
from argparse import ArgumentParser
__author__ = "Daniel K"
__email__ = "danielk@inmotionhosting.com"
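def _open_log(path):
    '''Open *path* for text reading, transparently handling gzip.

    The first two bytes are probed for the gzip magic number, so rotated
    logs are handled whether or not the rotation scheme compresses them.
    Undecodable bytes are replaced with U+FFFD instead of raising, so one
    malformed entry cannot stop the rest of the file from being read.
    '''
    with open(path, 'rb') as probe:
        is_gzip = probe.read(2) == b'\x1f\x8b'
    opener = gzip.open if is_gzip else open
    return opener(path, 'rt', encoding='utf-8', errors='replace')


def email_lines(all_logs=False, main_log="/var/log/exim_mainlog",
                rotated_glob="/var/log/exim_mainlog?*"):
    '''Yield the lines of the Exim main log as ``str``.

    When *all_logs* is true, every file matching *rotated_glob* is read
    first (in sorted name order, so the sequence is deterministic), then
    *main_log*.  Every file is yielded as text: previously the rotated logs
    were opened with ``gzip.open(..., 'r')`` and produced ``bytes``, which
    the string-based filters in ``get_sources`` cannot handle, and an
    uncompressed rotated log failed to open at all.

    A decoding error used to terminate iteration of the current file, so
    all lines after the first bad byte were silently dropped; decoding now
    replaces such bytes instead (see ``_open_log``).

    Args:
        all_logs: also read the rotated logs, not just the current one.
        main_log: path of the current log file.
        rotated_glob: glob pattern selecting the rotated log files.

    Yields:
        One log line at a time, newline included.

    A missing file, or an OS/gzip error while reading, prints a message and
    exits with status 1, as before.
    '''
    log_list = sorted(glob.glob(rotated_glob)) if all_logs else []

    for log_file in [*log_list, main_log]:
        if not os.path.exists(log_file):
            print(f"Could not find log file: {log_file}")
            sys.exit(1)

        try:
            with _open_log(log_file) as mail_log:
                yield from mail_log
        # gzip reports a truncated archive as EOFError, not OSError.
        except (OSError, EOFError) as error:
            print(f"Error reading file '{log_file}': {error}")
            sys.exit(1)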
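def get_domains(username='', users_dir='/var/cpanel/users'):
    '''Return a regex alternation of the domains owned by *username*.

    An empty *username* yields the permissive pattern ``[^@ ]+`` (any
    domain).  Otherwise ``<users_dir>/<username>`` is read and the value of
    every ``DNS=`` / ``DNSn=`` line is collected.  Each domain is lower-cased
    (``get_sources`` matches against lower-cased log lines) and passed
    through ``re.escape`` so that dots match literally rather than any
    character; empty values are skipped.

    Args:
        username: cPanel account name; must be a plain file name.
        users_dir: directory holding the cPanel user files.

    Returns:
        An alternation such as ``example\\.com|foo\\.net``, or ``''`` when the
        user file lists no domains.

    A username containing ``/`` (or equal to ``.``/``..``), a missing user
    file, or a read error prints a message and exits with status 1.
    '''
    if username == '':
        return r'[^@ ]+'

    # The username is interpolated into a path; refuse anything that could
    # resolve outside users_dir rather than quietly reading another file.
    if '/' in username or username in ('.', '..'):
        print(f"Invalid cPanel username: {username!r}")
        sys.exit(1)

    user_file = f"{users_dir}/{username}"
    if not os.path.exists(user_file):
        print(
            "Could not find domains for {}. "
            "Invalid cPanel user? Cannot find {}".format(username, user_file)
        )
        sys.exit(1)

    dns_rx = re.compile(r"^DNS[0-9]*=(.*)$")
    domain_list = []

    # open() is inside the try so an unreadable file is reported the same
    # way as a read error instead of raising a traceback.
    try:
        with open(user_file, encoding='utf-8') as user_data:
            for line in user_data:
                dns_match = dns_rx.search(line)
                if dns_match is None:
                    continue
                domain = dns_match.group(1).strip().lower()
                if domain:
                    domain_list.append(re.escape(domain))
    except OSError as error:
        print(f"Error reading file '{user_file}': {error}")
        sys.exit(1)

    return '|'.join(domain_list)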
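def _time_window(time):
    '''Translate the ``time`` argument of ``get_sources`` into a filter.

    Returns ``(date, duration, target)``: ``date`` is a prefix every line
    must start with (``''`` for none), ``duration`` the maximum age in
    seconds (``0`` for none) and ``target`` the reference "now" used to
    compute ages, or ``None`` when no duration applies.

    Raises:
        ValueError: *time* is neither ``''``, a string containing ``-``
            (a date prefix), nor a non-negative int.  The original code
            used ``assert`` here, which disappears under ``python -O``.
    '''
    if time == '':
        return '', 0, None
    if isinstance(time, str) and '-' in time:
        return time, 0, None
    # bool is an int subclass; reject it rather than treat True as 1 second.
    if isinstance(time, int) and not isinstance(time, bool) and time >= 0:
        return '', time, datetime.datetime.now()
    raise ValueError(f"Time is not date or number: {time!r}")


def _line_age(line, target):
    '''Return seconds between *target* and the line's leading timestamp.

    ``None`` is returned when the first 19 characters do not parse as a real
    ``YYYY-MM-DD HH:MM:SS`` value (the regex pre-check accepts e.g. month
    13), so one odd line cannot abort the whole scan.
    '''
    try:
        stamp = datetime.datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    return (target - stamp).total_seconds()


def get_sources(all_logs=False, username='', time='', lines=None, domains=None):
    '''Return ``(email_logins, working_directories, spoofing)`` counters.

    Scans Exim main-log lines and tallies:

    * ``email_logins``: per authenticated SMTP login (``courier_``/
      ``dovecot_`` ``plain``/``login``), the number of recipients listed
      after ``for``.
    * ``working_directories``: per ``cwd=/home/<username>...`` path, the
      number of lines seen (paths containing ``/usr/local/cpanel/`` are
      ignored).
    * ``spoofing``: per ``"<login> as <sender>"`` pair, the number of
      recipients for messages whose envelope sender (``<= addr``) does not
      begin with the authenticated login — the user is sending as someone
      else.  Such lines are still counted under ``email_logins`` too.

    All three are ``defaultdict(int)``.  Login and spoofing patterns are
    matched against the lower-cased line; the directory pattern against the
    original line.

    Args:
        all_logs: read rotated logs as well as the current one.
        username: cPanel account; restricts domains and ``cwd`` paths.
        time: ``''`` for no filter, a date prefix string (``YYYY-MM-DD``
            or longer), or an int number of seconds before now.
        lines: optional iterable of log lines; defaults to
            ``email_lines(all_logs)``.
        domains: optional domain regex alternation; defaults to
            ``get_domains(username)``.

    Raises:
        ValueError: *time* is not a valid filter (see ``_time_window``).
    '''
    email_logins = defaultdict(int)
    working_directories = defaultdict(int)
    spoofing = defaultdict(int)

    if domains is None:
        domains = get_domains(username)
    if lines is None:
        lines = email_lines(all_logs)

    date, duration, target = _time_window(time)

    datetime_rx = re.compile(r'\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}')
    login_rx = re.compile(
        r'(courier|dovecot)_(plain|login):(?P<login>[^@ ]+(@(?P<domain>{}))?) '
        r'.*for (?P<for>.*)$'.format(domains)
    )
    # (?!(?P=sender)) rejects logins that start with the envelope sender,
    # leaving only "authenticated as X, sending as Y" lines.
    spoofing_rx = re.compile(
        r'<= (?P<sender>[^@]*@[^@ ]+)'
        r'.*(courier|dovecot)_(plain|login):'
        r'(?P<login>(?!(?P=sender))[^@ ]+(@(?P<sdom>{}))?)'
        r'.*for (?P<for>.*)$'.format(domains)
    )
    # username comes from the command line; escape it so a regex
    # metacharacter cannot alter (or break) the pattern.
    directory_rx = re.compile(
        fr'cwd=(?P<directory>/home/{re.escape(username)}[^ ]*)'
    )

    for line in lines:
        if date != '' and not line.startswith(date):
            continue

        if not datetime_rx.match(line):
            continue

        # If duration is set, skip any lines older than that.
        if duration > 0:
            age = _line_age(line, target)
            if age is None or not duration > age:
                continue

        lowered = line.lower()

        spoof = spoofing_rx.search(lowered)
        if spoof:
            logged_in = "{} as {}".format(
                spoof.group('login'), spoof.group('sender')
            )
            spoofing[logged_in] += len(spoof.group('for').split())
            # Deliberately no `continue`: the line is also a login below.

        login = login_rx.search(lowered)
        if login:
            email_logins[login.group('login')] += len(
                login.group('for').split()
            )
            continue

        cwd = directory_rx.search(line)
        if cwd:
            directory = cwd.group('directory')
            if '/usr/local/cpanel/' in directory:
                continue
            working_directories[directory] += 1

    return (email_logins, working_directories, spoofing)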
def print_sorted_dict(dictionary):
    '''Print one ``count<TAB>key`` row per entry, smallest count first.'''
    rows = sorted(dictionary.items(), key=lambda item: item[1])
    for key, count in rows:
        print(f"{count:>7}\t{key}")
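def _build_parser():
    '''Build the command-line parser used by ``parse_args``.'''
    parser = ArgumentParser(description=__doc__)

    parser.add_argument(
        "-a",
        "--all",
        action='store_true',
        help="Search all email logs, rather than only the recent log.",
    )

    parser.add_argument(
        'username',
        metavar='USER',
        type=str,
        nargs='?',
        help="Search for only email from a specific cPanel account",
    )

    time_group = parser.add_mutually_exclusive_group()

    time_group.add_argument(
        "-d",
        "--date",
        action='store',
        type=str,
        default='',
        help=(
            "Search for entries from a certain date. "
            "Must be in the format of YYYY-MM-DD."
        ),
    )

    time_group.add_argument(
        "-s",
        "--seconds",
        action='store',
        type=int,
        default=0,
        help=(
            "Search entries which were made within the specified "
            "number of seconds. Overrides --all."
        ),
    )

    time_group.add_argument(
        "-r",
        "--recent",
        action='store_true',
        help=(
            "Search recent entries, from the last hour. "
            "This is the same as -s 3600. Also overrides --all"
        ),
    )

    return parser


def parse_args(argv=None):
    '''Parse command-line arguments into ``(all_logs, username, time)``.

    Args:
        argv: argument list to parse; ``None`` means ``sys.argv[1:]``.

    Returns:
        ``all_logs`` (bool), ``username`` (``''`` when not given) and
        ``time`` (``''``, the ``--date`` string, or an int of seconds), in
        the shape ``get_sources`` expects.  ``--recent`` and a positive
        ``--seconds`` force ``all_logs`` to False, as their help text says.

    A ``--date`` not starting with ``YYYY-MM-DD`` or a negative
    ``--seconds`` prints a message and exits with status 1; previously a
    negative value was silently treated as "no filter".
    '''
    args = _build_parser().parse_args(argv)

    all_logs = args.all
    username = '' if args.username is None else args.username

    # Only the YYYY-MM-DD prefix is validated; the whole value is passed on
    # and used by get_sources as a line prefix.
    date_rx = re.compile(r"\d{4}-\d{2}-\d{2}")

    if args.recent:
        time = 3600
        all_logs = False
    elif args.date != '':
        if not date_rx.match(args.date):
            print(f"Date is not in the correct format: {args.date}")
            sys.exit(1)
        time = args.date
    elif args.seconds < 0:
        print(f"Seconds must not be negative: {args.seconds}")
        sys.exit(1)
    elif args.seconds > 0:
        time = args.seconds
        all_logs = False
    else:
        time = ''

    return all_logs, username, time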
def main():
    '''Entry point: parse arguments, gather the sources, print the report.'''
    all_logs, username, time = parse_args()
    email_logins, working_directories, spoofing = get_sources(
        all_logs, username, time
    )

    sections = (
        ("Email Logins:", email_logins),
        ("\nSource directories:", working_directories),
    )
    for heading, counts in sections:
        print(heading)
        print_sorted_dict(counts)

    print("\nPossibly spoofed emails:")
    if spoofing:
        print_sorted_dict(spoofing)
    else:
        print("\tNo obvious spoofs found")
if __name__ == "__main__":
    # Run the report only when executed as a script, not when imported.
    main()