SUMMARY: Strangeness in mail

Rasana Atreya (atreya@library.ucsf.edu)
Thu, 03 Apr 1997 11:02:08 -0800

Sun Managers,

This is my original post.

> A "finger" to "xyz", who I know has not logged on for months shows that his
> mail was read on Feb. 6 at 1:15. This seems to be the case for all mail in
> /var/mail. It seems like a cron job updates the file's read/open time at
> around 1 AM. This wasn't happening before. I don't see anything obvious.
> Would you know why it does that?
>
> # finger xyz
> Login name: xyz In real life: X Y. Z
> Directory: /home/xyz Shell: /bin/csh
> Never logged in.
> Mail last read Wed Feb 5 01:15:22 1997
> No Plan.
>
> # ls -l /var/mail/xyz
> -rw------- 1 xyz issg 10709 Jun 7 1996 /var/mail/xyz

I still have not been able to figure out the problem! ;(

There were lots of good suggestions, though. Please see below.

Thanks a lot to everyone!

Rasana

---------------------------------------------------------------------------
From: Ian MacPhedran <Ian_MacPhedran@mackenzie.usask.ca>

Do you use tar or something similar to backup your files at about that
time? Note: dump shouldn't update this time.

(Use ls -lu to see the read time of the files.)

Ian.
---------------------------------------------------------------------------

From: Ric Anderson <ric@rtd.com>

One possibility is an automated (cron or "at") script that uses
tar to back up the mail areas.

You might try running "lastcomm" and grepping for the time in
question to see what was running then. You could also try
looking at /var/cron/log (for Solaris - no idea where SunOS 4.x
keeps this) to see what cron jobs started in that time frame.

Good Luck,
Ric (<ric@rtd.com> "Ric Anderson", using RTD's public internet access)
---------------------------------------------------------------------------
From: "Karl E. Vogel" <vogelke@c17mis.region2.wpafb.af.mil>

First thing is to see if any program on your system is sending a message to
every mailbox at the same time. This would also serve to update the
timestamps.

Next thing is to check all of your crontab files. I'm assuming Solaris, so
look under /var/spool/cron/crontabs and see if anything has been modified
recently.

---------------------------------------------------------------------------
From: "Trevor Paquette" <tpaquett@AEC.CA>

What time do backups kick in at? (full and incremental) Do your backups
actually copy the mail somewhere? This is where I'd start looking. It is also
possible that someone is remote mounting your disks and reading files that way.
Look at /usr/sbin/showmount -a | grep EXPORTEDFILESYSTEM. See who has it
remotely mounted.

---------------------------------------------------------------------------
From: David Fetrow <fetrow@biostat.washington.edu>

Hmmm, we have a cron file to backup the mail on another disk
but it runs on a different machine. Perhaps that's going on there
as well?

---------------------------------------------------------------------------
From: Satish Somanath <satish@lvision.com>

A cron job runs around that time. Check by `crontab -l root` as root.

---------------------------------------------------------------------------
From: M.Toth-Abonyi@cc.u-szeged.hu (Toth-Abonyi Mihaly)

Dear Rasana,

Probably it is your daily archive process :-)

Regards,
Mihaly Toth-Abonyi
System administrator
Szeged, Hungary
---------------------------------------------------------------------------
From: vnarayan@haverford.edu (Vasantha Narayanan)

If you run a script that touches the files in the mail spool (example grep)
that will change the finger info because finger looks at ls -au, i.e., when
the file was last used to determine when the user last read mail.

Vasantha
---------------------------------------------------------------------------
From: Jay Lessert <jayl@latticesemi.com>

This sounds a little distressing. I can think of nothing "normal" that
would open everything in /var/mail for read. You probably need to pursue
this a little.

You can confirm the "last read" date with the -u flag to ls (ls -lu).
Check everything in /var/spool/cron/crontabs. If your /var/mail gets
nfs-mounted by clients, you need to double-check your automount
configuration and dfstab (and sharetab, while you're at it, I guess).
Hopefully it's something innocuous, but it looks suspicious.

---------------------------------------------------------------------------
From: John Reilly <dicey@REDBRICK.DCU.IE>

It sounds like a pop server is being used to read the mail.

John
---------------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~ Rasana Atreya Voice: (415) 476-3623 ~
~ System Administrator Fax: (415) 476-4653 ~
~ Library & Ctr for Knowledge Mgmt, Univ. of California at San Francisco ~
~ 530 Parnassus Ave, Box 0840, San Francisco, CA 94143-0840 ~
~ atreya@library.ucsf.edu ~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
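
One way to test the cron/backup theory raised in the replies above, as an added example that is not part of the original thread: stat every mailbox and report whether most access times fall inside one short window, which is the trace a bulk reader such as a backup job leaves behind. The function names, the 10-minute window, the 80% threshold and the sample spool are assumptions constructed for illustration.

```python
import calendar
import os
import tempfile


def read_sweep(spool, window=600, min_share=0.8):
    """Find the densest cluster of mailbox access times in `spool`.

    Returns (first_atime, last_atime, names) when at least `min_share` of
    the mailboxes were read within `window` seconds of each other, else None.
    """
    entries = []
    for entry in os.scandir(spool):
        if entry.is_file(follow_symlinks=False):
            # stat() reads the inode only, so this check leaves atime untouched.
            st = entry.stat(follow_symlinks=False)
            entries.append((st.st_atime, entry.name))
    entries.sort()
    best_count, best_start, lo = 0, 0, 0
    for hi in range(len(entries)):
        while entries[hi][0] - entries[lo][0] > window:
            lo += 1
        if hi - lo + 1 > best_count:
            best_count, best_start = hi - lo + 1, lo
    if best_count < 2 or best_count / len(entries) < min_share:
        return None
    group = entries[best_start:best_start + best_count]
    return group[0][0], group[-1][0], sorted(name for _, name in group)


def build_demo_spool():
    """Constructed sample: four mailboxes read within seconds, one hours later."""
    spool = tempfile.mkdtemp(prefix="spool-")
    delivered = calendar.timegm((1996, 6, 7, 12, 0, 0))
    swept = calendar.timegm((1997, 2, 5, 1, 15, 22))
    offsets = {"xyz": 0, "abc": 3, "def": 7, "ghi": 11, "jkl": 9 * 3600}
    for name, offset in offsets.items():
        path = os.path.join(spool, name)
        with open(path, "w") as fh:
            fh.write("constructed sample mailbox\n")
        os.utime(path, (swept + offset, delivered))  # (atime, mtime)
    return spool


if __name__ == "__main__":
    hit = read_sweep(build_demo_spool())
    if hit:
        print("%d mailboxes read within %d s: %s" % (len(hit[2]), hit[1] - hit[0], hit[2]))
```

The start of the reported window is the time to look for in the cron log and the crontab entries.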