Here's the scenario: An email comes in from China to my mail server to a particular user. It could be SPAM. What I care about is if that user responds to the email, or I see that user send an email to China and China responds. I don't care about one-way mail, but where there appears to be a conversation.
Now, I can't simply match up with a simple "sender=.cn AND receiver=.cn" -- logic doesn't work. It's too simplistic. If I was scripting this in PERL, I'd build a list of senders and bounce the list of receivers against it.
Does anyone know a good way to effectively do the same thing in SPLUNK? It boils down to comparing all the "to" values against all the "from" values and generating my results from that. The particular log format (Sendmail, Postfix, etc) is irrelevant.
Any ideas are welcome.
True, that gives me the ability to figure out the country of origin. However, I was after the logic to do comparisons... SPLUNK hooked me up with a solution, but it's quite resource intensive.
Search:
index="ironmail" sourcetype="IronMail" from=".ru" [search index="ironmail" sourcetype="IronMail" to=".ru" | eval from=to | fields from] | append [search index="ironmail" sourcetype="IronMail" to=".ru" [search index="ironmail" sourcetype="IronMail" from=".ru" | eval to=from | fields to]] | table _time,source,ironmail_ip,mesgID,from,to,received_ip,routedomain
And that doesn't even include what you suggest, leveraging a whois server to identify the box, let alone GeoIP. With very small time windows, I can run this and effectively get what I'm after.
In truth, it's probably better to track email "conversations" from the logs of Exchange itself, to more effectively minimize the white noise of false matches.
Thanks for the feedback.
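The set comparison the question describes (build the list of senders, bounce the recipients against it), which the subsearch above approximates, as an added Python example that is not from the original thread. The log records are constructed, and the function pairs individual addresses rather than only domains, so one-way mail and unrelated .cn senders drop out.

```python
from collections import defaultdict

# Constructed sample events (not from the original post), using the same
# field names as the Splunk search: from, to, mesgID, _time.
SAMPLE_EVENTS = [
    {"_time": "2010-03-01T08:00:00", "mesgID": "m1", "from": "alice@example.com", "to": "bob@mail.cn"},
    {"_time": "2010-03-01T09:10:00", "mesgID": "m2", "from": "bob@mail.cn", "to": "alice@example.com"},
    {"_time": "2010-03-01T09:30:00", "mesgID": "m3", "from": "spam@lists.cn", "to": "carol@example.com"},
    {"_time": "2010-03-01T10:00:00", "mesgID": "m4", "from": "dave@example.com", "to": "vendor@corp.cn"},
    {"_time": "2010-03-02T11:00:00", "mesgID": "m5", "from": "eve@example.com", "to": "bob@mail.cn"},
]


def domain_of(address):
    """Domain part of an address, lowercased (hypothetical helper)."""
    return address.rsplit("@", 1)[-1].lower()


def is_foreign(address, tld):
    """True when the address's domain ends in the country TLD of interest."""
    return domain_of(address).endswith("." + tld)


def find_conversations(events, tld="cn"):
    """Return (local, remote) pairs with mail in BOTH directions.

    inbound  : remote -> local, keyed by the (local, remote) pair
    outbound : local  -> remote, keyed by the same pair
    A pair present in both maps is a conversation; everything else is
    one-way mail (spam, a single outbound message) and is discarded.
    """
    inbound = defaultdict(list)
    outbound = defaultdict(list)
    for ev in events:
        sender, rcpt = ev["from"].lower(), ev["to"].lower()
        if is_foreign(sender, tld) and not is_foreign(rcpt, tld):
            inbound[(rcpt, sender)].append(ev["mesgID"])
        elif is_foreign(rcpt, tld) and not is_foreign(sender, tld):
            outbound[(sender, rcpt)].append(ev["mesgID"])
    # Set intersection of the two key sets is the "bounce against the list" step.
    return {pair: sorted(inbound[pair] + outbound[pair])
            for pair in inbound.keys() & outbound.keys()}


if __name__ == "__main__":
    for (local, remote), ids in find_conversations(SAMPLE_EVENTS).items():
        print(f"{local} <-> {remote}: {', '.join(ids)}")
```

Only alice/bob survive here: m3, m4 and m5 are each one direction only, which is the "white noise" the subsearch version cannot separate when it matches any .cn sender against any .cn recipient.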
Hi, first you can find the IP address of the email. Next you can get the information about that IP address from sites. You can get easy IP finding steps at http://aruljohn.com/info/howtofindipaddress/. After getting the IP address, you can get the whole details of the IP address at WhoisXY.com