Mail Tracking

bryansampsel
New Member

Here's the scenario: An email comes in from China to my mail server to a particular user. It could be SPAM. What I care about is if that user responds to the email, or I see that user send an email to China and China responds. I don't care about one-way mail, but where there appears to be a conversation.

Now, I can't simply match up with a simple "sender=.cn AND receiver=.cn" -- logic doesn't work. It's too simplistic. If I was scripting this in PERL, I'd build a list of senders and bounce the list of receivers against it.

Does anyone know a good way to effectively do the same thing in SPLUNK? It boils down to comparing all the "to" values against all the "from" values and generating my results from that. The particular log format (Sendmail, Postfix, etc) is irrelevant.

Any ideas are welcome.


bryansampsel
New Member

True, that gives me the ability to figure out the country of origin. However, I was after the logic to do comparisons...SPLUNK hooked me up with a solution, but it's quite resource intensive.

Search:

index="ironmail" sourcetype="IronMail" from=".ru" [search index="ironmail" sourcetype="IronMail" to=".ru" | eval from=to | fields from] | append [search index="ironmail" sourcetype="IronMail" to=".ru" [search index="ironmail" sourcetype="IronMail" from=".ru" | eval to=from | fields to]] | table _time,source,ironmail_ip,mesgID,from,to,received_ip,routedomain

And that doesn't even include what you suggest, leveraging a whois server to identify the box, let alone GeoIP. With very small time windows, I can run this and effectively get what I'm after.

In truth, it's probably better to track email "conversations" from the logs of Exchange itself, to more effectively minimize the white noise of false matches.

Thanks for the feedback.

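The two-way matching the search above performs (inbound mail whose sender also appears as a recipient of outbound mail, and vice versa), written out as the sender/recipient list comparison the original post describes. This is an added Python example over constructed log records, not code from the thread or from Splunk; the log format, the `.ru` suffix and the address pairing are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample mail-log records (not from the thread): one message per line.
SAMPLE_LOG = """\
2024-05-01T08:00:00 id=m1 from=alice@example.com to=boris@mail.ru
2024-05-01T08:05:00 id=m2 from=spam@promo.ru to=carol@example.com
2024-05-01T09:10:00 id=m3 from=boris@mail.ru to=alice@example.com
2024-05-01T09:30:00 id=m4 from=dave@example.com to=erin@partner.org
2024-05-01T10:00:00 id=m5 from=erin@partner.org to=dave@example.com
"""

LINE_RE = re.compile(r"id=(?P<id>\S+) from=(?P<from>\S+) to=(?P<to>\S+)")


def parse(log):
    """Yield (id, from, to) tuples; lines that do not match the assumed layout are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("id"), m.group("from").lower(), m.group("to").lower()


def is_foreign(addr, suffix):
    """True when the address's domain ends with the watched suffix (e.g. '.ru')."""
    return addr.rsplit("@", 1)[-1].endswith(suffix)


def conversations(log, suffix=".ru"):
    """Return {(local_user, foreign_party): [message ids]} for two-way exchanges.

    Same idea as the poster's Perl plan: collect inbound mail from the foreign
    suffix and outbound mail to it, then keep only (local, foreign) pairs that
    occur in both directions. One-way spam (m2) never pairs up and is dropped.
    """
    inbound = defaultdict(list)   # (local, foreign) -> ids of mail they sent us
    outbound = defaultdict(list)  # (local, foreign) -> ids of mail we sent them
    for mid, src, dst in parse(log):
        if is_foreign(src, suffix) and not is_foreign(dst, suffix):
            inbound[(dst, src)].append(mid)
        elif is_foreign(dst, suffix) and not is_foreign(src, suffix):
            outbound[(src, dst)].append(mid)
    # Pairing on the local user as well as the foreign address cuts the
    # "white noise" of unrelated matches the thread mentions.
    return {pair: sorted(inbound[pair] + outbound[pair])
            for pair in inbound.keys() & outbound.keys()}
```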

herculi
New Member

Hi, first you can find the IP address of the email. Next you can get the information about that IP address from sites. You can get easy IP finding steps at http://aruljohn.com/info/howtofindipaddress/. After getting the IP address, you can get the whole details of the IP address at WhoisXY.com
