Mail Tracking

bryansampsel
New Member

Here's the scenario: An email comes in from China to my mail server to a particular user. It could be SPAM. What I care about is if that user responds to the email, or I see that user send an email to China and China responds. I don't care about one-way mail, but where there appears to be a conversation.

Now, I can't simply match up with a simple "sender=.cn AND receiver=.cn" -- that logic doesn't work. It's too simplistic. If I was scripting this in Perl, I'd build a list of senders and bounce the list of receivers against it.

Does anyone know a good way to effectively do the same thing in Splunk? It boils down to comparing all the "to" values against all the "from" values and generating my results from that. The particular log format (Sendmail, Postfix, etc.) is irrelevant.

Any ideas are welcome.


bryansampsel
New Member

True, that gives me the ability to figure out the country of origin. However, I was after the logic to do comparisons... Splunk hooked me up with a solution, but it's quite resource intensive.

Search:

index="ironmail" sourcetype="IronMail" from=".ru" [search index="ironmail" sourcetype="IronMail" to=".ru" | eval from=to | fields from]
| append [search index="ironmail" sourcetype="IronMail" to=".ru" [search index="ironmail" sourcetype="IronMail" from=".ru" | eval to=from | fields to]]
| table _time,source,ironmail_ip,mesgID,from,to,received_ip,routedomain

And that doesn't even include what you suggest, leveraging a whois server to identify the box, let alone GeoIP. With very small time windows, I can run this and effectively get what I'm after.

In truth, it's probably better to track email "conversations" from the logs of Exchange itself, to more effectively minimize the white noise of false matches.

Thanks for the feedback.

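One way to do the sender/recipient comparison in a single pass with stats instead of nested subsearches, added here as an example (it is not the poster's search or a Splunk-supplied one); it assumes the same index, sourcetype, from, to and mesgID fields as the search above and the same .ru domain filter. Each message is tagged inbound or outbound, the local and remote addresses are normalised into one pair, and only pairs seen in both directions survive:

```spl
index="ironmail" sourcetype="IronMail" (from="*.ru" OR to="*.ru")
| eval direction=if(match(from, "\.ru$"), "inbound", "outbound")
| eval local=if(direction=="inbound", to, from)
| eval remote=if(direction=="inbound", from, to)
| stats dc(direction) AS directions, count AS messages,
        min(_time) AS first_seen, max(_time) AS last_seen,
        values(mesgID) AS message_ids
    BY local, remote
| where directions == 2
| convert ctime(first_seen) ctime(last_seen)
| sort - messages
```

A message whose sender and recipient both end in .ru is classified as inbound here; exclude such events with an extra where clause before the stats if they produce noise. Widening the time range only adds rows to the stats aggregation rather than re-running subsearches, so this scales better than the nested-search form.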

herculi
New Member

Hi, first you can find the IP address of the email. Next you can get the information about that IP address from sites. You can get easy IP-finding steps at http://aruljohn.com/info/howtofindipaddress/. After getting the IP address, you can get the whole details of the IP address at WhoisXY.com
