Splunk Search

Alert to detect email spoofing - Sender address and reply to address different

DDewarSplunk
New Member

Morning Splunk Gurus, I wonder if you can solve a question I have?

If an email is sent to you and the sender's email address has been spoofed, and you click reply, the address changes to a fake email address. How do I monitor Exchange logs so that if the "From" field in the email is not the same as the "Return-Path" field, it alerts me?

X-Sender-Id: This is the real sender.
The "Reply To" header is presented to the end user, but the actual reply goes to a field called "Return-Path".
Return-Path: This field is what the mail server would use if the end user chooses to reply to the sender.
From: This is the address of someone you know / trust, the email address of the impersonated sender.

I've been racking my brain trying to work this out, and would really appreciate any thoughts / ideas you might have.

Cheers
D


to4kawa
Ultra Champion

If you can find that information in the log, you can fix it.
In the SMTP protocol, there is only sender and recipient.

The others are all data.

If you can see Reply-To, you can detect email spoofing.
That's great.


davidc0805
New Member

I was wondering about this as well, but want to add an exclusion list into it due to known emails that come in from certain teams where the return path is a team inbox, so it will show as sent on behalf and replies go back to the team inbox so that any replies don't get dropped, say when they are not at work. Have you had any luck with what you were trying?

Trying to figure this one out myself, but throwing a curve ball at it as well, because I know some emails come into my environment sent on behalf. So I would have a list of exclusions I would like to build into the alert. Have you had any luck figuring this out?


DDewarSplunk
New Member

I'm thinking an eval and if command might work,
to say if email field x is not the same as email field y then alert... any ideas?

Many thanks

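A Splunk search along those lines, as an added example that is not from this thread: it assumes Exchange message tracking events in index `exchange` (sourcetype and field names are assumptions, adjust them to your add-on's extractions) with extracted fields `sender_address` (the From/Sender header), `return_path` (the envelope MAIL FROM), `recipient_address` and `message_subject`, plus an uploaded lookup file `spoof_exclusions.csv` with columns `from_addr,rp_addr,reason` listing known sent-on-behalf pairs such as team inboxes. The `eval ... if(...)` sets a `mismatch` flag when the two addresses differ, rows whose (From, Return-Path) pair is in the exclusion lookup are dropped, and the rest is summarised per pair so it can be saved as an alert.

```spl
index=exchange sourcetype="MSExchange:2013:MessageTracking" event_id=RECEIVE directionality=Incoming
| eval from_addr=lower(trim(sender_address)), rp_addr=lower(trim(return_path))
| where isnotnull(from_addr) AND isnotnull(rp_addr) AND rp_addr!="<>"
| eval mismatch=if(from_addr!=rp_addr, 1, 0)
| where mismatch=1
| lookup spoof_exclusions.csv from_addr rp_addr OUTPUT reason AS excluded_reason
| where isnull(excluded_reason)
| eval from_domain=mvindex(split(from_addr, "@"), 1), rp_domain=mvindex(split(rp_addr, "@"), 1)
| stats count AS messages, earliest(_time) AS first_seen, latest(_time) AS last_seen, values(recipient_address) AS recipients, values(message_subject) AS subjects BY from_addr rp_addr from_domain rp_domain
| convert ctime(first_seen) ctime(last_seen)
| sort - messages
```

Both addresses are lower-cased before the comparison and the lookup because `lookup` matching is case sensitive by default, and bounce messages with an empty `<>` return path are skipped. Expect noise from bulk senders and mailing lists, whose envelope sender legitimately differs from the From header; if that dominates, trigger on `from_domain!=rp_domain` instead of `mismatch=1`.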