https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425328#M173463 <P>Im thinking a eval and if command might work<BR /> To say if email field x is not the same as email field y then alert...any ideas ?</P> <P>Many thanks</P> Wed, 23 Jan 2019 12:30:02 GMT DDewarSplunk 2019-01-23T12:30:02Z https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425327#M173462 <P>Morning Splunk Gurus's, I wonder if you can solve a question I have?</P> <P>If an email is sent to you and the senders email address has been spoofed, if you click reply the address changes to a fake email address. How do I monitor exchange logs to say if the "From" field in the email email is not the same as the "Return-path" field then alert me ?</P> <P>X-Sender-Id - This is the real sender<BR /> The "Reply To" header is presented to the end-user but the actual reply goes to a field called "Return-Path" <BR /> Return Path: This field is what the mail server would use if the end-user chooses to reply to sender<BR /> From: This is address from someone you know \ trust, the email address of the impersonated sender.</P> <P>I've been racking my brain trying to work this out, and would really appreciate any thoughts \ ideas you might have</P> <P>Cheers<BR /> D</P> Wed, 23 Jan 2019 10:25:14 GMT https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425327#M173462 DDewarSplunk 2019-01-23T10:25:14Z https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425328#M173463 <P>Im thinking a eval and if command might work<BR /> To say if email field x is not the same as email field y then alert...any ideas ?</P> <P>Many thanks</P> Wed, 23 Jan 2019 12:30:02 GMT https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425328#M173463 DDewarSplunk 2019-01-23T12:30:02Z https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425329#M173464 <P>I was wondering about this as well but want to add an exclusion list into it due to known emails that come in from certain teams that the return path is a team inbox so it will show as sent on behalf and replies go back to the team inbox so that any replies don't get dropped say when they are not at work. Have you had any luck with what you were trying.,Trying to figure this one out myself but throw a curve ball at it as well because I know some emails come into my environment using a email sent on behalf. So would have a listed of exclusions I would like to build into the alert. Have you had any luck figuring this out.</P> Sun, 01 Mar 2020 09:18:37 GMT https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425329#M173464 davidc0805 2020-03-01T09:18:37Z https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425330#M173465 <P>If you can find that information in the log, you can fix it.<BR /> In Smtp protocol, there is only sender and recipient.</P> <P>the others is all <CODE>data</CODE>. </P> <P>if you can see <CODE>Reply To</CODE>, you can detect email spoofing.<BR /> that's great.</P> Sun, 01 Mar 2020 10:26:05 GMT https://community.splunk.com/t5/Splunk-Search/Alert-to-detect-email-spoofing-Sender-address-and-reply-to/m-p/425330#M173465 to4kawa 2020-03-01T10:26:05Z