Deployment Architecture

Query MX records or lookup MX records?

tristanrhys
New Member

Hey Guys,

We host an intermediate email greylister for our clients.

We also log all inbound attachments, and generate reports from that.

I need to show essentially the source mail-server for these attachments.

However, our postfix logs only log the last hop, which is our greylister. Therefore, all attachment logs appear to come from our greylister.

I am wondering if splunk can query MX records from an email address, convert that to an IP which I can then geoip?

For the record, here are our postfix logging config for header_checks:

/^Content-(Disposition|Type).name\s=\s*?(.(.|=2E)(.))/ WARN AttachmentFound: "$2"

Any help would be appreciated.

0 Karma

mhale1982
Path Finder

You should be able to do it with the script-based lookup:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Something as simple as a bash script with nslookup/dig would do the trick.

0 Karma

mhale1982
Path Finder

Exactly. Just make sure that your python script only returns a single MX record and nothing else and you should be good to go.

0 Karma

tristanrhys
New Member

Hi mhale1982,

That looks pretty much spot on.

So I will have to create a python script that will grab the MX record? As long as that is the case, the rest should be quite easy. Thanks.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...