Deployment Architecture

Query MX records or lookup MX records?

tristanrhys
New Member

Hey Guys,

We host an intermediate email greylister for our clients.

We also log all inbound attachments, and generate reports from that.

I need to show essentially the source mail-server for these attachments.

However, our postfix logs only log the last hop, which is our greylister. Therefore, all attachment logs appear to come from our greylister.

I am wondering if splunk can query MX records from an email address, convert that to an IP which I can then geoip?

For the record, here is our postfix logging config for header_checks:

# header_checks: log (WARN) every Content-Disposition / Content-Type header that
# carries a name= parameter; $2 is the captured filename (=2E is a quoted-printable dot)
/^Content-(Disposition|Type).*name\s*=\s*"?(.*(\.|=2E)(.*?))"?\s*(;|$)/ WARN AttachmentFound: "$2"

Any help would be appreciated.


mhale1982
Path Finder

You should be able to do it with the script-based lookup:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Something as simple as a bash script with nslookup/dig would do the trick.


mhale1982
Path Finder

Exactly. Just make sure that your python script only returns a single MX record and nothing else and you should be good to go.

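Putting the two replies together, here is an added example of such a script-based lookup. It is written for this page and is not code from the thread or from Splunk. It assumes a hypothetical transforms.conf stanza named mx_lookup with fields email, mx_host and mx_ip; Splunk pipes a CSV with those columns to the script's stdin and reads the same CSV, with the two output columns filled in, from stdout. The script calls dig with an argument list rather than a shell command line, because the address comes straight from an attacker-controlled header and must never be interpolated into a shell string, and it returns exactly one MX host per row as recommended above. The DNS answers in SAMPLE_ANSWERS are constructed so the logic can be exercised offline.

```python
#!/usr/bin/env python3
# Splunk external (script-based) lookup: e-mail address -> one MX host and its IP.
# Added example for this thread, not code from the poster or from Splunk.
# Assumed transforms.conf stanza (hypothetical names):
#   [mx_lookup]
#   external_cmd = mx_lookup.py email mx_host mx_ip
#   fields_list  = email, mx_host, mx_ip
import csv
import re
import subprocess
import sys

# RFC 1123 host syntax: dot-separated labels of letters, digits and hyphens.
# Anything else (spaces, ';', quotes, ...) is rejected before it reaches dig.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Constructed sample answers (not real DNS data) for offline runs and tests.
SAMPLE_ANSWERS = {
    ("example.com", "MX"): ["20 mx2.example.com.", "10 mx1.example.com."],
    ("mx1.example.com", "A"): ["192.0.2.10"],
}


def sample_resolver(name, rrtype):
    """Stand-in for dig that answers from SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS.get((name, rrtype), [])


def dig_resolver(name, rrtype):
    """`dig +short` answers for (name, rrtype) as a list of strings; [] on any failure.
    Argument list, no shell; short timeout so a slow authoritative server cannot stall the search."""
    try:
        proc = subprocess.run(["dig", "+short", "+time=2", "+tries=1", rrtype, name],
                              capture_output=True, text=True, timeout=5, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return []
    return [line.strip() for line in proc.stdout.splitlines() if line.strip()]


def sender_domain(address):
    """Lower-cased domain part of an address, or None if it is not a safe hostname."""
    if not address or "@" not in address:
        return None
    domain = address.rsplit("@", 1)[1].strip().rstrip(">").lower().rstrip(".")
    return domain if DOMAIN_RE.match(domain) else None


def best_mx(domain, resolve=dig_resolver):
    """The single lowest-preference MX host for `domain`, or None.
    `dig +short MX` prints lines such as '10 mx1.example.com.'."""
    candidates = []
    for line in resolve(domain, "MX"):
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            candidates.append((int(parts[0]), parts[1].rstrip(".").lower()))
    # Lowest preference wins; ties fall back to name order so the answer is stable.
    return min(candidates)[1] if candidates else None


def mx_ip(host, resolve=dig_resolver):
    """First IPv4 address of the MX host, or None."""
    return next((a for a in resolve(host, "A") if IPV4_RE.match(a)), None)


def lookup_row(address, resolve=dig_resolver):
    """email -> (mx_host, mx_ip). Empty strings on failure so the event keeps its row."""
    domain = sender_domain(address)
    host = best_mx(domain, resolve) if domain else None
    if not host:
        return "", ""
    return host, (mx_ip(host, resolve) or "")


def process(lines, email_f, host_f, ip_f, resolve=dig_resolver):
    """Run the lookup over CSV text (any iterable of lines); return the filled-in rows."""
    rows = []
    for row in csv.DictReader(lines):
        row[host_f], row[ip_f] = lookup_row(row.get(email_f), resolve)
        rows.append(row)
    return rows


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) != 4:
        sys.stderr.write("usage: mx_lookup.py <email_field> <mx_host_field> <mx_ip_field>\n")
        return 2
    email_f, host_f, ip_f = argv[1:4]
    rows = process(sys.stdin, email_f, host_f, ip_f)
    fieldnames = list(rows[0].keys()) if rows else [email_f, host_f, ip_f]
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(rows)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats before relying on this. A domain's MX records name the hosts that accept mail for that domain, not the host that sent a particular message; the server that handed a message to the greylister is recorded in the Received: header the greylister adds, so for source attribution that is the value to log and geolocate. And every lookup sends a query to the sender domain's authoritative name servers, so a sender can see when their messages are being searched and can make the lookup slow or fail; the timeout and the empty-string fallback exist for that reason.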

tristanrhys
New Member

Hi mhale1982,

That looks pretty much spot on.

So I will have to create a python script that will grab the MX record? As long as that is the case, the rest should be quite easy. Thanks.
