Deployment Architecture

Query MX records or lookup MX records?

tristanrhys
New Member

Hey Guys,

We host an intermediate email greylister for our clients.

We also log all inbound attachments, and generate reports from that.

I need to show essentially the source mail-server for these attachments.

However, our postfix logs only log the last hop, which is our greylister. Therefore, all attachment logs appear to come from our greylister.

I am wondering if splunk can query MX records from an email address, convert that to an IP which I can then geoip?

For the record, here are our postfix logging config for header_checks:

/^Content-(Disposition|Type).name\s=\s*?(.(.|=2E)(.))/ WARN AttachmentFound: "$2"

Any help would be appreciated.

0 Karma

mhale1982
Path Finder

You should be able to do it with the script-based lookup:

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Something as simple as a bash script with nslookup/dig would do the trick.

0 Karma

mhale1982
Path Finder

Exactly. Just make sure that your python script only returns a single MX record and nothing else and you should be good to go.

0 Karma

tristanrhys
New Member

Hi mhale1982,

That looks pretty much spot on.

So I will have to create a python script that will grab the MX record? As long as that is the case, the rest should be quite easy. Thanks.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...