Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Other Using Splunk
- :
- Reporting
- :
- Re: Mail Tracking
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Mail Tracking
Here's the scenario: An email comes in from China to my mail server to a particular user. It could be SPAM. What I care about is if that user responds to the email, or I see that user send an email to China and China responds. I don't care about one-way mail, but where there appears to be a conversation.
Now, I can't simply match up with a simple "sender=.cn AND receiver=.cn" -- logic doesn't work. It's too simplistic. If I was scripting this in PERL, I'd build a list of senders and bounce the list of receivers against it.
Does anyone know a good way to effectively do the same thing in SPLUNK? It boils down to comparing all the "to" values against all the "from" values and generating my results from that. The particular log format (Sendmail, Postfix, etc) is irrelevant.
Any ideas are welcome.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
True, that gives me the ability to figure out the country of origin. However, I was after the logic to do comparisons...SPLUNK hooked me up with a solution, but it's quite resource intensive.
Search:
index="ironmail" sourcetype="IronMail" from=".ru" [search index="ironmail" sourcetype="IronMail" to=".ru" | eval from=to | fields from] | append [search index="ironmail" sourcetype="IronMail" to=".ru" [search index="ironmail" sourcetype="IronMail" from=".ru" | eval to=from | fields to]] | table _time,source,ironmail_ip,mesgID,from,to,received_ip,routedomain
And that doesn't even include what you suggest, leveraging a whois server to identify the box, let alone GeoIP. With very small time windows, I can run this and effectively get what I'm after.
In truth, it's probably better to track email "conversations" from the logs of Exchange itself, to more effectively minimize the white noise of false matches.
Thanks for the feedback.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hai, first you can find the ip address of the email. Next you can get the information about that ip address from sites. You can get easy ip finding steps at http://aruljohn.com/info/howtofindipaddress/. after getting ip address, you can get the whole details of the ip address at WhoisXY.com
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Unlocking Unified Insights: New Gigamon Federated Search App for Splunk
GA: New Data Management App in Splunk Platform
Announcing Modern Navigation: A New Era of Splunk User Experience
