
Mail Tracking

bryansampsel
New Member

Here's the scenario: An email comes in from China to my mail server to a particular user. It could be SPAM. What I care about is if that user responds to the email, or I see that user send an email to China and China responds. I don't care about one-way mail, but where there appears to be a conversation.

Now, I can't simply match up with a simple "sender=.cn AND receiver=.cn" -- logic doesn't work. It's too simplistic. If I was scripting this in Perl, I'd build a list of senders and bounce the list of receivers against it.

Does anyone know a good way to effectively do the same thing in Splunk? It boils down to comparing all the "to" values against all the "from" values and generating my results from that. The particular log format (Sendmail, Postfix, etc.) is irrelevant.

Any ideas are welcome.

0 Karma

bryansampsel
New Member

True, that gives me the ability to figure out the country of origin. However, I was after the logic to do comparisons... Splunk hooked me up with a solution, but it's quite resource intensive.

Search:

index="ironmail" sourcetype="IronMail" from="*.ru" [search index="ironmail" sourcetype="IronMail" to="*.ru" | eval from=to | fields from] | append [search index="ironmail" sourcetype="IronMail" to="*.ru" [search index="ironmail" sourcetype="IronMail" from="*.ru" | eval to=from | fields to]] | table _time,source,ironmail_ip,mesgID,from,to,received_ip,routedomain

And that doesn't even include what you suggest, leveraging a whois server to identify the box, let alone GeoIP. With very small time windows, I can run this and effectively get what I'm after.

In truth, it's probably better to track email "conversations" from the logs of Exchange itself, to more effectively minimize the white noise of false matches.

Thanks for the feedback.

0 Karma
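
The comparison described in this thread (list the senders, then check the recipients against that list) can be done in a single pass by keying each message on its (local, remote) address pair and keeping only pairs seen in both directions. This is an added example, not code from the posts above; the record layout, the sample addresses and the function names are assumptions.

```python
from collections import defaultdict

# Constructed sample records (time, from, to); not taken from any real log.
SAMPLE = [
    ("2024-01-01T09:00:00", "sales@vendor.example.ru", "alice@corp.example.com"),
    ("2024-01-01T09:05:00", "promo@bulk.example.ru", "bob@corp.example.com"),
    ("2024-01-01T10:30:00", "alice@corp.example.com", "sales@vendor.example.ru"),
    ("2024-01-01T11:00:00", "carol@corp.example.com", "info@shop.example.ru"),
    ("2024-01-01T11:20:00", "Sales@Vendor.example.ru", "alice@corp.example.com"),
]


def in_tld(address, tld):
    """True when the address's domain ends with the given TLD, e.g. '.ru'."""
    return address.lower().rsplit("@", 1)[-1].endswith(tld.lower())


def find_conversations(records, tld):
    """Return {(local, remote): [times]} for pairs with mail in both directions."""
    seen = defaultdict(lambda: {"inbound": [], "outbound": []})
    for when, sender, rcpt in records:
        # Normalise case so Sales@... and sales@... count as one correspondent.
        sender, rcpt = sender.strip().lower(), rcpt.strip().lower()
        s_remote, r_remote = in_tld(sender, tld), in_tld(rcpt, tld)
        if s_remote == r_remote:
            continue  # neither or both sides in the TLD: not a local/remote pair
        if s_remote:
            seen[(rcpt, sender)]["inbound"].append(when)
        else:
            seen[(sender, rcpt)]["outbound"].append(when)
    # One-way mail (spam in, or unanswered mail out) has an empty direction.
    return {
        pair: sorted(d["inbound"] + d["outbound"])
        for pair, d in seen.items()
        if d["inbound"] and d["outbound"]
    }


if __name__ == "__main__":
    for (local, remote), times in find_conversations(SAMPLE, ".ru").items():
        print(f"{local} <-> {remote}: {len(times)} messages, {times[0]} to {times[-1]}")
```

Each record is read once, so the cost grows with the number of messages rather than with nested lookups of every sender against every recipient.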

herculi
New Member

Hi, first you can find the IP address of the email. Next, you can get the information about that IP address from sites. You can get easy IP-finding steps at http://aruljohn.com/info/howtofindipaddress/. After getting the IP address, you can get the whole details of the IP address at WhoisXY.com.

0 Karma