- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Alert to detect email spoofing - Sender addres...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alert to detect email spoofing - Sender address and reply to address different
Morning Splunk Gurus's, I wonder if you can solve a question I have?
If an email is sent to you and the senders email address has been spoofed, if you click reply the address changes to a fake email address. How do I monitor exchange logs to say if the "From" field in the email email is not the same as the "Return-path" field then alert me ?
X-Sender-Id - This is the real sender
The "Reply To" header is presented to the end-user but the actual reply goes to a field called "Return-Path"
Return Path: This field is what the mail server would use if the end-user chooses to reply to sender
From: This is address from someone you know \ trust, the email address of the impersonated sender.
I've been racking my brain trying to work this out, and would really appreciate any thoughts \ ideas you might have
Cheers
D
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can find that information in the log, you can fix it.
In Smtp protocol, there is only sender and recipient.
the others is all data.
if you can see Reply To, you can detect email spoofing.
that's great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was wondering about this as well but want to add an exclusion list into it due to known emails that come in from certain teams that the return path is a team inbox so it will show as sent on behalf and replies go back to the team inbox so that any replies don't get dropped say when they are not at work. Have you had any luck with what you were trying.,Trying to figure this one out myself but throw a curve ball at it as well because I know some emails come into my environment using a email sent on behalf. So would have a listed of exclusions I would like to build into the alert. Have you had any luck figuring this out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Im thinking a eval and if command might work
To say if email field x is not the same as email field y then alert...any ideas ?
Many thanks
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
