Splunk Search

Alert to detect email spoofing - Sender address and reply to address different

DDewarSplunk
New Member

Morning Splunk Gurus, I wonder if you can solve a question I have?

If an email is sent to you and the sender's email address has been spoofed, if you click reply the address changes to a fake email address. How do I monitor Exchange logs to say if the "From" field in the email is not the same as the "Return-Path" field, then alert me?

X-Sender-Id - This is the real sender
The "Reply To" header is presented to the end-user but the actual reply goes to a field called "Return-Path"
Return Path: This field is what the mail server would use if the end-user chooses to reply to sender
From: This is the address from someone you know \ trust, the email address of the impersonated sender.

I've been racking my brain trying to work this out, and would really appreciate any thoughts \ ideas you might have

Cheers
D


to4kawa
Ultra Champion

If you can find that information in the log, you can fix it.
In the SMTP protocol, there is only sender and recipient.

The others are all data.

If you can see Reply-To, you can detect email spoofing.
That's great.


davidc0805
New Member

I was wondering about this as well, but want to add an exclusion list into it due to known emails that come in from certain teams where the return path is a team inbox, so it will show as sent on behalf and replies go back to the team inbox, so that any replies don't get dropped, say when they are not at work. Have you had any luck with what you were trying?

Trying to figure this one out myself, but throw a curve ball at it as well, because I know some emails come into my environment using an email sent on behalf. So I would have a list of exclusions I would like to build into the alert. Have you had any luck figuring this out?


DDewarSplunk
New Member

I'm thinking an eval and if command might work.
To say if email field x is not the same as email field y then alert... any ideas?

Many thanks

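As an added example (not posted by anyone in this thread), here is one way to build the alert in SPL. It assumes Exchange message tracking logs are indexed with the fields sender_address, return_path, recipient_address and message_subject (field names vary by add-on version, so adjust them to yours) and a lookup file spoof_exclusions.csv with columns from_addr and rp_addr listing known legitimate pairs, such as the sent-on-behalf team inboxes davidc0805 describes. Because message tracking logs record Return-Path but not the Reply-To header, the comparison is From versus Return-Path, and it compares domains rather than full addresses so that ordinary mailing-list and bulk senders with a separate bounce address do not alert.

```spl
index=msexchange sourcetype="MSExchange:2013:MessageTracking" event_id=RECEIVE
| eval from_addr=lower(trim(sender_address)),
       rp_addr=lower(trim(replace(return_path, "[<>]", "")))
| where isnotnull(rp_addr) AND rp_addr!="" AND from_addr!=rp_addr
| rex field=from_addr "@(?<from_domain>[^@\s]+)$"
| rex field=rp_addr "@(?<rp_domain>[^@\s]+)$"
| where from_domain!=rp_domain
| search NOT [| inputlookup spoof_exclusions.csv | fields from_addr rp_addr]
| stats count AS messages, values(recipient_address) AS recipients,
        values(message_subject) AS subjects, latest(_time) AS last_seen
        BY from_addr rp_addr
| sort - last_seen
| convert ctime(last_seen)
```

The `rp_addr!=""` test drops bounces and NDRs, whose Return-Path is the empty `<>`. Save the search as a scheduled alert that triggers when the result count is greater than zero, and when it fires on a known-good sender add that From/Return-Path pair to the CSV rather than loosening the domain comparison.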