Help with search that detects spam sent with uniqu...

roopoo · ‎10-13-2022

Hi community,

I am trying to write a query that looks for bulk email (say >50) from a single sender to multiple recipients, that has a unique subject.

Sender	Recipient	Subject
bob @ scamm . com	alice @ mycompany .net	spam for alice
bob @ scamm . com	jane @ mycompany .net	spam for jane
bob @ scamm . com	fred @ mycompany .net	spam for fred

I can add this to my search:

| stats count by subject sender recipient | search count>50

but I just want to see results where the subjects are unique, but the sender is the same.

Ideally I'd like to have it spit out a table of the sender, subject(s) and recipient(s)

Thank you

roopoo · ‎10-13-2022

I think I have it worked out:

<my email query>
| dedup subject
| eventstats count by sender
| where count >10
| table _time, sender, recipient, subject
| sort - sender

I can run this over say an hour and detect what I want. If anyone can advise if this is the most efficient / best way to do this please let me know! Thanks

roopoo · ‎10-13-2022

Still thinking... If I go back to basics and | dedup the subject I get partially what I am after, however I want the sender count to be greater than 50 so I filter out noise. Am I on the right track here? Can I achieve this?

roopoo · ‎10-13-2022

Some more thoughts on this - I think I need to do a search for email received within a given time, say 5 minutes. This would be the spammer doing their spamming, which I think my above query covers off. Then I need to look within those results for the unique subjects, but the same sender. This is the part I am needing assistance with. I hope this makes sense! Thanks

Help with search that detects spam sent with unique subject?

stats

table

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?