We are ingesting some of our email logs, and one of the fields is 'Subject'.
I was wondering if anyone has created a search that looks for potential SPAM IOC via the following methods:
1) Character count - I'd like to create a search that creates buckets that shows a count of Subject length of 1-10, 11-20, 21-30, etc)
2) Number of special characters in the Subject field - once again create a search for the count of buckets from 1-3, 4-6, etc., or even the number of special characters in a row, such as two or ,more (!!, !!!, etc.).
Not limited to those two ideas of course, but would appreciate any feedback.
As a further refinement to this, is it possible in Splunk to weight evals, such as if a user sends or receives an email with a Subject over 200 characters in length, a weight or rating of 5 is assigned, if the recipient list is greater than 10 people a weight or rating of 5 is assigned, and so on so users with a higher weight/rating bubble up to the top of the report.
Are you looking for how to implement your ideas or confirmation on your ideas as appropriate for helping find spam?
Looking for ideas on how to implement if possible (as I would think others have tackled this before)
1: Like this:
... | eval SubjectLen=length(Subject) | bucket SubjectLen span=10
2: Like this:
... | eval SubjectLen=length(Subject) | eval SubjectCopy=Subject | rex field=SubjectCopy mode=sed "s/[ListOfSpecialCharactersHere]//g" | eval specialCharCount = SubjectLen - length(SubjectCopy) | field - SubjectCopy