Splunk Search

Searching for possible spam

zabarai
Engager

Hi,
I'm trying to come up with a search that would help identify spam.

It would have to look at sender domain and count recipients.
In other words, if a particular domain is sending n messages to multiple recipients in-house within a particular time frame, I'd like to be alerted or be able to search for this activity.
Any help would be greatly appreciated.

0 Karma

neelamsantosh
Path Finder

In my case, spam mostly comes from e-mails. We are using:

index=mail [search index=* attach* | fields message_id]
| rex field=_raw "(?im)ATTACH\|(?P<suspicious_file>.+)"
| rex field=_raw "(?im)ATTACHFILTER\|(?P<attachfilter>.+)"
| rex "(?im)IRCPTACTION\|(?P<action>.+)"
| rex "(?im)SENDER\|(?P<malicious_sender>.+)"
| rex "(?im)IRCPTACTION\|(?P<recipient_user>\w+@\w+\.\w+)|(?P<rcpt_action>\w+)"
| stats count values(suspicious_file) as suspicious_file values(malicious_sender) as malicious_sender values(recipient_user) as recipient values(_raw) values(action) as action by message_id _time
| sort - count
| search action=deliver
| table message_id _time malicious_sender suspicious_file recipient

0 Karma

martin_mueller
SplunkTrust

Other than running proper spam detection such as SpamAssassin and Splunking its results, you could do your approach by setting up an alert triggered by something like this:

search for mails going to inhouse recipients | stats count by sender_domain | where count > n

The exact search depends on your data.
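The fan-out logic the answer sketches (count per sender domain, alert above n), extended with the two things the question asks for that a bare `stats count` does not give: a time window and distinct in-house recipients. This is an added example, not code from the thread or from Splunk; the log line format (ISO timestamp, `from=`, `to=`), the domain `corp.example`, and the threshold and window are assumptions, so adapt `parse_line()` to what your MTA or gateway actually writes. In SPL the same idea, with field names that are likewise assumed, is roughly `index=mail rcpt_domain=corp.example | bin _time span=10m | stats dc(recipient) AS rcpts count BY sender_domain _time | where rcpts >= 5`; note that `bin` uses fixed buckets, so a burst that straddles a bucket boundary can be split and missed, which is why the script below uses a sliding window instead.

```python
"""Sender-domain fan-out detector over sample mail-log lines.

Added example, not from the thread. The log format below is an assumption
(one line per delivery: ISO timestamp, from=<sender>, to=<recipient>); adapt
parse_line() to whatever your MTA or gateway actually writes.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: a partner sending a few mails, a bulk sender
# hitting many in-house mailboxes within seconds, a slow newsletter, and
# one malformed line that must be skipped rather than crash the parser.
SAMPLE_LOG = """\
2024-05-01T09:00:01 from=alice@partner.example to=bob@corp.example
2024-05-01T09:02:10 from=alice@partner.example to=carol@corp.example
2024-05-01T09:03:45 from=alice@partner.example to=bob@corp.example
2024-05-01T09:10:00 from=promo@bulk-offers.example to=bob@corp.example
2024-05-01T09:10:02 from=promo@bulk-offers.example to=carol@corp.example
2024-05-01T09:10:03 from=promo@bulk-offers.example to=dave@corp.example
2024-05-01T09:10:05 from=promo@bulk-offers.example to=erin@corp.example
2024-05-01T09:10:05 from=promo@bulk-offers.example to=bob@corp.example
2024-05-01T09:10:08 from=promo@bulk-offers.example to=someone@other.example
2024-05-01T09:10:09 from=deals@bulk-offers.example to=frank@corp.example
2024-05-01T14:00:00 from=news@slow.example to=bob@corp.example
2024-05-01T15:00:00 from=news@slow.example to=carol@corp.example
2024-05-01T16:00:00 from=news@slow.example to=dave@corp.example
garbage line that does not match the expected format
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$")


def parse_line(line):
    """Return (timestamp, sender_domain, recipient, recipient_domain) or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"])
    sender_domain = m["sender"].rsplit("@", 1)[-1].lower()
    rcpt = m["rcpt"].lower()
    return ts, sender_domain, rcpt, rcpt.rsplit("@", 1)[-1]


def detect_fanout(lines, inhouse_domain, window, threshold):
    """Alert when one sender domain reaches `threshold` distinct in-house
    recipients within a sliding time `window`.

    Aggregating by sender *domain* (not address) catches bulk senders that
    rotate local parts; counting *distinct* recipients ignores one user being
    mailed repeatedly. One alert is raised per crossing; the sender must drop
    below the threshold before it can fire again.
    """
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip malformed lines
        ts, sender_domain, rcpt, rcpt_domain = parsed
        if rcpt_domain != inhouse_domain:
            continue                       # only mail to in-house mailboxes counts
        events.append((ts, sender_domain, rcpt))
    events.sort()                          # logs are not guaranteed to be in order

    recent = defaultdict(deque)            # sender_domain -> (ts, rcpt) inside window
    firing = set()
    alerts = []
    for ts, sender_domain, rcpt in events:
        q = recent[sender_domain]
        q.append((ts, rcpt))
        while q and ts - q[0][0] > window:
            q.popleft()                    # expire events older than the window
        distinct = {r for _, r in q}
        if len(distinct) >= threshold:
            if sender_domain not in firing:
                firing.add(sender_domain)
                alerts.append({
                    "sender_domain": sender_domain,
                    "at": ts,
                    "distinct_recipients": len(distinct),
                    "messages": len(q),
                })
        else:
            firing.discard(sender_domain)
    return alerts


def run_sample():
    """Run the detector over SAMPLE_LOG with a 10-minute window, threshold 5."""
    return detect_fanout(SAMPLE_LOG.splitlines(), "corp.example",
                         timedelta(minutes=10), threshold=5)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['at'].isoformat()} {a['sender_domain']}: "
              f"{a['distinct_recipients']} recipients in {a['messages']} messages")
```

On the sample data only `bulk-offers.example` fires: it reaches five distinct in-house recipients in six messages within nine seconds, and the sixth message, from a different local part at the same domain, is what pushes it over. The partner domain never exceeds two recipients, the newsletter domain sends to three people but hours apart, and the message to an external domain is not counted at all. Tune the threshold against a week of your own traffic first; mailing-list and ticketing domains will legitimately fan out and belong on an allowlist.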
