Splunk Search

Searching for possible spam

zabarai
Engager

Hi,
I'm trying to come up with a search that would help identify spam.

It would have to look at sender domain and count recipients.
In other words if a particular domain is sending n- messages to multipole recipients inhouse, within a particualar time frame, i'd like to be alerted or be able to search for this activity.
Any help would be greatly appreciated.

Tags (1)
0 Karma

neelamsantosh
Path Finder

Mostly spam comes from eMails in my case we are using,

index=mail [search index=* attach*|fields message_id ] | rex field=_raw "(?im)ATTACH|(?P.+)" | rex field=_raw "(?im)ATTACHFILTER|(?P.+)" |rex "(?im)IRCPTACTION|(?P.+)"|rex "(?im)SENDER|(?P.+)"| rex "(?im)IRCPTACTION|(?P\w+@\w+.\w+)|(?P\w+)" | stats count values(suspicious_file) as suspicious_file values(malicious_sender) as malicious_sender values(recipient_user) as recipient values(_raw) values(action) as action by message_id _time | sort - count| search action=deliver|table message_id _time malicious_sender suspicious_file recipient

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Other than running proper spam detection such as spam assassin and splunking its results, you could do your approach by setting up an alert triggered by something like this:

search for mails going to inhouse recipients | stats count by sender_domain | where count > n

The exact search depends on your data.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...