2016-05-22 02:00 AM
Hi All,
We are getting multiple spoofed emails, so we are trying to build any of the following: an app rule, feed, watch list or ESA alert to monitor them. Below is an example of what we are looking for.
If there is an email sent to our environment from Suresh Thanikachalam (sthanikachalam@companydomain) that is fine, but if it's from Suresh Thanikachalam (sureshthanika@gmail.com) or Suresh Thanika (thanikasuresh@xyz.ae) we need to get a notification/alert so that we can monitor and block the sender.
In this case we have a set of usernames to be added as a feed or watch list so that it can trigger an alert if it's not matching our actual domain. Also kindly advise if this can be achieved in any other ways.
We are even OK if there is more manual work (like updating regularly) needed to achieve this.
Thanks in advance
2016-05-23 05:32 AM
Hi
You haven't said if this is packets or logs. However, with packets, the email parser will split up the email into its component parts. If it's not currently being split, it is fairly simple to write a Lua parser that will take an email address and split it into components:
firstname.lastname@mydomain.com will be split into meta:
username - firstname.lastname
domain - mydomain.com
Once you have this you can use some app rules to tag valid email.
eg:
Write into the alert meta field "valid email name" when email exists and mydomain.com =myvaliddomain.com
Then you can write a report that will output a CSV file as a feed:
Something like
select username, alert where alert="valid email name"
This will output a list of usernames that are valid email addresses for your domain. The feed will look something like
john.doe,valid email name
jane.smith,valid email name
johnd,valid email name
The next step is to use this feed to tag all emails that come in.
Your meta callback key will be username.
Now, you can write another app rule that will trigger an alert for example
"Valid Email Name, Invalid Domain" with rule
alert="valid email name" and domain !="myvaliddomain.com"
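As an added illustration of the logic described in this reply (not code from the original post and not NetWitness Lua or app-rule syntax), the following Python models the three steps: splitting the sender address into username and domain meta, building the username feed from senders seen on the valid domain, and applying the "valid email name, invalid domain" rule. The domain name and the sample sender list are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholder for the organisation's own domain, taken from the reply's example.
VALID_DOMAIN = "myvaliddomain.com"

# Constructed sample From values as they might appear in email meta (not real data).
SAMPLE_SENDERS: List[str] = [
    "John Doe <john.doe@myvaliddomain.com>",
    "Jane Smith <jane.smith@myvaliddomain.com>",
    "johnd@myvaliddomain.com",
    "John Doe <john.doe@gmail.com>",       # known username, foreign domain -> alert
    "Jane Smith <Jane.Smith@xyz.ae>",      # same, with different letter case
    "newsletter@example.org",              # unknown username, not flagged
    "not-an-address",                      # nothing to parse
]

# Matches the address part whether or not it is wrapped in a display name and <>.
ADDR_RE = re.compile(r"([^<>\s@]+)@([^<>\s@]+)")


def split_address(sender: str) -> Optional[Tuple[str, str]]:
    """Parser step: return (username, domain) meta, normalised to lower case.
    Returns None when no address can be extracted from the value."""
    m = ADDR_RE.search(sender)
    if not m:
        return None
    return m.group(1).lower(), m.group(2).lower().rstrip(".")


def build_feed(senders: List[str], valid_domain: str = VALID_DOMAIN) -> Dict[str, str]:
    """Report step: usernames observed on the valid domain, tagged like the feed rows."""
    feed: Dict[str, str] = {}
    for sender in senders:
        parts = split_address(sender)
        if parts and parts[1] == valid_domain:
            feed[parts[0]] = "valid email name"
    return feed


def feed_to_csv(feed: Dict[str, str]) -> str:
    """Render the feed in the 'username,tag' CSV form shown in the reply."""
    return "\n".join(f"{user},{tag}" for user, tag in sorted(feed.items()))


def evaluate(sender: str, feed: Dict[str, str], valid_domain: str = VALID_DOMAIN) -> Optional[str]:
    """App rule: alert="valid email name" and domain != valid domain."""
    parts = split_address(sender)
    if not parts:
        return None
    username, domain = parts
    if feed.get(username) == "valid email name" and domain != valid_domain:
        return "Valid Email Name, Invalid Domain"
    return None
```

Note that this rule keys on the username part only, so a lookalike sender whose local part differs from any feed entry (as in the original question's gmail example) does not match it and would need a display-name based check instead.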
2016-05-23 06:37 AM
Thanks for your response,
It is logs & packets. We will try this and will get back with the output.