how to monitor web activity using domain name.

Good day to everyone!

I have such a case: I have to find out which users send email to ecober.com.

I have researched, but couldn't find any useful information.

Which filters should I use in the Monitor tab?

Thanks in advance!

Accepted Solution (from @BPry)

@AzerbaijanSupermarkets,

Generally one would look up the MX records for ecober.com (currently 173.203.187.1 and 173.203.187.2) and then you could utilize that within your search. The issue that you'll run into however is that the user is likely going through a relay server and won't actually show as 'source-user x connected to 173.203.187.1' from the firewall. This is where logging on your email server or email gateway will have to be reviewed and you'll have to see which users actually sent emails to 'ecober.com' or the addresses recorded in their MX record.

Hopefully that helps.
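The two steps in the accepted answer (search the firewall traffic log for the addresses behind the domain's MX records, then fall back to the mail gateway's own log because the firewall only ever sees the relay) as an added Python example. This is not code from the thread or from Palo Alto Networks: the MX data, the traffic-log column names and the Postfix-style gateway lines are all constructed for the example, and real MX records and real PAN-OS or gateway log formats will differ.

```python
"""Who is sending mail to a given recipient domain?

Added example, not from the thread or from Palo Alto Networks. Step 1 matches
a firewall traffic log against the IPs behind the domain's MX records; step 2
reads the mail gateway's log, because clients hand mail to an internal relay
and the firewall only sees the relay talking to the MX hosts.

All MX data, column names and log lines below are constructed for the example.
"""
import csv
import io
import re
from collections import defaultdict

TARGET_DOMAIN = "ecober.com"

# Constructed stand-in for an MX lookup (`dig MX ecober.com` in practice),
# already resolved to the A records of each MX host.
MX_HOSTS = {
    "mx1.example-mx.invalid": {"192.0.2.10"},
    "mx2.example-mx.invalid": {"192.0.2.11"},
}

# Constructed firewall traffic log (CSV, assumed column names). Users submit
# to the internal relay 10.0.0.25 on 587; only the relay talks to the MX hosts.
FW_LOG = """\
src_user,src_ip,dst_ip,dst_port,app
alice,10.1.1.5,10.0.0.25,587,smtp
bob,10.1.1.9,10.0.0.25,587,smtp
,10.0.0.25,192.0.2.10,25,smtp
,10.0.0.25,192.0.2.11,25,smtp
carol,10.1.1.12,198.51.100.7,443,ssl
"""

# Constructed gateway log in a Postfix-like layout (assumed): one from= line
# and one or more to= lines per message, tied together by the queue id.
GW_LOG = """\
Jan 10 09:12:01 relay postfix/qmgr[1]: A1B2: from=<alice@corp.example>, size=1200
Jan 10 09:12:02 relay postfix/smtp[2]: A1B2: to=<sales@ecober.com>, relay=mx1.example-mx.invalid[192.0.2.10]:25, status=sent (250 ok)
Jan 10 09:15:00 relay postfix/qmgr[1]: C3D4: from=<bob@corp.example>, size=800
Jan 10 09:15:01 relay postfix/smtp[2]: C3D4: to=<hr@ecober.com>, relay=mx2.example-mx.invalid[192.0.2.11]:25, status=sent (250 ok)
Jan 10 09:20:00 relay postfix/qmgr[1]: E5F6: from=<carol@corp.example>, size=900
Jan 10 09:20:01 relay postfix/smtp[2]: E5F6: to=<x@other.example>, relay=mx.other.example[203.0.113.5]:25, status=sent (250 ok)
"""

FROM_RE = re.compile(r": (?P<qid>[0-9A-F]+): from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r": (?P<qid>[0-9A-F]+): to=<(?P<addr>[^>]*)>")


def mx_addresses(mx_hosts):
    """Flatten {mx_host: {ip, ...}} into the set of destination IPs to search."""
    return set().union(*mx_hosts.values())


def firewall_hits(log_text, addrs):
    """Step 1: rows whose destination is an MX address, as (user, src_ip, dst_ip).

    user is None when the firewall logged no User-ID for the source, which is
    exactly what happens for the relay.
    """
    rows = csv.DictReader(io.StringIO(log_text))
    return [(r["src_user"] or None, r["src_ip"], r["dst_ip"])
            for r in rows if r["dst_ip"] in addrs]


def at_domain(addr, domain):
    """True if addr is at domain or at a subdomain of it (case-insensitive)."""
    dom = addr.rpartition("@")[2].lower()
    domain = domain.lower()
    return dom == domain or dom.endswith("." + domain)


def gateway_senders(log_text, domain):
    """Step 2: correlate from= and to= lines by queue id and return
    {sender: [recipient, ...]} for recipients at the target domain."""
    sender_by_qid = {}
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            sender_by_qid[m["qid"]] = m["addr"]
            continue
        m = TO_RE.search(line)
        if m and at_domain(m["addr"], domain):
            result[sender_by_qid.get(m["qid"], "<unknown>")].append(m["addr"])
    return dict(result)


if __name__ == "__main__":
    addrs = mx_addresses(MX_HOSTS)
    print("MX addresses:", sorted(addrs))
    for user, src, dst in firewall_hits(FW_LOG, addrs):
        print(f"firewall: user={user} {src} -> {dst}")  # user is None: the relay
    for sender, rcpts in gateway_senders(GW_LOG, TARGET_DOMAIN).items():
        print(f"gateway: {sender} -> {', '.join(rcpts)}")
```

Running it shows the point the answer makes: every firewall hit against the MX addresses has the relay (10.0.0.25) as source and no user, while correlating queue IDs in the gateway log gives alice and bob as the people who actually sent to ecober.com. Note the limit of both approaches: webmail (Gmail, Yahoo and the like) is HTTPS to the provider, the recipient address travels inside the encrypted body, and neither the firewall traffic log nor your own gateway log ever sees it.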

you can reach out to your local sales team and have them add your vote to  Feature Request FR 1255

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Would it be possible to identify the recipient domain in a custom app by matching smtp-req-argument?

Then simply report on that application

@AzerbaijanSupermarkets

As mentioned by @BPry, in my eyes this is a job for an email relay/gateway server, not really for a firewall.

(Except maybe if FR 1255 will be implemented at some point? @reaper: what exactly is this FR about? Logging of sender and recipient in SMTP connections?)

Thank you all for your replies.

Yes, we made this report using our local mail server.

But we can't filter other mail applications (like Gmail, Yahoo, etc.).

This is still an issue.


@Remo wrote:

(Except maybe if FR 1255 will be implemented at some point? @reaper: what exactly is this FR about? Logging of sender and recipient in SMTP connections?)

FR 1255 requests adding the sender and recipient email addresses to the threat logs.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization