07-13-2018 01:04 AM
Good day to everyone!
I have such a case: I have to find out which users send email to ecober.com.
I have researched, but couldn't find any useful information.
Which filters should I use in the Monitor tab?
Thanks in advance!
07-13-2018 07:21 AM
Generally one would look up the MX records for ecober.com (currently 173.203.187.1 and 173.203.187.2) and then you could utilize that within your search. The issue that you'll run into however is that the user is likely going through a relay server and won't actually show as 'source-user x connected to 173.203.187.1' from the firewall. This is where logging on your email server or email gateway will have to be reviewed and you'll have to see which users actually sent emails to 'ecober.com' or the addresses recorded in their MX record.
Hopefully that helps.
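The mail-server log review described in the reply above, as an added example that is not part of the original post. It assumes Postfix-style syslog lines (the thread does not say which mail server is in use); the sample log, hostnames, addresses and the `senders_to_domain` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog style (an assumption; adapt the
# patterns to your own mail server or gateway log format).
SAMPLE_LOG = """\
Jul 13 09:01:12 mx postfix/qmgr[811]: 4A1B2C3D4E: from=<alice@corp.example>, size=2048, nrcpt=1 (queue active)
Jul 13 09:01:13 mx postfix/smtp[902]: 4A1B2C3D4E: to=<sales@ecober.com>, relay=mx1.example[203.0.113.5]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Jul 13 09:05:40 mx postfix/qmgr[811]: 5B2C3D4E5F: from=<bob@corp.example>, size=900, nrcpt=1 (queue active)
Jul 13 09:05:41 mx postfix/smtp[903]: 5B2C3D4E5F: to=<friend@notecober.com>, relay=mx2.example[203.0.113.9]:25, delay=0.4, dsn=2.0.0, status=sent (250 OK)
Jul 13 09:10:02 mx postfix/qmgr[811]: 6C3D4E5F6A: from=<carol@corp.example>, size=5120, nrcpt=2 (queue active)
Jul 13 09:10:03 mx postfix/smtp[904]: 6C3D4E5F6A: to=<Info@ECOBER.com>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect timed out)
Jul 13 09:10:03 mx postfix/smtp[905]: 6C3D4E5F6A: to=<other@example.net>, relay=mx3.example[203.0.113.7]:25, delay=0.6, dsn=2.0.0, status=sent (250 OK)
"""

# Sender and recipient are logged on different lines; the queue ID joins them.
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (\w+): from=<([^>]*)>")
TO_RE = re.compile(r"postfix/\w+\[\d+\]: (\w+): to=<([^>]*)>.*?status=(\w+)")

def domain_matches(address, domain):
    """True for the domain itself or a subdomain, never for look-alikes."""
    host = address.rpartition("@")[2].lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def senders_to_domain(log_text, domain):
    """Map envelope sender -> [(recipient, delivery status)] for one domain."""
    senders = {}      # queue id -> envelope sender
    deliveries = []   # (queue id, recipient, status) for matching recipients
    for line in log_text.splitlines():
        m = FROM_RE.search(line)
        if m:
            senders[m.group(1)] = m.group(2).lower()
            continue
        m = TO_RE.search(line)
        if m and domain_matches(m.group(2), domain):
            deliveries.append(m.groups())
    report = defaultdict(list)
    for qid, rcpt, status in deliveries:
        # A missing sender means the from= line fell outside this log slice.
        report[senders.get(qid, "<unknown>")].append((rcpt.lower(), status))
    return dict(report)

if __name__ == "__main__":
    for sender, hits in senders_to_domain(SAMPLE_LOG, "ecober.com").items():
        print(sender, hits)
```

The envelope sender identifies a mailbox, not necessarily the person who authenticated; where the server logs an authenticated username per queue ID, join on that as well.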
07-13-2018 06:53 AM
You can reach out to your local sales team and have them add your vote to Feature Request FR 1255.
07-13-2018 07:37 AM
Would it be possible to identify the recipient domain in a custom app by matching smtp-req-argument?
Then simply report on that application.
07-15-2018 09:48 AM
07-15-2018 11:14 PM
Thank you all for your replies.
Yes, we made this report using our local mail server.
But we can't filter other mail applications (like Gmail, Yahoo, etc.).
This is still an issue.
07-16-2018 03:47 AM
@Remo wrote:
(Except maybe if FR 1255 sometimes will be implemented? @reaper: what exactly is this FR about? Logging of sender and recipient in SMTP connections?)
FR1255 requests to add sender and receiver email address in the threat logs.