how to monitor web activity using domain name.


Good day to everyone!

I have such a case: I have to find out which users send email to ecober.com.

I have researched, but couldn't find any useful information.

Which filters should I use in monitor tab?

Thanks in advance!


All Replies
L7 Applicator

You can reach out to your local sales team and have them add your vote to Feature Request FR 1255.

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Cyber Elite (Accepted Solution)

@AzerbaijanSupermarkets,

Generally one would look up the MX records for ecober.com (currently 173.203.187.1 and 173.203.187.2) and then you could utilize that within your search. The issue that you'll run into however is that the user is likely going through a relay server and won't actually show as 'source-user x connected to 173.203.187.1' from the firewall. This is where logging on your email server or email gateway will have to be reviewed and you'll have to see which users actually sent emails to 'ecober.com' or the addresses recorded in their MX record. 

Hopefully that helps.

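The two-step correlation described in this reply, as an added example that is not code from the thread: it checks firewall traffic logs for flows to the MX addresses quoted above (which will only show the relay), then reads the mail relay's own log to recover which users actually sent to the domain. The log layouts, the relay address 10.0.0.25 and all log lines are constructed for illustration; verify the MX records with a live lookup before relying on them.

```python
import csv
import io
from typing import Dict, List, Set, Tuple

# MX addresses quoted in the thread for ecober.com (verify with a live MX lookup before use)
MX_ADDRESSES: Set[str] = {"173.203.187.1", "173.203.187.2"}

# Constructed sample data (not real logs). Firewall traffic log simplified to
# time,src_user,src_ip,dst_ip,app; only the relay (10.0.0.25) ever talks to the MX hosts.
FIREWALL_LOGS = """\
2020-01-10T09:00:01,unknown,10.0.0.25,173.203.187.1,smtp
2020-01-10T09:00:05,corp\\alice,10.1.2.3,93.184.216.34,web-browsing
2020-01-10T09:02:11,unknown,10.0.0.25,173.203.187.2,smtp
"""

# Constructed relay log simplified to time,client_ip,from,to
RELAY_LOGS = """\
2020-01-10T08:59:58,10.1.2.3,alice@example.com,sales@ecober.com
2020-01-10T09:00:02,10.1.2.9,bob@example.com,info@partner.example
2020-01-10T09:02:09,10.1.2.7,carol@example.com,Support@Sub.Ecober.Com
"""

def firewall_hits(log_text: str, mx: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (src_user, src_ip, dst_ip) for flows whose destination is an MX address."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        _, user, src, dst, _ = row
        if dst in mx:
            hits.append((user, src, dst))
    return hits

def recipient_in_domain(addr: str, domain: str) -> bool:
    """True if the recipient's domain equals domain or is a subdomain of it (case-insensitive)."""
    rcpt_domain = addr.rsplit("@", 1)[-1].lower()
    domain = domain.lower()
    return rcpt_domain == domain or rcpt_domain.endswith("." + domain)

def relay_senders(log_text: str, domain: str) -> Dict[str, List[str]]:
    """Map each sender to the recipients they mailed at the given domain, from relay logs."""
    senders: Dict[str, List[str]] = {}
    for row in csv.reader(io.StringIO(log_text)):
        _, _, sender, rcpt = row
        if recipient_in_domain(rcpt, domain):
            senders.setdefault(sender, []).append(rcpt)
    return senders

if __name__ == "__main__":
    print("Firewall flows to MX hosts:", firewall_hits(FIREWALL_LOGS, MX_ADDRESSES))
    print("Relay senders to ecober.com:", relay_senders(RELAY_LOGS, "ecober.com"))
```

The firewall result lists only the relay with an unknown user, which is exactly why the relay log is needed to name the senders.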
L4 Transporter

Would it be possible to identify the recipient domain in a custom app by matching smtp-req-argument?

Then simply report on that application

Cyber Elite

@AzerbaijanSupermarkets

As mentioned by @BPry, in my eyes this is a job for an email relay/gateway server, not really for a firewall.

(Except maybe if FR 1255 sometimes will be implemented? @reaper: what exactly is this FR about? Logging of sender and recipient in smtp connections?)


Thank you all for your replies.

Yes, we made this report using our local mail server.

But we can't filter other mail applications (like Gmail, Yahoo, etc.).

This is still an issue.

L7 Applicator

@vsys_remo wrote:

(Except maybe if FR 1255 sometimes will be implemented? @reaper: what exactly is this FR about? Logging of sender and recipient in smtp connections?)

FR1255 requests to add sender and receiver email address in the threat logs
