Alerting based on Possible Outbound Spamming
David Hoelzer edited this page Mar 12, 2015
Here's another awesome example. This time we're looking for outbound email destined for a large number of recipients, and calling out the sender. In this example we also have a caveat: there are sometimes internal system emails generated that do not have a sender. The script watches for and ignores these. Note the simplicity!

```ruby
# Look back over the last hour of Postfix queue manager "from" records.
timeframe = 1.hours.ago
relevant_events = Event.search("qmgr from", timeframe, 0, 10000000)
relevant_events.each do |event|
  event_string = event.inspect.to_s
  words = event_string.split(' ')
  # The recipient count sits at a fixed word offset in the inspected event. Internal
  # system mail has no sender, which shifts the layout, so it is treated as 0 recipients.
  recipients = (words[28] == "nrcpt" ? words[30].to_i : 0)
  if recipients > 5
    # Criticality grows with the recipient count: <10 => 1, <20 => 2, <30 => 4, else 5.
    criticality = (recipients < 10 ? 1 : recipients < 20 ? 2 : recipients < 30 ? 4 : 5)
    Alert.genericAlert(
      system_id: event.system_id,
      description: "#{words[19]} sent a single email to #{recipients} users.",
      short_description: "Suspicious user activity - Large number of recipients #{words[19]}",
      criticality: criticality,
      events: [event]
    )
  end
end
```
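The script above relies on fixed word positions in the inspected event, which break as soon as a log line carries an extra field. As an added example (not part of the wiki page or its project), the following Ruby pulls the sender and `nrcpt` count out of Postfix `qmgr` lines with a regular expression, skips blank-sender system mail, and applies the same recipient threshold and criticality tiers as the page's script. The log lines are constructed for illustration; `Event.search` and `Alert.genericAlert` are not used, so it runs stand-alone.

```ruby
# Added example, not the project's own code. Parses Postfix qmgr "from=" records
# by field name rather than word offset and reproduces the wiki script's alert logic.

# Matches e.g. "postfix/qmgr[2210]: 4F3A1B2C9D: from=<alice@example.test>, size=2048, nrcpt=3"
QMGR_FROM = /postfix\/qmgr\[\d+\]: (?<qid>[0-9A-Z]+): from=<(?<sender>[^>]*)>, size=\d+, nrcpt=(?<nrcpt>\d+)/

# Returns {queue_id:, sender:, recipients:} or nil when the line is not a qmgr from= record.
def parse_qmgr_line(line)
  m = QMGR_FROM.match(line)
  return nil unless m
  { queue_id: m[:qid], sender: m[:sender], recipients: m[:nrcpt].to_i }
end

# Same tiers as the wiki script: <10 => 1, <20 => 2, <30 => 4, otherwise 5.
def criticality_for(recipients)
  return 1 if recipients < 10
  return 2 if recipients < 20
  return 4 if recipients < 30
  5
end

# Builds one alert hash per qmgr record with more than `threshold` recipients.
# Records with an empty sender (internal system mail, per the page) are ignored.
def outbound_spam_alerts(lines, threshold: 5)
  lines.map do |line|
    rec = parse_qmgr_line(line)
    next nil if rec.nil? || rec[:sender].empty? || rec[:recipients] <= threshold
    {
      queue_id: rec[:queue_id],
      sender: rec[:sender],
      recipients: rec[:recipients],
      criticality: criticality_for(rec[:recipients]),
      description: "#{rec[:sender]} sent a single email to #{rec[:recipients]} users.",
      short_description: "Suspicious user activity - Large number of recipients #{rec[:sender]}"
    }
  end.compact
end

# Constructed sample log: one normal message, one mid-size blast, one blank-sender
# system message, one unrelated smtp line, and two more blasts of differing size.
SAMPLE_LOG = [
  "Mar 12 10:15:01 mail postfix/qmgr[2210]: 4F3A1B2C9D: from=<alice@example.test>, size=2048, nrcpt=3 (queue active)",
  "Mar 12 10:15:07 mail postfix/qmgr[2210]: 4F3A1B2CA1: from=<bob@example.test>, size=5120, nrcpt=12 (queue active)",
  "Mar 12 10:15:09 mail postfix/qmgr[2210]: 4F3A1B2CB7: from=<>, size=600, nrcpt=40 (queue active)",
  "Mar 12 10:15:10 mail postfix/smtp[2211]: 4F3A1B2C9D: to=<dan@example.test>, relay=none, status=sent (250 OK)",
  "Mar 12 10:15:31 mail postfix/qmgr[2210]: 4F3A1B2CC2: from=<carol@example.test>, size=90000, nrcpt=35 (queue active)",
  "Mar 12 10:15:44 mail postfix/qmgr[2210]: 4F3A1B2CD0: from=<dave@example.test>, size=1500, nrcpt=7 (queue active)"
]

if __FILE__ == $PROGRAM_NAME
  outbound_spam_alerts(SAMPLE_LOG).each do |a|
    puts "[crit #{a[:criticality]}] #{a[:queue_id]}: #{a[:description]}"
  end
end
```

Against the sample log this raises three alerts (bob at criticality 2, carol at 5, dave at 1); the blank-sender message with 40 recipients is skipped, as the page intends, and the `smtp` line is ignored because it is not a `qmgr` `from=` record.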