02-20-2019 08:43 AM - edited 04-12-2024 01:14 PM
Hello Forum,
We have observed in Splunk that a user is sending emails from his own organizational mail address to himself (same mail address). There are 44 emails triggered in a time span of 5 minutes, and we monitor the traffic in Splunk through Cisco IronPort.
When we checked with the user, the user is not aware of any such transactions. What could be the possible reason that these mails are getting triggered and delivered from the same ID to the same ID? We have checked the internal message ID and it is different for all the cases, which means there are 44 emails triggered. Can anyone please help us understand the reason behind this?
Thanks and Regards,
Napster
02-20-2019 09:12 AM
Hi,
I am not sure about your email and network security setup, but I can guide you with some basic checks which will help you determine whether these emails are generated by your domain itself (hacking or authorized) or are fake emails:
1. Have you configured SPF records for your domain? I know this is a basic requirement for email, but cross-check the domain.
2. Have you configured DKIM and DMARC for your domain?
3. Have you enabled "Header anomalies" on your email gateway?
I hope you are aware of all of those things. I advise you to collect the original email header (of the emails you mentioned in the post) from the user's inbox and check it with MXTOOLBOX.COM. What is the output for SPF, DKIM, DMARC, sender SMTP and IP, etc.?
A second piece of advice is that you have to check your email gateway logs for "Header anomalies", including the sender and receiver SMTP and IP addresses. I am sure that you will get all the details.
Regards,
Deepak Kumar
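As an added example (not from the thread or from the author above), a Python script that pulls out of one message's headers the facts the answer asks to check: whether From and To match, whether the envelope sender (Return-Path) domain differs from the header From domain, the SPF/DKIM/DMARC verdicts the gateway stamped into Authentication-Results, and which Received hops lie outside the organization. The sample headers, hostnames and the internal address prefixes are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the thread): a mail addressed from alice to
# alice whose Authentication-Results and Received chain point outside the org.
SAMPLE_HEADERS = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.com (mx1.example.com [10.0.0.5])
    by mail.example.com with ESMTP id abc123; Wed, 20 Feb 2019 08:40:01 +0000
Received: from relay.example.net (relay.example.net [203.0.113.7])
    by mx1.example.com with ESMTP id xyz789; Wed, 20 Feb 2019 08:40:00 +0000
Authentication-Results: mx1.example.com; spf=fail smtp.mailfrom=mailer.example.net;
    dkim=none; dmarc=fail header.from=example.com
From: "Alice" <alice@example.com>
To: alice@example.com
Message-ID: <1@relay.example.net>
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)

def analyze_headers(raw, internal_prefixes=("10.", "192.168.")):
    """Pull the facts the answer above asks for out of one message's headers.
    internal_prefixes is an assumed stand-in for the organization's own ranges."""
    msg = message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].lower()
    from_dom, rp_dom = from_addr.rpartition("@")[2], return_path.rpartition("@")[2]
    # spf/dkim/dmarc verdicts the gateway stamped into Authentication-Results
    auth_hdrs = " ".join(msg.get_all("Authentication-Results", []))
    auth = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth_hdrs)}
    # relay IPs from the Received chain (newest hop first); keep the non-internal ones
    hops = IP_RE.findall(" ".join(msg.get_all("Received", [])))
    external = [ip for ip in hops if not ip.startswith(internal_prefixes)]
    self_addressed = bool(from_addr) and from_addr == to_addr
    envelope_mismatch = bool(rp_dom) and rp_dom != from_dom
    # Self-addressed mail that failed SPF/DMARC, has an envelope/From domain
    # mismatch, or entered from outside the org is the pattern to chase in gateway logs.
    suspicious = self_addressed and (auth.get("spf") != "pass"
        or auth.get("dmarc") != "pass" or envelope_mismatch or bool(external))
    return {"from": from_addr, "to": to_addr, "return_path": return_path,
            "self_addressed": self_addressed, "envelope_mismatch": envelope_mismatch,
            "auth": auth, "external_hops": external, "suspicious": suspicious}

if __name__ == "__main__":
    for key, value in analyze_headers(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Run it against the raw header block saved from the user's mailbox instead of SAMPLE_HEADERS; a `suspicious` result with an external hop is what to look up in the IronPort message tracking for the same Message-ID.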
02-20-2019 09:21 AM