Outbound mass mailing monitoring through regex

Hi to all,

I just wanted to share a trick/method I've found to trace/monitor suspicious outbound traffic from the appliance, i.e. to trace outbound messages sent to a high number of recipients.

In "Additional Policy"/Outbound I've set up the rule below (based on headers only):

The regex ^[^@]*(\@[^@]*){30,}$ basically counts the number of recipients in the "To" header and if it hits 30 or more recipients you can trigger an event/notification.

Hope this might be helpful.

I'd also need to trace/monitor the number of messages sent/per minute/hour but unfortunately the appliance doesn't seem to have such functions, so if you have any ideas to suggest or share you're welcome.

Edit: this works with "To" and "Cc" headers but it doesn't work with Bcc.

 

Maio
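To make the rule above concrete, here is an added Python example (not from the original post and not Sophos appliance code) that applies the same regex to the To and Cc headers of constructed sample messages, shows why a header-only rule cannot see Bcc recipients (they only exist in the SMTP envelope, so the check must also count RCPT TO addresses), shows that a display name containing "@" inflates the "@" count, and adds the per-sender messages-per-minute check the post asks about, run over constructed log records. The log record format `(timestamp, sender)` and the envelope list are assumptions for illustration, not the appliance's own log or API.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import getaddresses

RECIPIENT_THRESHOLD = 30  # the "30 or more recipients" value used in the post


def mass_mail_regex(threshold: int = RECIPIENT_THRESHOLD) -> re.Pattern:
    """Build the post's pattern ^[^@]*(\\@[^@]*){N,}$ for an arbitrary N.
    It matches when the header value contains at least N '@' characters."""
    return re.compile(r"^[^@]*(@[^@]*){%d,}$" % threshold)


def header_hits_rule(header_value: str, threshold: int = RECIPIENT_THRESHOLD) -> bool:
    """True when the header value matches the post's regex."""
    return mass_mail_regex(threshold).match(header_value) is not None


def count_addresses(header_value: str) -> int:
    """Count parsed mailboxes instead of '@' characters, so a display name
    such as "report@daily bot" does not inflate the recipient count."""
    return sum(1 for _, addr in getaddresses([header_value]) if addr)


def check_message(raw_message: str, threshold: int = RECIPIENT_THRESHOLD) -> dict:
    """Apply the header-based check to To and Cc of one message.
    Returns '@' counts, parsed address counts and whether the rule fires."""
    msg = message_from_string(raw_message)
    result = {"at_counts": {}, "address_counts": {}, "triggered": False}
    for name in ("To", "Cc"):
        # Unfold continuation lines so the regex sees one logical header value.
        values = [re.sub(r"\r?\n[ \t]+", " ", v) for v in (msg.get_all(name) or [])]
        combined = ", ".join(values)
        result["at_counts"][name] = combined.count("@")
        result["address_counts"][name] = count_addresses(combined)
        if combined and header_hits_rule(combined, threshold):
            result["triggered"] = True
    return result


def envelope_hits_rule(rcpt_to: list, threshold: int = RECIPIENT_THRESHOLD) -> bool:
    """Count SMTP envelope (RCPT TO) recipients, which include Bcc recipients
    that never appear in any header. Assumed input: a list of address strings."""
    return len(rcpt_to) >= threshold


def senders_over_rate(log_records, limit: int, window_seconds: int) -> set:
    """Return senders with more than `limit` messages inside any sliding window
    of `window_seconds`. log_records: (ISO timestamp, sender) tuples in time order.
    This record shape is an assumption, not the appliance's log format."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = set()
    for ts, sender in log_records:
        t = datetime.fromisoformat(ts)
        q = recent[sender]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) > limit:
            flagged.add(sender)
    return flagged


# --- constructed sample data (not real traffic) ---

def constructed_bulk_message(n: int = 35) -> str:
    """A message addressed to n recipients in the To header."""
    recipients = ", ".join(f"user{i:02d}@example.com" for i in range(n))
    return (f"From: payroll@example.com\r\nTo: {recipients}\r\n"
            "Subject: constructed test\r\n\r\nbody\r\n")


def constructed_bcc_message() -> str:
    """Bulk mail sent via Bcc: the To header only shows the sender's own address."""
    return ("From: noreply@example.com\r\nTo: noreply@example.com\r\n"
            "Subject: constructed test\r\n\r\nbody\r\n")


def constructed_bcc_envelope() -> list:
    """The envelope recipients that went with constructed_bcc_message()."""
    return [f"user{i:02d}@example.com" for i in range(40)]


def constructed_log() -> list:
    """50 messages from one sender two seconds apart, 5 from another over an hour."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    records = [((base + timedelta(seconds=2 * i)).isoformat(), "bulk@example.com") for i in range(50)]
    records += [((base + timedelta(minutes=10 * i)).isoformat(), "alice@example.com") for i in range(5)]
    return sorted(records)


if __name__ == "__main__":
    print(check_message(constructed_bulk_message(35)))   # triggered: True
    print(check_message(constructed_bcc_message()))       # triggered: False (Bcc invisible)
    print(envelope_hits_rule(constructed_bcc_envelope())) # True when counting RCPT TO
    print(senders_over_rate(constructed_log(), limit=30, window_seconds=60))
```

The header check reproduces the post's rule exactly, and the Bcc case makes the edit at the end of the post visible: the same 40-recipient mailing passes the header rule and is only caught when the envelope recipients are counted. `senders_over_rate` is the sliding-window equivalent of the "messages per minute/hour" monitor the post asks for; it needs a per-message log feed with sender and timestamp, which you would have to export from the appliance or a downstream MTA.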



This thread was automatically locked due to age.
Hello Maio,

Thank you for contacting the Sophos Community!

Thank you also for sharing your cool method to trace the number of recipients in the "To" header.

The SEA gives you an idea of the number of emails processed in the Dashboard. It will give you the average hourly throughput.

Regards,