

Outbound mass mailing monitoring through regex

Hi to all,

I just wanted to share a trick/method I've found to trace/monitor suspicious outbound traffic from the appliance, i.e. to trace outbound messages sent to a high number of recipients.

In "Additional Policy"/Outbound I've set up the rule below (based on headers only):

The regex ^[^@]*(\@[^@]*){30,}$ basically counts the number of recipients in the "To" header, and if it hits 30 or more recipients, you can trigger an event/notification.

Hope this might be helpful.

I'd also need to trace/monitor the number of messages sent per minute/hour, but unfortunately the appliance doesn't seem to have such a function, so if you have any ideas to suggest or share, you're welcome.

Edit: this works with "To" and "Cc" headers, but it doesn't work with Bcc.
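The following is an added example, not code from the original post or from Sophos. It applies the regex from the post to constructed To/Cc headers (including RFC 5322 folded ones, on the assumption that the appliance matches the unfolded header value), shows what the pattern really counts, and adds a small per-sender rate counter over constructed log entries of the kind the poster asked for. The function names, the sample addresses and the sample timestamps are all made up for the illustration.

```python
"""Added example (not from the original post): the mass-mailing regex from the
thread applied to constructed To/Cc headers, plus a per-sender rate counter of
the kind the poster asked about. All sample data below is constructed."""
import re
from collections import deque
from datetime import datetime, timedelta
from email.utils import getaddresses

THRESHOLD = 30                     # recipients needed to trigger the rule
ONE_MINUTE = timedelta(minutes=1)  # window used by the rate check below


def mass_mail_regex(threshold=THRESHOLD):
    """The regex from the post, parameterised on the threshold.

    It matches when the header value contains at least `threshold` '@'
    characters; that is what "counts recipients" means here, so an '@'
    inside a quoted display name is counted too (see count_addresses).
    """
    return re.compile(r'^[^@]*(@[^@]*){%d,}$' % threshold)


def unfold(header_value):
    """Join RFC 5322 folded header lines into one logical line, which is
    what an anchored ^...$ regex needs to see (assumption: the appliance
    matches the unfolded value)."""
    return re.sub(r'\r?\n[ \t]+', ' ', header_value)


def count_ats(header_value):
    """Number of '@' characters, i.e. what the regex actually counts."""
    return unfold(header_value).count('@')


def count_addresses(header_value):
    """Number of parsed addresses, which can differ from count_ats."""
    return len(getaddresses([unfold(header_value)]))


def header_triggers(header_value, threshold=THRESHOLD):
    """True when the To/Cc value would fire the rule at this threshold."""
    return mass_mail_regex(threshold).match(unfold(header_value)) is not None


def make_header(n, domain='example.com'):
    """Constructed header with n addresses, folded after every 5 of them."""
    addrs = ['user%d@%s' % (i, domain) for i in range(n)]
    chunks = [', '.join(addrs[i:i + 5]) for i in range(0, n, 5)]
    return ',\r\n\t'.join(chunks)


def senders_over_rate(events, limit, window=ONE_MINUTE):
    """Flag senders that exceed `limit` messages in any sliding `window`.

    `events` is an iterable of (datetime, sender) in time order, such as
    you would parse from the SMTP log; the appliance itself has no such
    rule, so this is what a script over the log could do.
    """
    recent = {}      # sender -> deque of timestamps still inside the window
    flagged = set()
    for ts, sender in events:
        queue = recent.setdefault(sender, deque())
        queue.append(ts)
        while ts - queue[0] > window:   # drop timestamps older than the window
            queue.popleft()
        if len(queue) > limit:
            flagged.add(sender)
    return flagged


def sample_events():
    """Constructed log: one sender bursts 12 messages in 55 seconds, another
    sends 3 messages a minute apart."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    events = [(base + timedelta(seconds=5 * i), 'bulk@corp.example')
              for i in range(12)]
    events += [(base + i * ONE_MINUTE, 'alice@corp.example') for i in range(3)]
    return sorted(events)


if __name__ == '__main__':
    for n in (29, 30):
        print('To: with %d addresses -> triggers: %s'
              % (n, header_triggers(make_header(n))))
    tricky = '"Bob @ Sales" <bob@example.com>'
    print("'@' count %d vs address count %d for %r"
          % (count_ats(tricky), count_addresses(tricky), tricky))
    print('senders over 10 msg/min:', senders_over_rate(sample_events(), limit=10))
```

Two caveats the example makes visible: the pattern counts '@' characters, not addresses, so a quoted display name such as "Bob @ Sales" counts twice, and the check is header-only. Bcc recipients are carried in the SMTP envelope (RCPT TO) and the Bcc header is normally removed before the message leaves the client, which is why a header-based rule cannot see them; counting envelope recipients or sending rate per sender needs the appliance's SMTP log, which the rate function above is written to consume.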



This thread was automatically locked due to age.