

Outbound mass mailing monitoring through regex

Hi to all,

I just wanted to share a trick/method I've found to trace/monitor suspicious outbound traffic from the appliance, i.e. to trace outbound messages sent to a high number of recipients.

In "Additional Policy"/Outbound I've set up the rule below (based on headers only):

The regex ^[^@]*(\@[^@]*){30,}$ basically counts the number of recipients in the "To" header and, if it hits 30 or more recipients, you can trigger an event/notification.

Hope this might be helpful.

I'd also need to trace/monitor the number of messages sent per minute/hour, but unfortunately the appliance doesn't seem to have such functions, so if you have any ideas to suggest or share, you're welcome.

Edit: this works with "To" and "Cc" headers but it doesn't work with Bcc.


Maio
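Worked example, added here and not part of the original post or of any Sophos product: a small Python check that applies the same regex to the To: and Cc: headers of a constructed message, unfolding continuation lines first so a folded recipient list is seen as one line. The function names and the sample addresses are my own assumptions.

```python
import re

# Regex from the post: a header value with 30 or more "@" characters,
# i.e. roughly 30 or more addresses in a To: or Cc: header.
# The "@" count is only an approximation: a quoted display name that
# itself contains "@" would inflate it.
MASS_MAIL_RE = re.compile(r"^[^@]*(\@[^@]*){30,}$")


def parse_headers(raw: str) -> dict:
    """Return {lowercased name: unfolded value} for the header block of a
    raw RFC 5322 message. Continuation lines (leading space or tab) are
    joined onto the previous header so ^...$ sees the whole recipient list
    as a single line; parsing stops at the first blank line (start of body)."""
    headers, last = {}, None
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and last:
            headers[last] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            last = name.strip().lower()
            headers[last] = value.strip()
    return headers


def recipient_headers_hit(raw: str) -> list:
    """Names of the visible recipient headers ("to", "cc") that trip the regex.
    Bcc is deliberately not checked: it is normally stripped before the
    message leaves the sending client, so there is no header left to inspect,
    which is the limitation the post mentions."""
    h = parse_headers(raw)
    return [n for n in ("to", "cc") if n in h and MASS_MAIL_RE.match(h[n])]


def make_message(header: str, n: int) -> str:
    """Constructed sample message with n example recipients in the given
    header, folded one recipient per line as many mail clients do."""
    rcpts = ",\r\n ".join(f"user{i}@example.com" for i in range(n))
    return (
        "From: sender@example.com\r\n"
        "Subject: Newsletter\r\n"
        f"{header}: {rcpts}\r\n"
        "\r\n"
        "Body text with a colon: not a header.\r\n"
    )


if __name__ == "__main__":
    for hdr, n in (("To", 30), ("To", 29), ("Cc", 45), ("Bcc", 40)):
        print(hdr, n, recipient_headers_hit(make_message(hdr, n)))
```

Running it shows a hit for 30 To: addresses and 45 Cc: addresses, no hit for 29, and no hit for Bcc regardless of count.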


