Host Sending Excessive Email
One of the three main forms of mail-based attack is denial of service: the system or network is flooded with large volumes of junk mail and has no capacity left to process anything else, so the mail server or the network itself is paralysed. Another is the virus: in practice, many viruses spread widely by e-mail, and "I love you" is the most striking example from the new millennium.
Splunk search: a non-mail-server host sent an excessive amount of email in the last hour
| tstats `summariesonly` sum(All_Email.recipient_count) as count,dc(All_Email.dest) as dest_count from datamodel=Email.All_Email where NOT All_Email.src_category="email_servers" by "All_Email.src",_time span=1h | `drop_dm_object_name("All_Email")` | xswhere count from recipients_by_src_1h in email is above medium OR dest_count from destinations_by_src_1h in email is above medium
earliest=-70m@m latest=+0s
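The search above does two things: a tstats aggregation over the Email data model (sum of recipient_count and distinct-count of dest per source per 1h span, excluding sources categorised as email servers), followed by an xswhere stage that flags a source when either value is "above medium" relative to the Extreme Search contexts recipients_by_src_1h and destinations_by_src_1h. The following Python is an added example written for this page, not code from Splunk or from the original author; it reproduces that logic over constructed sample events so the two stages can be seen separately. The field names (src, dest, recipient_count, src_category, _time) follow the Email data model as used in the search; the baseline lists and the use of the baseline median as the "medium" threshold are assumptions standing in for the real Extreme Search contexts, which are built from historical data and are not modelled here.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample events in the shape of the Email data model fields
# referenced by the search. These are made-up values, not data from the page.
SAMPLE_EVENTS = [
    # legitimate mail relay: excluded by NOT src_category="email_servers"
    {"_time": "2024-05-01T10:05:00Z", "src": "10.0.0.25", "dest": "mx.example.net",
     "recipient_count": 40, "src_category": "email_servers"},
    {"_time": "2024-05-01T10:20:00Z", "src": "10.0.0.25", "dest": "mx.example.org",
     "recipient_count": 55, "src_category": "email_servers"},
    # ordinary workstation, low volume in the 10:00 bucket
    {"_time": "2024-05-01T10:12:00Z", "src": "10.0.1.7", "dest": "mx.example.net",
     "recipient_count": 2, "src_category": "workstation"},
    {"_time": "2024-05-01T10:48:00Z", "src": "10.0.1.7", "dest": "mx.example.net",
     "recipient_count": 1, "src_category": "workstation"},
    # workstation fanning out to many recipients and several destinations
    {"_time": "2024-05-01T10:03:00Z", "src": "10.0.1.42", "dest": "mx.example.net",
     "recipient_count": 120, "src_category": "workstation"},
    {"_time": "2024-05-01T10:31:00Z", "src": "10.0.1.42", "dest": "mx.example.org",
     "recipient_count": 95, "src_category": "workstation"},
    {"_time": "2024-05-01T10:44:00Z", "src": "10.0.1.42", "dest": "mx.example.com",
     "recipient_count": 80, "src_category": "workstation"},
    # the same workstation an hour earlier, quiet (lands in the 09:00 bucket)
    {"_time": "2024-05-01T09:50:00Z", "src": "10.0.1.42", "dest": "mx.example.net",
     "recipient_count": 1, "src_category": "workstation"},
]

# Constructed per-source hourly baselines. Assumption: these stand in for the
# Extreme Search contexts recipients_by_src_1h and destinations_by_src_1h.
BASELINE_RECIPIENTS = [1, 2, 2, 3, 3, 4, 5, 6, 8, 10]
BASELINE_DESTS = [1, 1, 1, 1, 2, 2, 2, 3, 3, 4]


def hour_bucket(ts: str) -> datetime:
    """Floor an ISO-8601 UTC timestamp to the hour, i.e. the `span=1h` bucket."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)


def aggregate_by_src(events):
    """tstats stage: sum(recipient_count) as count and dc(dest) as dest_count
    per (src, 1h bucket), skipping sources categorised as email servers."""
    totals = defaultdict(lambda: {"count": 0, "dests": set()})
    for ev in events:
        if ev.get("src_category") == "email_servers":
            continue
        key = (ev["src"], hour_bucket(ev["_time"]))
        totals[key]["count"] += ev["recipient_count"]
        totals[key]["dests"].add(ev["dest"])
    return {k: {"count": v["count"], "dest_count": len(v["dests"])}
            for k, v in totals.items()}


def concept_threshold(baseline):
    """Assumption: the 'medium' concept is approximated by the baseline median.
    Real Extreme Search contexts derive their concepts differently."""
    return median(baseline)


def find_excessive_senders(events, baseline_recipients=BASELINE_RECIPIENTS,
                           baseline_dests=BASELINE_DESTS):
    """xswhere stage: flag a (src, bucket) when count OR dest_count is strictly
    above the respective 'medium' threshold."""
    recip_thr = concept_threshold(baseline_recipients)
    dest_thr = concept_threshold(baseline_dests)
    hits = []
    for (src, bucket), agg in sorted(aggregate_by_src(events).items()):
        if agg["count"] > recip_thr or agg["dest_count"] > dest_thr:
            hits.append({"src": src, "_time": bucket.isoformat(), **agg})
    return hits


if __name__ == "__main__":
    for hit in find_excessive_senders(SAMPLE_EVENTS):
        print(hit)
```

With the constructed data, only 10.0.1.42 in the 10:00 bucket is flagged (295 recipients across 3 destinations); the mail relay is dropped by the category filter, the quiet workstation stays just under the recipient threshold, and the same host's 09:00 activity falls in a separate bucket. In production the "medium" boundary comes from the Extreme Search context, so tuning happens by rebuilding that context from trusted history rather than by editing a constant.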