Log viewer - import from text file? - ORF Forums

Log viewer - import from text file? RSS Back to forum

1

I would like to build a log filter of our valid email addresses, and then check for recipients not equal to any of them. Possibly an import from text file and then some different logic options in the filter dialog box? This is so I can watch for inbound attempts to invalid addresses - and add them to the honeypot test.

I am seeing some success with the honeypot test and want to expand on it, but it's difficult finding these addresses in the log.

Thanks!

Reply
by Derwood 9 years ago
2

@Derwood: The Log Viewer filter dialog does not support importing from TXT.

The easiest way is enabling the Recipient Validation test and creating a filtered view for its hits. If Recipient Validation is not available (e.g., because ORF runs on an Exchange Edge server and does not have access to the Active Directory), you can use a regular expression:

1. Start the Log Viewer and connect to the local or remote ORF instance
2. Load the log entries
3. Create a Filter (Ctrl + Shift + F)
4. Click Add New Rule, Recipients
5. Set the expression type to "Regular expression" and enter the expression like so:

(validuser1|validuser2|validuser3)@mydomain\.com$

Add all valid recipient addresses, separated by "pipe" characters (which means "or" in regex), enclosed with brackets, followed by @, followed by your domain name and $. This will match any valid address (you can verify this by entering an arbitrary valid email address into the "Test address" input field).

6. Since you want to match all _invalid_ recipient addresses instead, check the "Invert rule (match all, but the above)" option.
7. Click OK, then OK again.

Reply
by Krisztián Fekete (Vamsoft) 9 years ago
(in reply to this post)

3

Krisztian, thanks very much.

We are on an Exchange 2010 Edge server and I set this up like you advised. It works nicely! From our mailbox server, I exported a list of mailboxes and built the filter from this. Then I added a few addresses of ex-employees. The filter only displays address not in the list. The little DHA attempts become more than apparent and I built the list of honeypot address in very little time. Thanks again!

Reply
by Derwood 9 years ago
4

Glad to hear it works :)

Reply
by Krisztián Fekete (Vamsoft) 9 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2