This repository has been archived by the owner on Sep 2, 2021. It is now read-only.

Report on potential duplicate entrants #34

Open
ewandennis opened this issue Jan 22, 2018 · 0 comments

Abuse Of A Personal Domain

An attacker can easily generate lots of entries with random local parts, all from 1 or a few sending domains (sometimes using SparkPost to do it). To detect that, here's a summary of domains used, by entrant frequency:

```sql
-- Messages per sending domain for one raffle; the domain value keeps its leading '@'.
select count(*) as cnt,
       substring(smtp_from, position('@' in smtp_from)) as domain
from relay_messages
where smtp_to like 'rafflename@%'
group by domain
having count(*) > 1;
```

Mutating Local Part

An attacker might manage multiple domains but use similar local parts across them. Here's a summary of those:

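```sql
-- Messages per local part for one raffle. In PostgreSQL, starting the
-- substring at index 0 with this length yields the text before the '@'.
select count(*) as cnt,
       substring(smtp_from, 0, position('@' in smtp_from)) as localpart
from relay_messages
where smtp_to like 'rafflename@%'
group by localpart
having count(*) > 1;
```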
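
Both summaries above count messages, so one address that enters twice appears in each of them. The following is an added example, not part of the original issue: it counts distinct sender addresses instead and lists every flagged address with both counts side by side. It assumes the same `relay_messages` table and a dialect with CTEs such as PostgreSQL; `rafflename` is the issue's own placeholder.

```sql
-- Added example (assumptions: relay_messages as used in the issue, PostgreSQL-style SQL).
with senders as (
    -- One row per distinct sender, case-folded so that
    -- Bob@Example.com and bob@example.com count once.
    select distinct lower(smtp_from) as sender
    from relay_messages
    where smtp_to like 'rafflename@%'
      and position('@' in smtp_from) > 1      -- skip values with no local part
),
entrants as (
    select sender,
           substring(sender from 1 for position('@' in sender) - 1) as localpart,
           substring(sender from position('@' in sender) + 1)       as domain
    from senders
),
busy_domains as (
    -- Heuristic 1: several distinct addresses on one sending domain.
    select domain, count(*) as senders
    from entrants
    group by domain
    having count(*) > 1
),
shared_localparts as (
    -- Heuristic 2: the same local part seen on several domains.
    select localpart, count(*) as senders
    from entrants
    group by localpart
    having count(*) > 1
)
select e.sender,
       coalesce(d.senders, 1) as senders_on_domain,
       coalesce(l.senders, 1) as senders_with_localpart
from entrants e
left join busy_domains d      on d.domain = e.domain
left join shared_localparts l on l.localpart = e.localpart
where d.domain is not null
   or l.localpart is not null
order by senders_on_domain desc, senders_with_localpart desc, e.sender;
```

Large shared mail providers will naturally show high `senders_on_domain` values, so the output is a review list rather than a verdict.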