Thanks, that's kind of what I was expecting. Even same_user, or any of the other standard decoder fields might help, as they could be misused somewhat.
Thanks for clarifying On Wednesday, December 18, 2013 3:13:17 PM UTC, Michael Starks wrote: > > On 2013-12-18 2:46, Chris H wrote: > > Hi, Michael. Exchange 2003. I've got the Message Tracking logs. > > Ok, I guess the question of the MTA was sort of irrelevant, but I was > curious since I have done some work for the Barracuda S&VF. > > If we had options like same_subject or same_sender, like we do with > same_source_ip, then this would be possible, but without code changes, I > can't think of a way to do it in advance of knowing what the phishing > email is about. > -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/groups/opt_out.
