Viewing Attack Sources

An attack source is the first MTA with a public IP address that routes a suspicious message. For example, if a suspicious message travels the following route: IP1 (sender) > IP2 (MTA: 225.237.59.52) > IP3 (company mail gateway) > IP4 (recipient), Deep Discovery Email Inspector identifies 225.237.59.52 (IP2) as the attack source. By studying attack sources, you can identify regional attack patterns or attack patterns that involve the same mail server.

Gain intelligence about the prevalence of the attack detections and their relative risk to your network. Learn about the location of the attack, especially whether the attack source is an MTA in your organization or in a region where your organization does not operate.

  1. Go to Detections > Attack Sources.
  2. Specify the search criteria.
    • Attack source (IP address)
    • Country
  3. Select the Period.
  4. Press ENTER.

    All email messages matching the search criteria appear.

  5. View the results.

    Header

    Description

    Attack Source

    View the IP address of the attack source.

    Country

    View the country where the attack source is located.

    Note:

    A dash (-) indicates that the location information is not available.

    City

    View the city where the attack source is located.

    Note:

    A dash (-) indicates that the location information is not available.

    Detections

    View the email messages with malicious or suspicious characteristics. Signature-based detection involves searching for known patterns of data within executable code or behavior analysis. Click the number to see more information about the suspicious message.

    High Risk

    View the detected messages with malicious characteristics.

    Medium Risk

    View the detected messages with characteristics that are most likely malicious.

    Low Risk

    View the detected spam messages or detected messages with content violations or suspicious characteristics.

    Spam/Graymail

    View the number of detected spam messages or graymail.

    Content Violation

    View the number of detected messages with content violations.

    DLP Incident

    View the number of detected messages with DLP incidents.

    View the number of email messages with embedded malicious links.

    View the number of file attachments that are detected by policy rules.

    Latest Detection

    View the most recent occurrence of the detected message.