We don't have one particular way to determine a sender directly. You would need essentially a place to start. If you know a sender or subject - you can use the CLI and 'grep' to parse through the mail_logs.
The best way to accomplish this would be to syslog those mail_logs off the appliance, and to a full Linux/Unix host that has extended grep on it.
If there are large messages that are being sent/spammed out - you can also use grep to investigate the mail logs:
Notes:
* The -i indicates that the search should be case insensitive.
* The . characters indicate how many characters the search should match. In these examples, there are 6 periods in the first command, 7 periods in the second command and 8 periods in the third command.
One thing to keep in mind - if you are trying to prevent users from spamming out - try using the Rate Limit for Envelope Senders option.
Starting in 7.6 - you can limit outbound messages for end users in order to prevent mass outbound emails/spamming.
From the GUI, Mail Flow Policies -> (select Policy, "Relay" for example) -> Mail Flow Limits, expand Rate Limit for Envelope Senders
Within this section – you can set a specified number of mail sent for individuals:
Once this is in place – you will be notified automatically when the limit is hit. Please be sure that you do have System notifications added and set to an admin recipient address. This can be set under System Administration -> Alerts. Add if this is not enabled. Make sure that 'Info' is checked.
From our Configuration Guide…
AsyncOS 7.6 updates Mail Flow Policies with the option to limit number of recipients during a specified time period that a listener will receive from a unique envelope sender, based on the mail-from address. Each listener tracks its own rate limiting threshold; however, because all listeners validate against a single counter, it is more likely that the rate limit will be exceeded if messages from the same mail-from address are received by multiple listeners.
From the Daily Management Guide…
Rate Limiting by envelope sender allows you to limit the number of email messages per time interval from an individual sender, based on the mail-from address. The Rate Limits report allows you to quickly identify individual senders of large numbers of messages. Use this report to help you to:
Control spam from internal user accounts, for example in cases when a user's credentials are compromised and the account is used to send spam in bulk.
Identify compromised user accounts.
Limit out-of-control applications that use email for notifications, alerts, automated statements, etc.
Avoid damaging your organization’s online reputation and the attendant hassles resulting from this situation.
Rate Limiting is configured in Mail Policies > Mail Flow Policies. For more information on rate limiting, see the “Configuring the Gateway to Receive Email” chapter in the AsyncOS for Email Configuration Guide.
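As an added illustration of the grep approach above (this is not from the original post or from Cisco's documentation), the script below runs on a Linux/Unix host holding a syslogged copy of mail_logs and ranks envelope senders by how many large messages they have queued. The "MID <n> ready <bytes> bytes from <addr>" line format and the sample log lines are constructed for this example; the `[0-9]{N,}` pattern is the extended-grep equivalent of the N-period idiom described in the notes.

```shell
#!/bin/sh
# Added example: find large outbound messages in a syslogged AsyncOS
# mail_logs copy and count them per envelope sender.
LOG="${MAIL_LOGS:-$(mktemp)}"

# Constructed sample lines (not real appliance output), mimicking the
# "MID <n> ready <bytes> bytes from <addr>" entries the grep targets.
write_sample() {
  cat > "$LOG" <<'EOF'
Mon Apr  1 09:00:01 2013 Info: MID 1001 ready 5321 bytes from <alice@example.com>
Mon Apr  1 09:00:02 2013 Info: MID 1002 ready 1048576 bytes from <bob@example.com>
Mon Apr  1 09:00:03 2013 Info: MID 1003 ready 12500000 bytes from <Bob@example.com>
Mon Apr  1 09:00:04 2013 Info: MID 1004 ready 987654 bytes from <carol@example.com>
Mon Apr  1 09:00:05 2013 Info: MID 1005 ready 2000000 bytes from <bob@example.com>
EOF
}

# Print lines whose byte count has at least $1 digits. Seven digits means
# roughly 1 MB and up, matching the "7 periods" case in the notes; anchoring
# on " bytes" keeps the MID number from being matched by accident.
large_messages() {
  grep -iE "ready [0-9]{$1,} bytes" "$LOG"
}

# Extract the address between "from <" and ">", fold case so that
# Bob@ and bob@ are the same sender, then count and sort descending.
top_senders() {
  large_messages "$1" \
    | sed -n 's/.*from <\([^>]*\)>.*/\1/p' \
    | tr 'A-Z' 'a-z' \
    | sort | uniq -c | sort -rn
}

write_sample
top_senders "${1:-7}"
```

Point MAIL_LOGS at the real syslogged file and drop the write_sample call to use it on production data; the digit count argument selects the size threshold.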