I want to search in Informer for email subjects of known malicious emails. It does not appear that the subject field is available when creating rules in Informer. Is there a way to make this field available?
Hi
Even meta keys not displayed in the "meta library" list in Informer can be used both as part of the select or where clauses in any rule, all you need to do is enter them manually!
However, the reason why they are not there is quite relevant, these keys are normally not indexed so performing queries on/with them will cause responses to be considerably slower.
If you need to regularly use these non-indexed keys on your queries, it is recommended that you consider turning them into IndexValues keys instead of their current default. This change should only be done on your Concentrators never on the Decoders.
Hope that helps!
Regards,
Rui
After you get the subject indexed, you will want to create a Live Feed of your known malicious subjects. The SA Live Feed Wizard is great for this. Be sure you set it for a non-ip and use subject as the meta callback.
Hey Fielder,
Do you know any good sites that do this?
I am currently using phishtank for domains that are known phishing sites but I can't seem to find any with subject lines.
I don't think subject lines will be a good idea to create a feed. For example, the top 5 phishing subject lines are very very common; you will have too many false positives.
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender
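To put a number on the false-positive concern raised above, here is an added example (not from this thread, not RSA's code) that loads a subject feed in the simple CSV shape a feed wizard ingests, normalizes subjects, matches them against a constructed sample of email meta with analyst verdicts, and reports precision per feed label. The feed rows, sample mail and labels are all constructed for illustration; the generic subjects are the ones listed in the post above.

```python
import csv
import io
import re
from collections import Counter

# Constructed feed: one row per known-bad subject plus a label, in the shape
# of a CSV a feed wizard would take with "subject" as the callback column.
FEED_CSV = """subject,label
Invitation to connect on LinkedIn,phish-generic
Mail delivery failed: returning message to sender,phish-generic
Undelivered Mail Returned to Sender,phish-generic
Your ACME Bank account has been suspended - verify now,phish-acme-campaign
"""

# Constructed sample of email meta: (subject, analyst verdict).
SAMPLE_MAIL = [
    ("Invitation to connect on LinkedIn", "benign"),
    ("Invitation to connect on LinkedIn", "benign"),
    ("Invitation to connect on LinkedIn", "malicious"),
    ("Mail delivery failed: returning message to sender", "benign"),
    ("Undelivered Mail Returned to Sender", "benign"),
    ("undelivered  mail returned to sender", "malicious"),
    ("Your ACME Bank account has been suspended - verify now", "malicious"),
    ("Re: Q3 budget", "benign"),
]


def normalize(subject):
    """Collapse case and whitespace so minor variations still hit the feed."""
    return re.sub(r"\s+", " ", subject).strip().lower()


def load_feed(text):
    """Parse the feed CSV into {normalized_subject: label}."""
    return {normalize(row["subject"]): row["label"]
            for row in csv.DictReader(io.StringIO(text))}


def evaluate(feed, mail):
    """Count feed hits per (label, verdict) over the sample mail."""
    counts = Counter()
    for subject, verdict in mail:
        label = feed.get(normalize(subject))
        if label:
            counts[(label, verdict)] += 1
    return counts


def precision_by_label(counts):
    """Fraction of hits per label that were actually malicious."""
    per = {}
    for (label, verdict), n in counts.items():
        hits, tp = per.get(label, (0, 0))
        per[label] = (hits + n, tp + (n if verdict == "malicious" else 0))
    return {label: tp / hits for label, (hits, tp) in per.items()}


if __name__ == "__main__":
    feed = load_feed(FEED_CSV)
    for label, p in precision_by_label(evaluate(feed, SAMPLE_MAIL)).items():
        print(f"{label}: precision {p:.2f}")
```

On the constructed sample the generic subjects hit mostly benign mail (precision 0.33) while the campaign-specific subject hits only malicious mail (precision 1.0), which is the point of the post: a subject feed is only as useful as how specific its entries are.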