The question came up today about using ExtraHop to detect spam bots on an internal network monitored by ExtraHop.
What approach would you take?
One thought is to use a trigger and look at the SMTP Request event and pull the Subject out of the SMTP.Header object. Look for a large number of a given subject over 30 seconds, the idea being one message being spammed out to hundreds of recipients quickly.
Any other thoughts?
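The counting logic the post sketches, as an added example that is not part of the original post and not ExtraHop's trigger API: a sliding 30-second window per (sending host, normalised Subject) that fires once when the count crosses a threshold. The event shape (`timestamp`, `client`, `subject`), the threshold of 100 and the sample traffic are all constructed assumptions; in a real trigger the subject would come from the SMTP header object on the SMTP request event and the per-key state would live in the trigger's session table instead of a `Map`.

```javascript
// Added example (not the original post's code, not ExtraHop's API): sliding-window
// count of identical subjects per sending host. Assumed event shape:
//   { timestamp: ms, client: '<source IP>', subject: '<Subject header>' }

const WINDOW_MS = 30 * 1000;   // the 30-second window suggested in the post
const THRESHOLD = 100;         // "hundreds of recipients"; tune to your mail volume

// Collapse case and whitespace so light personalisation does not split the counts.
function normalizeSubject(subject) {
  return String(subject || '').trim().toLowerCase().replace(/\s+/g, ' ');
}

class SubjectFloodDetector {
  constructor(windowMs = WINDOW_MS, threshold = THRESHOLD) {
    this.windowMs = windowMs;
    this.threshold = threshold;
    this.seen = new Map();     // "client|subject" -> timestamps (ms) still inside the window
  }

  // Feed one SMTP request. Returns an alert when the count first reaches the
  // threshold inside the window, otherwise null, so one flood yields one alert.
  observe(event) {
    const subject = normalizeSubject(event.subject);
    const key = `${event.client}|${subject}`;
    const now = event.timestamp;
    let times = this.seen.get(key);
    if (!times) { times = []; this.seen.set(key, times); }
    times.push(now);
    // Expire timestamps older than the window (events arrive in time order).
    while (times.length && now - times[0] > this.windowMs) times.shift();
    if (times.length === this.threshold) {
      return { client: event.client, subject, count: times.length, at: now };
    }
    return null;
  }
}

// Constructed sample traffic (not captured data): one workstation blasting a
// single subject, a normal user, and a slow drip that never crosses the threshold.
function sampleEvents() {
  const events = [];
  for (let i = 0; i < 150; i++) {
    events.push({ timestamp: i * 100, client: '10.0.0.5', subject: 'You WON!!' });
  }
  for (let i = 0; i < 5; i++) {
    events.push({ timestamp: 1000 + i * 4000, client: '10.0.0.7', subject: 'Meeting notes' });
  }
  for (let i = 0; i < 50; i++) {
    events.push({ timestamp: i * 1200, client: '10.0.0.9', subject: 'Weekly digest' });
  }
  return events.sort((a, b) => a.timestamp - b.timestamp);
}

// Run the detector over a list of events and collect the alerts it raises.
function runDetector(events, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const detector = new SubjectFloodDetector(windowMs, threshold);
  const alerts = [];
  for (const ev of events) {
    const alert = detector.observe(ev);
    if (alert) alerts.push(alert);
  }
  return alerts;
}

console.log(runDetector(sampleEvents()));
```

Keying by sending host as well as subject matters in practice: a mail relay or list server legitimately emits one subject hundreds of times, while a single workstation doing so is the behaviour you are hunting, so an allow-list of known relays keeps the alert useful. Counting RCPT TO addresses per message from the same host is a complementary signal for the "one message to hundreds of recipients" case.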