From 3d782f1f2f024b1e9bd69ab908dad16123baac9a Mon Sep 17 00:00:00 2001
From: "Mariusz B. / mgeeky"
Date: Sun, 17 Oct 2021 21:31:54 +0200
Subject: [PATCH] update
---
 phishing/decode-spam-headers.py | 87 +++++++++++++--------------------
 1 file changed, 35 insertions(+), 52 deletions(-)
diff --git a/phishing/decode-spam-headers.py b/phishing/decode-spam-headers.py
index 63443a5..56f954d 100644
--- a/phishing/decode-spam-headers.py
+++ b/phishing/decode-spam-headers.py
@@ -988,44 +988,44 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 self.headers = self.collect(text)
- self.results['Received - Mail Servers Flow'] = self.testReceived()
- self.results['Extracted IP addresses'] = self.testExtractIP()
- self.results['Extracted Domains'] = self.testResolveIntoIP()
- self.results['Bad Keywords In Headers'] = self.testBadKeywords()
- self.results['From Address Analysis'] = self.testFrom()
- self.results['Authentication-Results'] = self.testAuthenticationResults()
- self.results['ARC-Authentication-Results'] = self.testARCAuthenticationResults()
- self.results['Received-SPF'] = self.testReceivedSPF()
- self.results['Mail Client Version'] = self.testXMailer()
- self.results['User-Agent Version'] = self.testUserAgent()
- self.results['X-Forefront-Antispam-Report'] = self.testForefrontAntiSpamReport()
- self.results['X-Microsoft-Antispam-Mailbox-Delivery'] = self.testAntispamMailboxDelivery()
- self.results['X-Microsoft-Antispam Bulk Mail'] = self.testMicrosoftAntiSpam()
- self.results['End-to-End Latency - Message Delivery Time'] = self.testTransportEndToEndLatency()
- self.results['X-MS-Oob-TLC-OOBClassifiers'] = self.testTLCOObClasifiers()
- self.results['MS Defender ATP Message Properties'] = self.testATPMessageProperties()
- self.results['Domain Impersonation'] = self.testDomainImpersonation()
- self.results['X-Exchange-Antispam-Report-CFA-Test'] = self.testAntispamReportCFA()
- self.results['Spam Diagnostics Metadata'] = self.testSpamDiagnosticMetadata()
- self.results['SpamAssassin Spam Status'] = self.testSpamAssassinSpamStatus()
- self.results['SpamAssassin Spam Level'] = self.testSpamAssassinSpamLevel()
- self.results['SpamAssassin Spam Flag'] = self.testSpamAssassinSpamFlag()
- self.results['SpamAssassin Spam Report'] = self.testSpamAssassinSpamReport()
- self.results['Message Feedback Loop'] = self.testMSFBL()
- self.results['OVH\'s X-VR-SPAMCAUSE'] = self.testSpamCause()
- self.results['OVH\'s X-Ovh-Spam-Reason'] = self.testOvhSpamReason()
- self.results['OVH\'s X-Ovh-Spam-Score'] = self.testOvhSpamScore()
- self.results['X-Virus-Scan'] = self.testXVirusScan()
- self.results['X-Spam-Checker-Version'] = self.testXSpamCheckerVersion()
- self.results['X-IronPort-AV'] = self.testXIronPortAV()
- self.results['X-Mimecast-Spam-Score'] = self.testXMimecastSpamScore()
+ self.results['Received - Mail Servers Flow'] = self.testReceived()
+ self.results['Extracted IP addresses'] = self.testExtractIP()
+ self.results['Extracted Domains'] = self.testResolveIntoIP()
+ self.results['Bad Keywords In Headers'] = self.testBadKeywords()
+ self.results['From Address Analysis'] = self.testFrom()
+ self.results['Authentication-Results'] = self.testAuthenticationResults()
+ self.results['ARC-Authentication-Results'] = self.testARCAuthenticationResults()
+ self.results['Received-SPF'] = self.testReceivedSPF()
+ self.results['Mail Client Version'] = self.testXMailer()
+ self.results['User-Agent Version'] = self.testUserAgent()
+ self.results['X-Forefront-Antispam-Report'] = self.testForefrontAntiSpamReport()
+ self.results['X-Microsoft-Antispam-Mailbox-Delivery'] = self.testAntispamMailboxDelivery()
+ self.results['X-Microsoft-Antispam Bulk Mail'] = self.testMicrosoftAntiSpam()
+ self.results['X-Exchange-Antispam-Report-CFA-Test'] = self.testAntispamReportCFA()
+ self.results['Domain Impersonation'] = self.testDomainImpersonation()
+ self.results['SpamAssassin Spam Status'] = self.testSpamAssassinSpamStatus()
+ self.results['SpamAssassin Spam Level'] = self.testSpamAssassinSpamLevel()
+ self.results['SpamAssassin Spam Flag'] = self.testSpamAssassinSpamFlag()
+ self.results['SpamAssassin Spam Report'] = self.testSpamAssassinSpamReport()
+ self.results['OVH\'s X-VR-SPAMCAUSE'] = self.testSpamCause()
+ self.results['OVH\'s X-Ovh-Spam-Reason'] = self.testOvhSpamReason()
+ self.results['OVH\'s X-Ovh-Spam-Score'] = self.testOvhSpamScore()
+ self.results['X-Virus-Scan'] = self.testXVirusScan()
+ self.results['X-Spam-Checker-Version'] = self.testXSpamCheckerVersion()
+ self.results['X-IronPort-AV'] = self.testXIronPortAV()
+ self.results['X-Mimecast-Spam-Score'] = self.testXMimecastSpamScore()
+ self.results['Spam Diagnostics Metadata'] = self.testSpamDiagnosticMetadata()
+ self.results['MS Defender ATP Message Properties'] = self.testATPMessageProperties()
+ self.results['Message Feedback Loop'] = self.testMSFBL()
+ self.results['End-to-End Latency - Message Delivery Time'] = self.testTransportEndToEndLatency()
+ self.results['X-MS-Oob-TLC-OOBClassifiers'] = self.testTLCOObClasifiers()
 if self.decode_all:
- self.results['X-Microsoft-Antispam-Message-Info'] = self.testMicrosoftAntiSpamMessageInfo()
- self.results['Decoded Mail-encoded header values'] = self.testDecodeEncodedHeaders()
+ self.results['X-Microsoft-Antispam-Message-Info'] = self.testMicrosoftAntiSpamMessageInfo()
+ self.results['Decoded Mail-encoded header values'] = self.testDecodeEncodedHeaders()
- self.results['Other unrecognized Spam Related Headers'] = self.testSpamRelatedHeaders()
- self.results['Other interesting headers'] = self.testInterestingHeaders()
+ self.results['Other unrecognized Spam Related Headers'] = self.testSpamRelatedHeaders()
+ self.results['Other interesting headers'] = self.testInterestingHeaders()
 return {k: v for k, v in self.results.items() if v}
@@ -1106,8 +1106,6 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 'analysis' : result }
-
-
 def testSpamDiagnosticMetadata(self):
 (num, header, value) = self.getHeader('SpamDiagnosticMetadata')
 if num == -1: return []
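Review bot: The thirty-five `self.results[...] = self.testX()` assignments on the new side, plus the four under and after `if self.decode_all:`, are a lookup table written out by hand, so a reordering like the one this commit makes has to touch every line; a list of `(label, method)` pairs walked by one loop keeps the order in a single place and leaves `self.results` and the filtered `return` unchanged. Every `testX()` parses header text that the sender controls, and in the straight-line form the first exception raised by any of them abandons all later analyses and the `return` never runs; if a partial report is preferable to none, the loop is also the one place to catch a per-test failure and record which label failed — I cannot see the file's error-reporting convention from here, so that part is only a suggestion. The enclosing method (the one that sets `self.headers = self.collect(text)`) starts before this hunk.
```python
        # … unchanged: self.headers = self.collect(text) …
        analyses = [
            ('Received - Mail Servers Flow', self.testReceived),
            ('Extracted IP addresses', self.testExtractIP),
            # … remaining (label, method) pairs in the same order as the hunk …
            ('X-MS-Oob-TLC-OOBClassifiers', self.testTLCOObClasifiers),
        ]
        if self.decode_all:
            analyses += [
                ('X-Microsoft-Antispam-Message-Info', self.testMicrosoftAntiSpamMessageInfo),
                ('Decoded Mail-encoded header values', self.testDecodeEncodedHeaders),
            ]
        analyses += [
            ('Other unrecognized Spam Related Headers', self.testSpamRelatedHeaders),
            ('Other interesting headers', self.testInterestingHeaders),
        ]
        # Run every analysis in table order; each entry writes its own result slot.
        for label, analysis in analyses:
            self.results[label] = analysis()
        return {k: v for k, v in self.results.items() if v}
```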
@@ -1855,11 +1853,6 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 tmp += '\t' + SMTPHeadersAnalysis.ForeFront_Bulk_Confidence_Levels[levels[0]] + '\n'
 break
- tmp += f'''
- More information:
- - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values
-
-'''
 result += tmp
 return {
@@ -1998,16 +1991,6 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 if addscl: result += tmpfoo
-
- result += f'''
-
-More information:
- - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers
- - https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps
- - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels
- - https://docs.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/run-a-message-trace-and-view-results
-
-'''
 if len(result) == 0: return []