From 5f80f17a94fc5bbfa5510f8a0998f8f714b6a8d7 Mon Sep 17 00:00:00 2001
From: "Mariusz B. / mgeeky"
Date: Sun, 17 Oct 2021 18:38:06 +0200
Subject: [PATCH] update
---
 phishing/decode-spam-headers.py | 36 +++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
diff --git a/phishing/decode-spam-headers.py b/phishing/decode-spam-headers.py
index 1d3ef1a..d5909f5 100644
--- a/phishing/decode-spam-headers.py
+++ b/phishing/decode-spam-headers.py
@@ -868,6 +868,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 self.results['SpamAssassin Spam Report'] = self.testSpamAssassinSpamReport()
 self.results['Message Feedback Loop'] = self.testMSFBL()
 self.results['Other interesting headers'] = self.testInterestingHeaders()
+ self.results['OVH\'s X-VR-SPAMCAUSE'] = self.testSpamCause()
 return {k: v for k, v in self.results.items() if v}
@@ -887,6 +888,41 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 parts = fqdn.split('.')
 return '.'.join(parts[-2:])
+ @staticmethod
+ def decodeSpamcause(msg):
+ text = []
+ for i in range(0, len(msg), 2):
+ text.append(SMTPHeadersAnalysis.unrotSpamcause(msg[i: i + 2]))
+ return str.join('', text)
+
+ @staticmethod
+ def unrotSpamcause(pair, key=ord('x')):
+ offset = 0
+ for c in 'cdefgh':
+ if c in pair:
+ offset = (ord('g') - ord(c)) * 16
+ break
+ return chr(sum(ord(c) for c in pair) - key - offset)
+
+ def testSpamCause(self):
+ (num, header, value) = self.getHeader('X-VR-SPAMCAUSE')
+ if num == -1: return []
+
+ result = ''
+ value = SMTPHeadersAnalysis.flattenLine(value).replace(' ', '').replace('\t', '')
+
+ decoded = SMTPHeadersAnalysis.decodeSpamcause(value)
+ result = decoded
+
+ if len(result) == 0:
+ return []
+
+ return {
+ 'header' : header,
+ 'value': value,
+ 'analysis' : result
+ }
+
 def testMSFBL(self):
 (num, header, value) = self.getHeader('X-MSFBL')
 if num == -1: return []
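Review bot: `unrotSpamcause` passes `sum(ord(c) for c in pair) - key - offset` straight to `chr()`, which raises `ValueError` whenever the result is negative, for example on the single trailing character that `decodeSpamcause` yields for an odd-length value, or on a pair of low code points. The X-VR-SPAMCAUSE value is set by whoever sent or relayed the message, so `testSpamCause` should treat a failed decode as no result: wrap the call as `try: decoded = SMTPHeadersAnalysis.decodeSpamcause(value)` followed by `except ValueError: return []`. Because the first hunk adds this test to the unconditional results list, an uncaught exception here would presumably abort the whole header analysis (the collecting method's body lies outside the hunk). The decoded text is also arbitrary characters from an untrusted header, so it is worth escaping non-printable characters before it is displayed; how `analysis` is rendered is not visible here.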