This commit is contained in:
Mariusz B. / mgeeky 2021-10-26 23:33:51 +02:00
parent 683a25d8c7
commit 815e394005

View File

@ -318,7 +318,7 @@ class SMTPHeadersAnalysis:
'trusteer', 'trustlook', 'virusblokada', 'virustotal', 'virustotalcloud', 'webroot', 'trusteer', 'trustlook', 'virusblokada', 'virustotal', 'virustotalcloud', 'webroot',
'yandex', 'yandexbot', 'zillya', 'zonealarm', 'zscaler', '-sea-', 'perlmx', 'trustwave', 'yandex', 'yandexbot', 'zillya', 'zonealarm', 'zscaler', '-sea-', 'perlmx', 'trustwave',
'mailmarshal', 'tmase', 'startscan', 'fe-etp', 'jemd', 'suspicious', 'grey', 'infected', 'unscannable', 'mailmarshal', 'tmase', 'startscan', 'fe-etp', 'jemd', 'suspicious', 'grey', 'infected', 'unscannable',
'dlp-', 'sanitize' 'dlp-', 'sanitize', 'mailscan', 'barracuda',
) )
Interesting_Headers = ( Interesting_Headers = (
@ -1176,6 +1176,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
('X-Sender-IP', self.testXSenderIP), ('X-Sender-IP', self.testXSenderIP),
('X-Forefront-Antispam-Report-Untrusted', self.testForefrontAntiSpamReportUntrusted), ('X-Forefront-Antispam-Report-Untrusted', self.testForefrontAntiSpamReportUntrusted),
('X-Microsoft-Antispam-Untrusted', self.testForefrontAntiSpamUntrusted), ('X-Microsoft-Antispam-Untrusted', self.testForefrontAntiSpamUntrusted),
('X-Mimecast-Impersonation-Protect', self.testMimecastImpersonationProtect),
# #
# These tests shall be the last ones. # These tests shall be the last ones.
@ -1195,6 +1196,10 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
('Decoded Mail-encoded header values', self.testDecodeEncodedHeaders), ('Decoded Mail-encoded header values', self.testDecodeEncodedHeaders),
) )
testsReturningArray = (
('Header Containing Client IP', self.testAnyOtherIP),
)
for testName, testFunc in tests: for testName, testFunc in tests:
try: try:
self.logger.dbg(f'Running "{testName}"...') self.logger.dbg(f'Running "{testName}"...')
@ -1213,7 +1218,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
raise raise
if self.decode_all: if self.decode_all:
for testName, testFunc in tests: for testName, testFunc in testsDecodeAll:
try: try:
self.logger.dbg(f'Running "{testName}"...') self.logger.dbg(f'Running "{testName}"...')
self.results[testName] = testFunc() self.results[testName] = testFunc()
@ -1230,6 +1235,28 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
if options['debug']: if options['debug']:
raise raise
for testName, testFunc in testsReturningArray:
try:
self.logger.dbg(f'Running "{testName}"...')
outs = testFunc()
num = 0
for o in outs:
num += 1
self.results[testName + ' ' + str(num)] = o
except Exception as e:
self.logger.err(f'Test: "{testName}" failed: {e} . Use --debug to show entire stack trace.')
self.results[testName] = {
'header' : '',
'value' : '',
'analysis' : 'Internal script error. Use --debug to find out more what happened.',
}
if options['debug']:
raise
for k in self.results.keys(): for k in self.results.keys():
if len(self.results[k]) == 0: if len(self.results[k]) == 0:
continue continue
@ -1379,6 +1406,18 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'description' : '', 'description' : '',
} }
def testAnyOtherIP(self):
outputs = []
for (num, header, value) in self.headers:
if header.lower().endswith('-ip'):
result = f'- Connecting Client IP detected in header {header}:'
outputs.append(self._originatingIPTest(result, '', num, header, value))
return outputs
def testXTMApprSender(self): def testXTMApprSender(self):
(num, header, value) = self.getHeader('X-TM-AS-User-Approved-Sender') (num, header, value) = self.getHeader('X-TM-AS-User-Approved-Sender')
if num == -1: return [] if num == -1: return []
@ -1399,6 +1438,42 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'description' : '', 'description' : '',
} }
def testMimecastImpersonationProtect(self):
(num, header, value) = self.getHeader('X-Mimecast-Impersonation-Protect')
if num == -1: return []
result = '- Mimecast mail impersonation report:\n\n'
self.securityAppliances.add('Mimecast')
value = SMTPHeadersAnalysis.flattenLine(value)
for line in value.split(';'):
if '=' in line:
(a, b) = line.split('=')
a = a.strip()
b = b.strip()
if b.lower() == 'false':
b = self.logger.colored(b, 'green')
elif b.lower() == 'true':
b = self.logger.colored(b, 'red')
a = self.logger.colored(a, 'red')
if a.lower() == 'policy':
b = self.logger.colored(b, 'magenta')
result += f'\t- {a}: {b}\n'
else:
result += f'\t- {line}\n'
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : '',
}
def testXTMBlockSender(self): def testXTMBlockSender(self):
(num, header, value) = self.getHeader('X-TM-AS-User-Blocked-Sender') (num, header, value) = self.getHeader('X-TM-AS-User-Blocked-Sender')
if num == -1: return [] if num == -1: return []
@ -3552,6 +3627,24 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
self.securityAppliances.add('Mimecast') self.securityAppliances.add('Mimecast')
result = f'- Mimecast attached following Spam score: {vvv}\n' result = f'- Mimecast attached following Spam score: {vvv}\n'
try:
score = int(value.strip())
if score < 3:
result += '\t- ' + self.logger.colored('Not a spam', 'green')
if score >= 3 and score < 5:
result += '\t- ' + self.logger.colored('Low confidence it is a spam', 'green')
if score > 5 and score <= 7:
result += '\t- ' + self.logger.colored('Medium confidence that might be a spam', 'yellow')
if score > 7:
result += '\t- ' + self.logger.colored('High confidence - this is a SPAM', 'red')
except:
pass
return { return {
'header' : header, 'header' : header,
'value': value, 'value': value,