From ca6fd327472c18ea0090e4a5c6bb97d5844f55ac Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Thu, 28 Oct 2021 21:12:23 +0200
Subject: [PATCH] updated decode-spam-headers.py
---
.../decode-spam-headers.py | 42 ++++++++++++++++++-
phishing/phishing-HTML-linter.py | 31 ++++++++++++++
2 files changed, 71 insertions(+), 2 deletions(-)
diff --git a/phishing/decode-spam-headers/decode-spam-headers.py b/phishing/decode-spam-headers/decode-spam-headers.py
index 2647844..e1cf96b 100644
--- a/phishing/decode-spam-headers/decode-spam-headers.py
+++ b/phishing/decode-spam-headers/decode-spam-headers.py
@@ -611,15 +611,53 @@ class SMTPHeadersAnalysis:
 'SPAM' : logger.colored('SPAM', 'red'),
 }
- Anti_Spam_Rules_ReverseEngineered = {
+
+ #
+ # Below rules were collected solely in a trial-and-error manner or by scraping any
+ # pieces of information from all around the Internet.
+ #
+ # They do not represent the actual Anti-Spam rule name or context and surely represent
+ # something close to what is understood (or they may have totally different meaning).
+ #
+ # Until we'll be able to review anti-spam rules documention, there is no viable mean to map
+ # rule ID to its meaning.
+ #
+ Anti_Spam_Rules_ReverseEngineered = \
+ {
 '35100500006' : logger.colored('(SPAM) Message contained embedded image. Score +4', 'red'), # https://docs.microsoft.com/en-us/answers/questions/416100/what-is-meanings-of-39x-microsoft-antispam-mailbox.html
 '520007050' : logger.colored('(SPAM) Moved message to Spam and created Email Rule to move messages from this particular sender to Junk.', 'red'),
+
+ # triggered on an empty mail with subject being: "test123 - viagra"
+ '162623004' : 'Subject line contained suspicious words (like Viagra).',
+
+ # triggered on mail with subject "test123" and body being single word "viagra"
+ '19618925003' : 'Mail body contained suspicious words (like Viagra).',
+
+ # triggered on mail with empty body and subject "Click here"
+ '28233001' : 'Subject line contained suspicious words luring action (like "Click here"). ',
+
+ # triggered on a mail with test subject and 1500 words of http://nietzsche-ipsum.com/
+ '30864003' : 'Mail body contained a lot of text (more than 10.000 characters).',
+
+ # mails that had simple message such as "Hello world" triggered this rule, whereas mails with
+ # more than 150 words did not.
+ '564344004' : 'HTML mail body with less than 150 words of text (not sure how much less though)',
+
+ # message was sent with a basic html and only one tag in body. 
+ '67856001' : 'HTML mail body contained underline tag.',
+
+ # message with html,head,body and body containing simple text with no b/i/u formatting.
+ '579124003' : 'HTML mail body contained text, but no text formatting (, , ) was present',
+
+ # This is a strong signal. Mails without doesnt have this rule.
+ '166002' : 'HTML mail body contained URL link.',
 }
 ForeFront_Spam_Confidence_Levels = {
- -1 : (False, logger.colored('The message skipped spam filtering. Probably Whitelisted.', 'green')),
+ -1 : (False, logger.colored('The message skipped spam filtering. WHITELISTED.', 'green')),
 0 : (False, logger.colored('Spam filtering determined the message was not spam.', 'green')),
 1 : (False, 'The message skipped spam filtering'),
 5 : (True, logger.colored('Spam filtering marked the message as Spam', 'red')),
diff --git a/phishing/phishing-HTML-linter.py b/phishing/phishing-HTML-linter.py
index 14795f4..5d947be 100644
--- a/phishing/phishing-HTML-linter.py
+++ b/phishing/phishing-HTML-linter.py
@@ -4,6 +4,7 @@ import os, sys, re
 import string
 import argparse
 import yaml
+import textwrap
 import json
 from bs4 import BeautifulSoup
@@ -24,6 +25,7 @@ class PhishingMailParser:
 self.results['Embedded Images'] = self.testEmbeddedImages()
 self.results['Images without ALT'] = self.testImagesNoAlt()
 self.results['Masqueraded Links'] = self.testMaskedLinks()
+ self.results['Use of underline tag '] = self.testUnderlineTag()
 return {k: v for k, v in self.results.items() if v}
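Review bot: Changing the SCL -1 text from "Probably Whitelisted." to a definitive "WHITELISTED." in ForeFront_Spam_Confidence_Levels overstates what the value proves: Microsoft documents -1 only as "the message skipped spam filtering", which covers a safe-sender/safe-recipient entry, an IP Allow List hit or a mail flow rule that set the SCL, not just an explicit whitelist. For an analyst triaging a phish that landed with -1, which bypass applied is exactly the open question, so I would keep the hedge and name the candidates, e.g. `'The message skipped spam filtering (SCL -1): safe sender/recipient, IP allow list or a mail flow rule that set the SCL.'`. The same concern applies to the ten new rule IDs: the comment block above them says the mappings are trial-and-error guesses, yet the strings reach the user with no such marker, unlike the two existing entries that carry a '(SPAM)' tag and colour; a suffix such as ' (meaning unverified)' on each new value would keep the output's confidence in line with the comment. The comment itself reads "surely represent something close" which contradicts the sentence before it; "may represent" is what was meant.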
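Review bot: The new result key `'Use of underline tag '` carries a trailing space, unlike the sibling keys on the lines above, and that key is the text printed as the test title in printOutput and the name any consumer of the results dict would look up, so it will not match the name a reader sees; `self.results['Use of underline tag'] = self.testUnderlineTag()`. The enclosing method starts before the hunk.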
@@ -39,6 +41,26 @@ class PhishingMailParser:
 return f'{beg}...{end}'
+ def testUnderlineTag(self):
+ links = self.soup('u')
+
+ if not links or len(links) == 0:
+ return []
+
+ desc = 'Underline tags are recognized by anti-spam filters and trigger additional rule (Office365: 67856001), but by their own shouldnt impact spam score.'
+ result = f'- Found {len(links)} tags. This is not by itself an indication of spam, but is known to trigger some rules (like Office365: 67856001)\n'
+
+ context = ''
+ for i in range(len(links)):
+ context += '\t- ' + str(links[i]) + '\n'
+ if i > 10: break
+
+ return {
+ 'description' : desc,
+ 'context' : context,
+ 'analysis' : result
+ }
+
 def testMaskedLinks(self):
 links = self.soup('a')
@@ -166,6 +188,12 @@ def printOutput(out):
 num += 1
 analysis = v['analysis']
 context = v['context']
+ desc = '\n'.join(textwrap.wrap(
+ v['description'],
+ width = 80,
+ initial_indent = '',
+ subsequent_indent = ' '
+ ))
 analysis = analysis.replace('- ', '\t- ')
@@ -173,6 +201,9 @@ def printOutput(out):
 ------------------------------------------
 ({num}) Test: {k}
+DESCRIPTION:
+ {desc}
+
 CONTEXT:
 {context}
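Review bot: The context loop in testUnderlineTag collects twelve tags, not ten: `if i > 10: break` fires only after index 11 has already been appended, and the `range(len(links))` form hides the off-by-one; `context = ''.join('\t- ' + str(tag) + '\n' for tag in links[:10])` replaces the `context = ''` initialisation and the loop and caps it at ten. The guard `if not links or len(links) == 0` tests the same thing twice; `if not links:` is enough. The `desc` string asserts that underline tags "by their own shouldnt impact spam score", which the companion change in decode-spam-headers.py explicitly labels a trial-and-error guess, so I would phrase it as an observation, e.g. `'Underline tags were observed to trigger Office365 rule 67856001 (meaning unverified); no score change was seen from them alone.'`. Finally, `str(links[i])` writes the tag's raw HTML to the terminal unescaped, so if the linted HTML was not authored by the operator it could carry control or ANSI sequences; `repr(tag)` or a control-character strip keeps the output safe to read.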
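Review bot: `v['description']` on the new line assumes every test's result dict now carries a 'description' key, but within this commit only testUnderlineTag returns one; unless the other test methods (outside the hunk) already set it, the first non-underline finding raises KeyError inside printOutput. `desc = '\n'.join(textwrap.wrap(v.get('description', ''), width=80, initial_indent='', subsequent_indent=' '))` degrades to an empty DESCRIPTION block instead of aborting the report. printOutput starts before and ends after the hunk.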