updated decode-spam-headers.py
parent
09093a8b81
commit
ca6fd32747
@ -611,15 +611,53 @@ class SMTPHeadersAnalysis:
|
|||||||
'SPAM' : logger.colored('SPAM', 'red'),
|
'SPAM' : logger.colored('SPAM', 'red'),
|
||||||
}
|
}
|
||||||
|
|
||||||
Anti_Spam_Rules_ReverseEngineered = {
|
|
||||||
|
#
|
||||||
|
# Below rules were collected solely in a trial-and-error manner or by scraping any
|
||||||
|
# pieces of information from all around the Internet.
|
||||||
|
#
|
||||||
|
# They do not represent the actual Anti-Spam rule name or context and surely represent
|
||||||
|
# something close to what is understood (or they may have totally different meaning).
|
||||||
|
#
|
||||||
|
# Until we'll be able to review anti-spam rules documention, there is no viable mean to map
|
||||||
|
# rule ID to its meaning.
|
||||||
|
#
|
||||||
|
|
||||||
|
Anti_Spam_Rules_ReverseEngineered = \
|
||||||
|
{
|
||||||
'35100500006' : logger.colored('(SPAM) Message contained embedded image. Score +4', 'red'),
|
'35100500006' : logger.colored('(SPAM) Message contained embedded image. Score +4', 'red'),
|
||||||
|
|
||||||
# https://docs.microsoft.com/en-us/answers/questions/416100/what-is-meanings-of-39x-microsoft-antispam-mailbox.html
|
# https://docs.microsoft.com/en-us/answers/questions/416100/what-is-meanings-of-39x-microsoft-antispam-mailbox.html
|
||||||
'520007050' : logger.colored('(SPAM) Moved message to Spam and created Email Rule to move messages from this particular sender to Junk.', 'red'),
|
'520007050' : logger.colored('(SPAM) Moved message to Spam and created Email Rule to move messages from this particular sender to Junk.', 'red'),
|
||||||
|
|
||||||
|
# triggered on an empty mail with subject being: "test123 - viagra"
|
||||||
|
'162623004' : 'Subject line contained suspicious words (like Viagra).',
|
||||||
|
|
||||||
|
# triggered on mail with subject "test123" and body being single word "viagra"
|
||||||
|
'19618925003' : 'Mail body contained suspicious words (like Viagra).',
|
||||||
|
|
||||||
|
# triggered on mail with empty body and subject "Click here"
|
||||||
|
'28233001' : 'Subject line contained suspicious words luring action (like "Click here"). ',
|
||||||
|
|
||||||
|
# triggered on a mail with test subject and 1500 words of http://nietzsche-ipsum.com/
|
||||||
|
'30864003' : 'Mail body contained a lot of text (more than 10.000 characters).',
|
||||||
|
|
||||||
|
# mails that had simple message such as "Hello world" triggered this rule, whereas mails with
|
||||||
|
# more than 150 words did not.
|
||||||
|
'564344004' : 'HTML mail body with less than 150 words of text (not sure how much less though)',
|
||||||
|
|
||||||
|
# message was sent with a basic html and only one <u> tag in body.
|
||||||
|
'67856001' : 'HTML mail body contained underline <u> tag.',
|
||||||
|
|
||||||
|
# message with html,head,body and body containing simple text with no b/i/u formatting.
|
||||||
|
'579124003' : 'HTML mail body contained text, but no text formatting (<b>, <i>, <u>) was present',
|
||||||
|
|
||||||
|
# This is a strong signal. Mails without <a> doesnt have this rule.
|
||||||
|
'166002' : 'HTML mail body contained URL <a> link.',
|
||||||
}
|
}
|
||||||
|
|
||||||
ForeFront_Spam_Confidence_Levels = {
|
ForeFront_Spam_Confidence_Levels = {
|
||||||
-1 : (False, logger.colored('The message skipped spam filtering. Probably Whitelisted.', 'green')),
|
-1 : (False, logger.colored('The message skipped spam filtering. WHITELISTED.', 'green')),
|
||||||
0 : (False, logger.colored('Spam filtering determined the message was not spam.', 'green')),
|
0 : (False, logger.colored('Spam filtering determined the message was not spam.', 'green')),
|
||||||
1 : (False, 'The message skipped spam filtering'),
|
1 : (False, 'The message skipped spam filtering'),
|
||||||
5 : (True, logger.colored('Spam filtering marked the message as Spam', 'red')),
|
5 : (True, logger.colored('Spam filtering marked the message as Spam', 'red')),
|
||||||
|
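Review bot: The new rule descriptions added from `'162623004'` through `'166002'` are emitted to the analyst as flat statements of fact, while the comment block directly above says they were collected by trial and error and "may have totally different meaning" — that caveat lives only in the source, not in the report the analyst actually reads at triage time. A visible marker on each guessed entry, e.g. `'162623004' : '(unconfirmed) Subject line contained suspicious words (like Viagra).',`, or one `'(reverse-engineered, unconfirmed) '` prefix applied when this dict is rendered, would keep a documented rule such as `520007050` (which carries a Microsoft docs link) distinguishable from a guess. `'28233001'` also ends with a trailing space inside the string literal, which will be carried into the output. Separately, the SCL `-1` wording was changed from `'Probably Whitelisted.'` to `'WHITELISTED.'`; as far as Microsoft's published SCL table goes, -1 only means the message skipped spam filtering (safe sender, safe recipient, allow-listed IP, and, I believe, intra-org mail or a mail flow rule that sets SCL -1), so the earlier hedge was the more accurate label and a green `WHITELISTED` invites an analyst to dismiss a message that merely bypassed filtering. The enclosing `SMTPHeadersAnalysis` class starts and ends outside this hunk.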
@ -4,6 +4,7 @@ import os, sys, re
|
|||||||
import string
|
import string
|
||||||
import argparse
|
import argparse
|
||||||
import yaml
|
import yaml
|
||||||
|
import textwrap
|
||||||
import json
|
import json
|
||||||
|
|
||||||
from bs4 import BeautifulSoup
|
from bs4 import BeautifulSoup
|
||||||
@ -24,6 +25,7 @@ class PhishingMailParser:
|
|||||||
self.results['Embedded Images'] = self.testEmbeddedImages()
|
self.results['Embedded Images'] = self.testEmbeddedImages()
|
||||||
self.results['Images without ALT'] = self.testImagesNoAlt()
|
self.results['Images without ALT'] = self.testImagesNoAlt()
|
||||||
self.results['Masqueraded Links'] = self.testMaskedLinks()
|
self.results['Masqueraded Links'] = self.testMaskedLinks()
|
||||||
|
self.results['Use of underline tag <u>'] = self.testUnderlineTag()
|
||||||
|
|
||||||
return {k: v for k, v in self.results.items() if v}
|
return {k: v for k, v in self.results.items() if v}
|
||||||
|
|
||||||
@ -39,6 +41,26 @@ class PhishingMailParser:
|
|||||||
|
|
||||||
return f'{beg}...{end}'
|
return f'{beg}...{end}'
|
||||||
|
|
||||||
|
def testUnderlineTag(self):
|
||||||
|
links = self.soup('u')
|
||||||
|
|
||||||
|
if not links or len(links) == 0:
|
||||||
|
return []
|
||||||
|
|
||||||
|
desc = 'Underline tags are recognized by anti-spam filters and trigger additional rule (Office365: 67856001), but by their own shouldnt impact spam score.'
|
||||||
|
result = f'- Found {len(links)} <u> tags. This is not by itself an indication of spam, but is known to trigger some rules (like Office365: 67856001)\n'
|
||||||
|
|
||||||
|
context = ''
|
||||||
|
for i in range(len(links)):
|
||||||
|
context += '\t- ' + str(links[i]) + '\n'
|
||||||
|
if i > 10: break
|
||||||
|
|
||||||
|
return {
|
||||||
|
'description' : desc,
|
||||||
|
'context' : context,
|
||||||
|
'analysis' : result
|
||||||
|
}
|
||||||
|
|
||||||
def testMaskedLinks(self):
|
def testMaskedLinks(self):
|
||||||
links = self.soup('a')
|
links = self.soup('a')
|
||||||
|
|
||||||
@ -166,6 +188,12 @@ def printOutput(out):
|
|||||||
num += 1
|
num += 1
|
||||||
analysis = v['analysis']
|
analysis = v['analysis']
|
||||||
context = v['context']
|
context = v['context']
|
||||||
|
desc = '\n'.join(textwrap.wrap(
|
||||||
|
v['description'],
|
||||||
|
width = 80,
|
||||||
|
initial_indent = '',
|
||||||
|
subsequent_indent = ' '
|
||||||
|
))
|
||||||
|
|
||||||
analysis = analysis.replace('- ', '\t- ')
|
analysis = analysis.replace('- ', '\t- ')
|
||||||
|
|
||||||
@ -173,6 +201,9 @@ def printOutput(out):
|
|||||||
------------------------------------------
|
------------------------------------------
|
||||||
({num}) Test: {k}
|
({num}) Test: {k}
|
||||||
|
|
||||||
|
DESCRIPTION:
|
||||||
|
{desc}
|
||||||
|
|
||||||
CONTEXT:
|
CONTEXT:
|
||||||
{context}
|
{context}
|
||||||
|
|
||||||
|
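Review bot: In the new `testUnderlineTag` the context loop collects twelve tags rather than ten — `if i > 10: break` is evaluated after the append, so indices 0 through 11 are written before it fires; iterating a slice directly, `for tag in links[:10]: context += '\t- ' + str(tag) + '\n'`, gives the intended bound and drops the `range(len(...))` indexing. The guard `if not links or len(links) == 0` is redundant since `if not links:` already covers an empty result set, and the name `links` (carried over from `testMaskedLinks`) is misleading for `<u>` elements; `tags` would read better. The `desc` string asserts that underline tags "by their own shouldnt impact spam score", which nothing in this diff substantiates (the companion `decode-spam-headers.py` entry for `67856001` only says the tag was detected), so softer wording such as `'... (Office365: 67856001); on its own this does not appear to change the spam score.'` would be more honest. Note also that `str(links[i])` dumps the raw element HTML from the analysed message straight into the report with no truncation, so a very long or control-character-laden `<u>` body is printed verbatim to the terminal. `testMaskedLinks` begins at the bottom of this hunk and continues outside it.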