From d082bad8f3858246bdc2269181ae5a6287e1f215 Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Sun, 17 Oct 2021 22:07:39 +0200 Subject: [PATCH] update --- phishing/decode-spam-headers.py | 57 +++++++++++++++++++++++++-------- 1 file changed, 43 insertions(+), 14 deletions(-) diff --git a/phishing/decode-spam-headers.py b/phishing/decode-spam-headers.py index 29cb82a..0abf49e 100644 --- a/phishing/decode-spam-headers.py +++ b/phishing/decode-spam-headers.py @@ -266,6 +266,7 @@ class SMTPHeadersAnalysis: 'symantec', 'tachyon', 'tencent', 'totaldefense', 'trapmine', 'trend micro', 'trendmicro', 'trusteer', 'trustlook', 'virusblokada', 'virustotal', 'virustotalcloud', 'webroot', 'wget', 'yandex', 'yandexbot', 'zillya', 'zonealarm', 'zscaler', + 'dlp-', ) Interesting_Headers = ( @@ -287,6 +288,7 @@ class SMTPHeadersAnalysis: 'dovecot', 'roundcube', '-IP', + 'check', ) Headers_Known_For_Breaking_Line = ( @@ -1154,12 +1156,16 @@ Results will be unsound. Make sure you have pasted your headers with correct spa m1 = re.search(r'\=\?[a-z0-9\-]+\?Q\?', v1, re.I) if m1: - v1d = emailheader.decode_header(v1)[0][0].decode() + v1d = emailheader.decode_header(value)[0][0] + if type(v1d) == bytes: + v1d = v1d.decode() v1 = v1d m2 = re.search(r'\=\?[a-z0-9\-]+\?Q\?', v2, re.I) if m2: - v2d = emailheader.decode_header(v2)[0][0].decode() + v2d = emailheader.decode_header(value)[0][0] + if type(v2d) == bytes: + v2d = v2d.decode() v2 = v2d result += f'\t- Subject: {self.logger.colored(v1, "green")}\n' @@ -1433,7 +1439,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa num0 += 1 hhh = re.sub(r'(' + re.escape(dodgy) + r')', self.logger.colored(r'\1', 'red'), header, flags=re.I) - tmp += f'\t({num0:02}) {self.logger.colored("Header", "magenta")}: {hhh}\n' + tmp += f'\t({num0:02}) {self.logger.colored("Header", "magenta")}: {hhh}\n' tmp += f'\t Keyword: {dodgy}\n' tmp += f'\t Value: {value[:120]}\n\n' shown.add(header) @@ -2106,7 +2112,9 @@ Results will be unsound. Make sure you have pasted your headers with correct spa if m: num0 += 1 - value_decoded = emailheader.decode_header(value)[0][0].decode() + value_decoded = emailheader.decode_header(value)[0][0] + if type(value_decoded) == bytes: + value_decoded = value_decoded.decode() hhh = self.logger.colored(header, 'magenta') tmp += f'\t({num0:02}) Header: {hhh}\n' @@ -2140,10 +2148,14 @@ Results will be unsound. Make sure you have pasted your headers with correct spa (num, header, value) = self.getHeader('X-Microsoft-Antispam-Message-Info') if num == -1: return [] - value = emailheader.decode_header(value)[0][0].decode() + value = emailheader.decode_header(value)[0][0] + if type(value) == bytes: + value = value.decode() + result = '- Base64 encoded & encrypted Antispam Message Info:\n\n' result += value + tmp = '' tmp += f'\n\n\t- Base64 decoded Hexdump:\n\n' tmp += SMTPHeadersAnalysis.hexdump(base64.b64decode(value)) tmp += '\n\n\n' @@ -2342,18 +2354,32 @@ Results will be unsound. Make sure you have pasted your headers with correct spa } def testAuthenticationResults(self): - (num, header, value) = self.getHeader('Authentication-Results') - if num == -1: return [] - - return self._testAuthenticationResults(num, header, value) + return self._testAuthenticationResults('Authentication-Results') def testARCAuthenticationResults(self): - (num, header, value) = self.getHeader('ARC-Authentication-Results') - if num == -1: return [] + return self._testAuthenticationResults('ARC-Authentication-Results') - return self._testAuthenticationResults(num, header, value) + def _testAuthenticationResults(self, targetHeader): + headersCounted = 0 + headersCountedAll = 0 - def _testAuthenticationResults(self, num, header, value): + for (num, header, value) in self.headers: + if header.lower() == targetHeader.lower(): + headersCountedAll += 1 + + for (num, header, value) in self.headers: + if header.lower() == targetHeader.lower(): + headersCounted += 1 + out = self._testAuthenticationResultsWorker(num, header, value) + if out != []: + analysis = out['analysis'] + result = f'- There were {self.logger.colored(headersCountedAll, "magenta")} headers named {self.logger.colored(targetHeader, "magenta")}. The {headersCounted}. one is considered problematic:\n' + out['analysis'] = result + '\n' + analysis + return out + + return [] + + def _testAuthenticationResultsWorker(self, num, header, value): value = SMTPHeadersAnalysis.flattenLine(value) tests = {} result = '' @@ -2369,7 +2395,10 @@ Results will be unsound. Make sure you have pasted your headers with correct spa expected.append('bestguesspass') if k in tests.keys() and tests[k] not in expected: - result += self.logger.colored(f'- {k.upper()} test failed:', 'red') + ' Should be "pass", but was: "' + tests[k] + '"\n' + p = self.logger.colored('pass', 'green') + p2 = self.logger.colored(tests[k], 'red') + + result += self.logger.colored(f'- {k.upper()} test failed:', 'red') + f' Should be "{p}", but was: "' + p2 + '"\n' if tests[k] in SMTPHeadersAnalysis.auth_result.keys(): result += '\t- Meaning: ' + SMTPHeadersAnalysis.auth_result[tests[k]] + '\n\n'