This commit is contained in:
Mariusz B. / mgeeky 2021-10-17 22:07:39 +02:00
parent 61c64a84e8
commit d082bad8f3
1 changed files with 43 additions and 14 deletions

View File

@ -266,6 +266,7 @@ class SMTPHeadersAnalysis:
'symantec', 'tachyon', 'tencent', 'totaldefense', 'trapmine', 'trend micro', 'trendmicro', 'symantec', 'tachyon', 'tencent', 'totaldefense', 'trapmine', 'trend micro', 'trendmicro',
'trusteer', 'trustlook', 'virusblokada', 'virustotal', 'virustotalcloud', 'webroot', 'trusteer', 'trustlook', 'virusblokada', 'virustotal', 'virustotalcloud', 'webroot',
'wget', 'yandex', 'yandexbot', 'zillya', 'zonealarm', 'zscaler', 'wget', 'yandex', 'yandexbot', 'zillya', 'zonealarm', 'zscaler',
'dlp-',
) )
Interesting_Headers = ( Interesting_Headers = (
@ -287,6 +288,7 @@ class SMTPHeadersAnalysis:
'dovecot', 'dovecot',
'roundcube', 'roundcube',
'-IP', '-IP',
'check',
) )
Headers_Known_For_Breaking_Line = ( Headers_Known_For_Breaking_Line = (
@ -1154,12 +1156,16 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
m1 = re.search(r'\=\?[a-z0-9\-]+\?Q\?', v1, re.I) m1 = re.search(r'\=\?[a-z0-9\-]+\?Q\?', v1, re.I)
if m1: if m1:
v1d = emailheader.decode_header(v1)[0][0].decode() v1d = emailheader.decode_header(value)[0][0]
if type(v1d) == bytes:
v1d = v1d.decode()
v1 = v1d v1 = v1d
m2 = re.search(r'\=\?[a-z0-9\-]+\?Q\?', v2, re.I) m2 = re.search(r'\=\?[a-z0-9\-]+\?Q\?', v2, re.I)
if m2: if m2:
v2d = emailheader.decode_header(v2)[0][0].decode() v2d = emailheader.decode_header(value)[0][0]
if type(v2d) == bytes:
v2d = v2d.decode()
v2 = v2d v2 = v2d
result += f'\t- Subject: {self.logger.colored(v1, "green")}\n' result += f'\t- Subject: {self.logger.colored(v1, "green")}\n'
@ -2106,7 +2112,9 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
if m: if m:
num0 += 1 num0 += 1
value_decoded = emailheader.decode_header(value)[0][0].decode() value_decoded = emailheader.decode_header(value)[0][0]
if type(value_decoded) == bytes:
value_decoded = value_decoded.decode()
hhh = self.logger.colored(header, 'magenta') hhh = self.logger.colored(header, 'magenta')
tmp += f'\t({num0:02}) Header: {hhh}\n' tmp += f'\t({num0:02}) Header: {hhh}\n'
@ -2140,10 +2148,14 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
(num, header, value) = self.getHeader('X-Microsoft-Antispam-Message-Info') (num, header, value) = self.getHeader('X-Microsoft-Antispam-Message-Info')
if num == -1: return [] if num == -1: return []
value = emailheader.decode_header(value)[0][0].decode() value = emailheader.decode_header(value)[0][0]
if type(value) == bytes:
value = value.decode()
result = '- Base64 encoded & encrypted Antispam Message Info:\n\n' result = '- Base64 encoded & encrypted Antispam Message Info:\n\n'
result += value result += value
tmp = ''
tmp += f'\n\n\t- Base64 decoded Hexdump:\n\n' tmp += f'\n\n\t- Base64 decoded Hexdump:\n\n'
tmp += SMTPHeadersAnalysis.hexdump(base64.b64decode(value)) tmp += SMTPHeadersAnalysis.hexdump(base64.b64decode(value))
tmp += '\n\n\n' tmp += '\n\n\n'
@ -2342,18 +2354,32 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
} }
def testAuthenticationResults(self): def testAuthenticationResults(self):
(num, header, value) = self.getHeader('Authentication-Results') return self._testAuthenticationResults('Authentication-Results')
if num == -1: return []
return self._testAuthenticationResults(num, header, value)
def testARCAuthenticationResults(self): def testARCAuthenticationResults(self):
(num, header, value) = self.getHeader('ARC-Authentication-Results') return self._testAuthenticationResults('ARC-Authentication-Results')
if num == -1: return []
return self._testAuthenticationResults(num, header, value) def _testAuthenticationResults(self, targetHeader):
headersCounted = 0
headersCountedAll = 0
def _testAuthenticationResults(self, num, header, value): for (num, header, value) in self.headers:
if header.lower() == targetHeader.lower():
headersCountedAll += 1
for (num, header, value) in self.headers:
if header.lower() == targetHeader.lower():
headersCounted += 1
out = self._testAuthenticationResultsWorker(num, header, value)
if out != []:
analysis = out['analysis']
result = f'- There were {self.logger.colored(headersCountedAll, "magenta")} headers named {self.logger.colored(targetHeader, "magenta")}. The {headersCounted}. one is considered problematic:\n'
out['analysis'] = result + '\n' + analysis
return out
return []
def _testAuthenticationResultsWorker(self, num, header, value):
value = SMTPHeadersAnalysis.flattenLine(value) value = SMTPHeadersAnalysis.flattenLine(value)
tests = {} tests = {}
result = '' result = ''
@ -2369,7 +2395,10 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
expected.append('bestguesspass') expected.append('bestguesspass')
if k in tests.keys() and tests[k] not in expected: if k in tests.keys() and tests[k] not in expected:
result += self.logger.colored(f'- {k.upper()} test failed:', 'red') + ' Should be "pass", but was: "' + tests[k] + '"\n' p = self.logger.colored('pass', 'green')
p2 = self.logger.colored(tests[k], 'red')
result += self.logger.colored(f'- {k.upper()} test failed:', 'red') + f' Should be "{p}", but was: "' + p2 + '"\n'
if tests[k] in SMTPHeadersAnalysis.auth_result.keys(): if tests[k] in SMTPHeadersAnalysis.auth_result.keys():
result += '\t- Meaning: ' + SMTPHeadersAnalysis.auth_result[tests[k]] + '\n\n' result += '\t- Meaning: ' + SMTPHeadersAnalysis.auth_result[tests[k]] + '\n\n'