From d0b7dfd96a38d82416f0da014521c978ce726cab Mon Sep 17 00:00:00 2001
From: "Mariusz B. / mgeeky"
Date: Sun, 17 Oct 2021 18:24:05 +0200
Subject: [PATCH] update
---
 phishing/decode-spam-headers.py | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/phishing/decode-spam-headers.py b/phishing/decode-spam-headers.py
index 676b947..0ae7287 100644
--- a/phishing/decode-spam-headers.py
+++ b/phishing/decode-spam-headers.py
@@ -857,6 +857,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 self.results['SpamAssassin Spam Level'] = self.testSpamAssassinSpamLevel()
 self.results['SpamAssassin Spam Flag'] = self.testSpamAssassinSpamFlag()
 self.results['SpamAssassin Spam Report'] = self.testSpamAssassinSpamReport()
+ self.results['Message Feedback Loop'] = self.testMSFBL()
 return {k: v for k, v in self.results.items() if v}
@@ -864,6 +865,10 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 def flattenLine(value):
 return ' '.join([x.strip() for x in value.split('\n')])
+ @staticmethod
+ def printable(input_str):
+ return all(ord(c) < 127 and c in string.printable for c in input_str)
+
 @staticmethod
 def extractDomain(fqdn):
 if not fqdn:
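Review bot: `printable()` only works for `str` input: iterating `bytes` yields integers, so `ord(c)` raises `TypeError`, and the caller added in the third hunk (`testMSFBL`) passes it the `bytes` returned by `base64.b64decode()`. Accept both types, for example `text = input_str.decode('latin-1') if isinstance(input_str, bytes) else input_str` followed by `return all(c in string.printable for c in text)`; the `ord(c) < 127` term can go because every character in `string.printable` is already ASCII. The hunk does not show the file's imports, so confirm `string` is imported at module level. A one-line docstring such as `"""Return True when every character of input_str is printable ASCII."""` would also state the contract.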
@@ -872,6 +877,27 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 parts = fqdn.split('.')
 return '.'.join(parts[-2:])
+ def testMSFBL(self):
+ (num, header, value) = self.getHeader('X-MSFBL')
+ if num == -1: return []
+
+ parts = value.split('|')
+ for p in parts:
+ if p.startswith('eyJ'):
+ decoded = base64.b64decode(p)
+ if SMTPHeadersAnalysis.printable(decoded):
+ result += f'\t- Headers contained Feedback Loop object used by marketing systems to offer ISPs way to notify the sender that recipient marked that e-mail as Junk/Spam.\n'
+ result += json.dumps(json.loads(decoded), indent=4) + '\n'
+
+ if len(result) == 0:
+ return []
+
+ return {
+ 'header' : header,
+ 'value': value,
+ 'analysis' : result
+ }
+
 def testSpamRelatedHeaders(self):
 result = ''
 tmp = ''
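Review bot: `result` is never initialised in `testMSFBL`, so the first `result +=` and the `len(result)` check both raise `UnboundLocalError` whenever an `X-MSFBL` header is present. The header value comes from the message under analysis, so `base64.b64decode(p)` and `json.loads(decoded)` also need guarding: a part that starts with `eyJ` but carries bad padding or invalid JSON raises, and since the first hunk calls `self.testMSFBL()` directly, that would presumably stop the remaining results from being returned. The version below initialises `result`, decodes to text before the `printable()` check, and skips parts that fail to decode; all three failure modes are `ValueError` subclasses, so no new import is needed.

```python
    def testMSFBL(self):
        # … unchanged: X-MSFBL header lookup and early return …

        result = ''
        for p in value.split('|'):
            if not p.startswith('eyJ'):
                continue

            try:
                # Sender-controlled input: bad base64 (binascii.Error), non-UTF-8
                # bytes (UnicodeDecodeError) and invalid JSON (JSONDecodeError)
                # are all ValueError subclasses.
                decoded = base64.b64decode(p).decode('utf-8')
                parsed = json.loads(decoded)
            except ValueError:
                continue

            if SMTPHeadersAnalysis.printable(decoded):
                # … unchanged: first result += line describing the Feedback Loop object …
                result += json.dumps(parsed, indent=4) + '\n'

        # … unchanged: empty-result check and returned dict …
```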