update

2025-11-04 04:55:26 +01:00 · 2021-10-17 19:16:52 +02:00
parent 3a609949bf
commit d11d4d1e8c
2 changed files with 21 additions and 0 deletions
--- a/phishing/README.md
+++ b/phishing/README.md
@@ -34,6 +34,7 @@
  - `X-Ovh-Spam-Reason`
  - `X-VR-SPAMCAUSE`
  - `X-VR-SPAMSCORE`
+  - `X-Virus-Scanned`
  - and more...

  Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.
--- a/phishing/decode-spam-headers.py
+++ b/phishing/decode-spam-headers.py
@@ -31,6 +31,7 @@
 #   - X-Ovh-Spam-Reason
 #   - X-VR-SPAMCAUSE
 #   - X-VR-SPAMSCORE
+#   - X-Virus-Scanned
 #
 # Usage:
 #   ./decode-spam-headers [options] <smtp-headers.txt>
@@ -248,6 +249,8 @@ class SMTPHeadersAnalysis:
        'atp', 
        'defend', 
        'assassin',
+        'virus',
+        'scan'
    )

    Interesting_Headers = (
@@ -293,6 +296,7 @@ class SMTPHeadersAnalysis:
        'X-Ovh-Spam-Reason',
        'X-VR-SPAMSCORE',
        'X-VR-SPAMCAUSE',
+        'X-Virus-Scanned',
    )

    auth_result = {
@@ -901,6 +905,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
        self.results['OVH\'s X-VR-SPAMCAUSE']                   = self.testSpamCause()
        self.results['OVH\'s X-Ovh-Spam-Reason']                = self.testOvhSpamReason()
        self.results['OVH\'s X-Ovh-Spam-Score']                 = self.testOvhSpamScore()
+        self.results['X-Virus-Scan']                            = self.testXVirusScan()

        return {k: v for k, v in self.results.items() if v}

@@ -966,6 +971,21 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
            lines.append(line)
        return '\n'.join(lines)

+    def testXVirusScan(self):
+        (num, header, value) = self.getHeader('X-Virus-Scanned')
+        if num == -1: return []
+
+        result = f'- Message was scanned with an Anti-Virus.'
+
+        if len(result) == 0:
+            return []
+
+        return {
+            'header' : header,
+            'value': value,
+            'analysis' : result
+        }
+
    def testOvhSpamScore(self):
        (num, header, value) = self.getHeader('X-VR-SPAMSCORE')
        if num == -1: return []