diff --git a/phishing/README.md b/phishing/README.md
index 1981121..0257136 100644
--- a/phishing/README.md
+++ b/phishing/README.md
@@ -34,6 +34,7 @@
 - `X-Ovh-Spam-Reason`
 - `X-VR-SPAMCAUSE`
 - `X-VR-SPAMSCORE`
+ - `X-Virus-Scanned`
 - and more...
 
 Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.
diff --git a/phishing/decode-spam-headers.py b/phishing/decode-spam-headers.py
index 54acea1..6952998 100644
--- a/phishing/decode-spam-headers.py
+++ b/phishing/decode-spam-headers.py
@@ -31,6 +31,7 @@
 # - X-Ovh-Spam-Reason
 # - X-VR-SPAMCAUSE
 # - X-VR-SPAMSCORE
+# - X-Virus-Scanned
 #
 # Usage:
 #   ./decode-spam-headers [options]
@@ -248,6 +249,8 @@ class SMTPHeadersAnalysis:
         'atp',
         'defend',
         'assassin',
+        'virus',
+        'scan'
     )
 
     Interesting_Headers = (
@@ -293,6 +296,7 @@ class SMTPHeadersAnalysis:
         'X-Ovh-Spam-Reason',
         'X-VR-SPAMSCORE',
         'X-VR-SPAMCAUSE',
+        'X-Virus-Scanned',
     )
 
     auth_result = {
@@ -901,6 +905,7 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
         self.results['OVH\'s X-VR-SPAMCAUSE'] = self.testSpamCause()
         self.results['OVH\'s X-Ovh-Spam-Reason'] = self.testOvhSpamReason()
         self.results['OVH\'s X-Ovh-Spam-Score'] = self.testOvhSpamScore()
+        self.results['X-Virus-Scan'] = self.testXVirusScan()
 
         return {k: v for k, v in self.results.items() if v}
 
@@ -966,6 +971,21 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
             lines.append(line)
         return '\n'.join(lines)
 
+    def testXVirusScan(self):
+        (num, header, value) = self.getHeader('X-Virus-Scanned')
+        if num == -1: return []
+
+        result = f'- Message was scanned with an Anti-Virus.'
+
+        if len(result) == 0:
+            return []
+
+        return {
+            'header' : header,
+            'value': value,
+            'analysis' : result
+        }
+
     def testOvhSpamScore(self):
         (num, header, value) = self.getHeader('X-VR-SPAMSCORE')
         if num == -1: return []
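Review bot: In the new `testXVirusScan` (hunk `@@ -966,6 +971,21 @@`), the analysis text "Message was scanned with an Anti-Virus." states a conclusion the header cannot support: `X-Virus-Scanned` is a plain header that any sender can insert, so its presence only shows that the message *claims* to have been scanned unless a trusted receiving hop added it; since this tool is aimed at phishing triage, the wording should carry that caveat and should name the scanner the header reports, e.g. `result = f'- Message carries an X-Virus-Scanned header claiming an Anti-Virus scan ({value}).\n- This header is sender-forgeable; trust it only if a known receiving hop in the Received chain added it.'`. The `f` prefix on a literal with no placeholders and the following `if len(result) == 0` guard are dead code (the string is a constant and never empty), so that guard can be dropped. In the `@@ -901,6 +905,7 @@` hunk the results key is `'X-Virus-Scan'` while the header and the method test `'X-Virus-Scanned'`; using the header name as the key keeps the report consistent with the other entries. In the `@@ -248,6 +249,8 @@` hunk, adding the bare substring `'scan'` to what appears to be a keyword list used for matching header names is broad and will likely match headers unrelated to anti-virus processing, so I'd either narrow it (e.g. `'virus-scan'`) or confirm that list is only applied where a loose match is intended; the trailing comma after `'scan'` is also missing. The enclosing class `SMTPHeadersAnalysis` starts and ends outside these hunks.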