From 2eec0b5f47a6d59dc8e2c367b079fae6c422c64c Mon Sep 17 00:00:00 2001
From: "Mariusz B. / mgeeky"
Date: Wed, 7 Sep 2022 16:05:09 +0200
Subject: [PATCH] Added 'Unusual SMTP Headers' test
---
README.md | 9 +++++++--
decode-spam-headers.py | 3 +++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index b10e972..9eb0aa4 100644
--- a/README.md
+++ b/README.md
@@ -9,7 +9,7 @@ Time went by, I was adding support for more and more SMTP headers - and here we
 ## Info
-This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **95+** tests will attempt to decode them as much as possible.
+This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **105+** tests will attempt to decode them as much as possible.
 This script also extracts all IPv4 addresses and domain names and performs full DNS resolution of them.
@@ -130,6 +130,9 @@ Processed headers (more than **85+** headers are parsed):
 - `X-MS-Exchange-ExternalOriginalInternetSender`
 - `X-CNFS-Analysis`
 - `X-Authenticated-Sender`
+- `X-Apparently-From`
+- `X-Env-Sender`
+- `Sender`
 Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.
@@ -323,7 +326,7 @@ C:\> py decode-spam-headers.py -l tests
 2 - Extracted IP addresses
 3 - Extracted Domains
 4 - Bad Keywords In Headers
- 5 - From Address Analysis
+ 5 - Sender Address Analysis
 6 - Subject and Thread Topic Difference
 7 - Authentication-Results
 8 - ARC-Authentication-Results
@@ -422,6 +425,8 @@ C:\> py decode-spam-headers.py -l tests
 102 - EOP - Enhanced Filtering - ExternalOriginalInternetSender
 103 - Cloudmark Analysis
 104 - The Real Sender - via Authenticated-Sender
+ 105 - Identified Sender Addresses
+ 106 - Unsual SMTP headers
 ```
diff --git a/decode-spam-headers.py b/decode-spam-headers.py
index 38bd1d3..c81f251 100644
--- a/decode-spam-headers.py
+++ b/decode-spam-headers.py
@@ -94,6 +94,9 @@
 # - X-MS-Exchange-ExternalOriginalInternetSender
 # - X-CNFS-Analysis
 # - X-Authenticated-Sender
+# - X-Apparently-From
+# - X-Env-Sender
+# - Sender
 #
 # Usage:
 # ./decode-spam-headers [options]
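Review bot: The commit subject announces an added 'Unusual SMTP Headers' test, but the diffstat records only three inserted lines in decode-spam-headers.py and this hunk is solely the header-comment list of parsed headers, so the implementation behind the README's new `106 - Unsual SMTP headers` entry (which also misspells "Unusual") is not part of this patch; presumably it landed in another commit, which is worth confirming before merging the README claim of "105+ tests". The three newly listed headers `X-Apparently-From`, `X-Env-Sender` and `Sender` are set by the sending side and carry no verification of their own, unlike results recorded in Authentication-Results, so a one-line note after them such as `# (the sender headers above are self-asserted by the sending side, not verified)` would keep readers from treating them as the proven origin of a message. The comment block this hunk edits begins before the hunk, outside this view.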