mirror of
https://github.com/mgeeky/decode-spam-headers.git
synced 2024-11-24 03:21:37 +01:00
update
This commit is contained in:
parent
b5d6984db7
commit
3572f36d73
31
README.md
31
README.md
@ -1,4 +1,13 @@
|
|||||||
## `decode-spam-headers.py`
|
# decode-spam-headers.py
|
||||||
|
|
||||||
|
Whether you are trying to understand why a specific e-mail ended up in SPAM/Junk for your daily Administrative duties or for your Red-Team Phishing simulation purposes, this script is there for you to help!
|
||||||
|
|
||||||
|
Idea arose while delivering a commercial Phishing Simulation exercises against MS Office365 E5 estate, equipped with MS Defender for Office365. As one can imagine, pretty tough security stack to work with from a phishing-simulation perspective.
|
||||||
|
After digging manually through all these Office365 SMTP headers and trying to cherry-pick these SCL values, time come to write up a proper parser for SMTP headers.
|
||||||
|
|
||||||
|
Time went by, I was adding support for more and more SMTP headers - and here we have it. Tool that now comprehends tens of different headers.
|
||||||
|
|
||||||
|
## Info
|
||||||
|
|
||||||
This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **79+** tests will attempt to decode them as much as possible.
|
This tool accepts on input an `*.EML` or `*.txt` file with all the SMTP headers. It will then extract a subset of interesting headers and using **79+** tests will attempt to decode them as much as possible.
|
||||||
|
|
||||||
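Review bot: the new intro paragraphs carry grammar slips that should be fixed before merge: "delivering a commercial Phishing Simulation exercises" pairs a singular article with a plural noun (drop "a" or use "exercise"), "time come to write up a proper parser" should read "time came to write a proper parser", and "Tool that now comprehends tens of different headers." is a sentence fragment; suggest "The tool now understands tens of different headers."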
@ -7,7 +16,7 @@ This script also extracts all IPv4 addresses and domain names and performs full
|
|||||||
Resulting output will contain useful information on why this e-mail might have been blocked.
|
Resulting output will contain useful information on why this e-mail might have been blocked.
|
||||||
|
|
||||||
|
|
||||||
### Example screenshots
|
### Example Screenshots
|
||||||
|
|
||||||
- Chain of MTA servers (nicely parsed `Received` headers):
|
- Chain of MTA servers (nicely parsed `Received` headers):
|
||||||
|
|
||||||
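Review bot: changing "Example screenshots" to "Example Screenshots" moves this one heading to title case while the other headings touched by this commit ("## Info", "### Sample run") stay in sentence case; pick one convention for the whole README, and since "Sample run" is left as-is in the next hunk, keeping sentence case here is the smaller change.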
@ -234,7 +243,7 @@ C:\> py decode-spam-headers.py -l tests
|
|||||||
|
|
||||||
### Sample run
|
### Sample run
|
||||||
|
|
||||||
Sample run:
|
Sample run (output structure and contents come from an outdated version of the script):
|
||||||
|
|
||||||
```
|
```
|
||||||
PS> py decode-spam-headers.py headers.txt
|
PS> py decode-spam-headers.py headers.txt
|
||||||
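Review bot: the caveat added to the "Sample run" line is useful, but "an outdated version of the script" leaves the reader guessing how far the shown output diverges from current behaviour; name the version or commit that produced the transcript, or say what differs (test numbering, section layout), and ideally regenerate the sample against the current code so the caveat can be dropped.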
@ -460,3 +469,19 @@ ANALYSIS:
|
|||||||
- Mail's domain should resolve to: amazonaws.com
|
- Mail's domain should resolve to: amazonaws.com
|
||||||
- But instead first hop resolved to: arubacloud.pl
|
- But instead first hop resolved to: arubacloud.pl
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
### ☕ Show Support ☕
|
||||||
|
|
||||||
|
This and other projects are outcome of sleepless nights and **plenty of hard work**. If you like what I do and appreciate that I always give back to the community,
|
||||||
|
[Consider buying me a coffee](https://github.com/sponsors/mgeeky) _(or better a beer)_ just to say thank you! 💪
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
```
|
||||||
|
Mariusz Banach / mgeeky, (@mariuszbit)
|
||||||
|
<mb [at] binary-offensive.com>
|
||||||
|
```
|
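Review bot: in the added Show Support section, "are outcome of sleepless nights" is missing an article ("are the outcome of"), and the first sentence ends with a comma before a blank line, so it renders as a dangling fragment separate from "Consider buying me a coffee"; either end it with a period or keep both halves in one paragraph. The closing contact block is wrapped in an unlabelled code fence, which renders the author name and e-mail as code; a plain paragraph would read more naturally.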