updates
This commit is contained in:
parent
207f62c1de
commit
62b25542a3
|
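--- a/README-PATH-NOT-ON-PAGE
+++ b/README-PATH-NOT-ON-PAGE
@@ -119,6 +119,7 @@ Processed headers (more than **76+** headers are parsed):
 - `X-SpamExperts-Evidence`
 - `X-Recommended-Action`
 - `X-AppInfo`
+- `X-Spam`
 
 
 Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.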
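--- a/SCRIPT-PATH-NOT-ON-PAGE
+++ b/SCRIPT-PATH-NOT-ON-PAGE
@@ -87,6 +87,7 @@
 # - X-SpamExperts-Evidence
 # - X-Recommended-Action
 # - X-AppInfo
+# - X-TM-AS-MatchedID
 #
 # Usage:
 # ./decode-spam-headers [options] <smtp-headers.txt>
@@ -408,31 +409,35 @@ class SMTPHeadersAnalysis:
 
 Security_Appliances_And_Their_Headers = \
 (
-('Exchange Online Protection' , 'X-EOP'),
-('MS Defender For Office365' , '-Safelinks'),
-('Proofpoint Email Protection' , 'X-Proofpoint'),
-('Trend Micro Anti-Spam' , 'X-TMASE-'),
-('Trend Micro Anti-Spam' , 'X-TM-AS-'),
-('Trend Micro InterScan Messaging Security' , 'X-IMSS-'),
 ('Barracuda Email Security' , 'X-Barracuda-'),
-('Mimecast' , 'X-Mimecast-'),
-('FireEye Email Security Solution' , 'X-FireEye'),
-('FireEye Email Security Solution' , 'X-FE-'),
-('Cisco IronPort' , 'X-IronPort-'),
+('Cisco Advanced Malware Protection (AMP)' , 'X-Amp-'),
 ('Cisco IronPort / Email Security Appliance (ESA)' , 'X-Policy'),
 ('Cisco IronPort / Email Security Appliance (ESA)' , 'X-SBRS'),
-('Sophos Email Appliance (PureMessage)' , 'X-SEA-'),
+('Cisco IronPort' , 'X-IronPort-'),
+('Exchange Online Protection' , 'X-EOP'),
 ('Exchange Server 2016 Anti-Spam' , 'SpamDiagnostic'),
-('SpamAssassin' , 'X-Spam-'),
-('SpamAssassin' , 'X-IP-Spam-'),
-('OVH Anti-Spam' , 'X-VR-'),
-('OVH Anti-Spam' , 'X-Ovh-'),
-('MS Defender Advanced Threat Protection' , 'X-MS.+-Atp'),
+('FireEye Email Security Solution' , 'X-FE-'),
+('FireEye Email Security Solution' , 'X-FireEye'),
+('Mimecast' , 'X-Mimecast-'),
 ('MS Defender Advanced Threat Protection - Safe Links' , '-ATPSafeLinks'),
-('Cisco Advanced Malware Protection (AMP)' , 'X-Amp-'),
-('n-able Mail Assure (SpamExperts)' , 'SpamExperts-'),
-('MS ForeFront Anti-Spam' , 'X-Microsoft-Antispam'),
+('MS Defender Advanced Threat Protection' , 'X-MS.+-Atp'),
+('MS Defender For Office365' , '-Safelinks'),
 ('MS ForeFront Anti-Spam' , 'X-Forefront-Antispam'),
+('MS ForeFront Anti-Spam' , 'X-Microsoft-Antispam'),
+('n-able Mail Assure (SpamExperts)' , 'SpamExperts-'),
+('OVH Anti-Spam' , 'X-Ovh-'),
+('OVH Anti-Spam' , 'X-VR-'),
+('Proofpoint Email Protection' , 'X-Proofpoint'),
+('Sophos Email Appliance (PureMessage)' , 'X-SEA-'),
+('SpamAssassin' , 'X-IP-Spam-'),
+('SpamAssassin' , 'X-Spam-'),
+('Symantec Email Security' , 'X-SpamInfo'),
+('Symantec Email Security' , 'X-SpamReason'),
+('Symantec Email Security' , 'X-StarScan'),
+('Symantec Email Security' , 'X-SYMC-'),
+('Trend Micro Anti-Spam' , 'X-TM-AS-'),
+('Trend Micro Anti-Spam' , 'X-TMASE-'),
+('Trend Micro InterScan Messaging Security' , 'X-IMSS-'),
 )
 
 Headers_Known_For_Breaking_Line = (
@@ -1541,6 +1546,8 @@ class SMTPHeadersAnalysis:
 ('93', 'X-SpamExperts-Evidence', self.testXSpamExpertsEvidence),
 ('94', 'X-Recommended-Action', self.testXRecommendedAction),
 ('95', 'X-AppInfo', self.testXAppInfo),
+('96', 'X-Spam', self.testXSpam),
+('97', 'X-TM-AS-MatchedID', self.testXTMASMatchedID),
 
 
 #
@@ -2817,6 +2824,33 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
 'description' : '',
 }
 
+def testXTMASMatchedID(self):
+(num, header, value) = self.getHeader('X-TM-AS-MatchedID')
+if num == -1: return []
+
+value = SMTPHeadersAnalysis.flattenLine(value).replace(' ', '').replace('\n', '')
+
+try:
+rules = sorted([int(x) for x in value.strip().split('-')])
+
+result = f'- Trend Micro Anti-Spam triggered following {self.logger.colored(len(rules), "yellow")} rules on this e-mail:\n\n'
+
+for rule in rules:
+result += f'\t- {rule}\n'
+
+except:
+result = f'- Trend Micro Anti-Spam triggered following rules on this e-mail:\n\n'
+result += f'{value}\n'
+
+self.securityAppliances.add('Trend Micro Anti-Spam')
+
+return {
+'header': header,
+'value' : value,
+'analysis' : result,
+'description' : '',
+}
+
 def testXTMASESNAP(self):
 (num, header, value) = self.getHeader('X-TMASE-SNAP-Result')
 if num == -1: return []
@@ -5130,6 +5164,36 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
 'description' : '',
 }
 
+def testXSpam(self):
+(num, header, value) = self.getHeader('X-Spam')
+if num == -1: return []
+
+vvv = SMTPHeadersAnalysis.flattenLine(value).strip()
+col = 'yellow'
+msg = ''
+if vvv.lower() == 'no':
+col = 'green'
+msg = 'Not a spam'
+if vvv.lower() == 'yes':
+col = 'red'
+msg = 'This message was a Spam'
+if vvv.find(' ') == -1:
+vvv = vvv.upper()
+
+vvv = self.logger.colored(vvv, col)
+m = ''
+if len(msg) > 0:
+m = f' ({msg})'
+
+result = f'- X-Spam was set with:\n\t- {vvv}{m}\n'
+
+return {
+'header' : header,
+'value': value,
+'analysis' : result,
+'description' : '',
+}
+
 def testXAppInfo(self):
 (num, header, value) = self.getHeader('X-AppInfo')
 if num == -1: return []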
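Review bot: The bare `except:` in testXTMASMatchedID (hunk `@@ -2817`) should be narrowed to `except ValueError:` — the only failure the fallback branch is written for is `int()` rejecting a non-numeric token of the '-'-split value, and a bare except also swallows KeyboardInterrupt and any AttributeError or TypeError raised by `self.logger.colored`, reporting them as if the header value were unparsable. The fallback message on the following line contains no placeholders, so the `f` prefix is unnecessary: `result = '- Trend Micro Anti-Spam triggered following rules on this e-mail:\n\n'`. Both new methods (testXSpam in hunk `@@ -5130` as well) lack a docstring; a one-liner such as `"""Analyse X-TM-AS-MatchedID, a '-'-separated list of Trend Micro rule ids, into a colored report dict."""` would match the per-header layout of the existing test methods. Returning `[]` when the header is absent but a dict otherwise mirrors the pre-existing siblings testXTMASESNAP and testXAppInfo, so that inconsistency is not introduced by this commit.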