This commit is contained in:
Mariusz B. / mgeeky 2021-11-03 03:04:24 +01:00
parent 207f62c1de
commit 62b25542a3
2 changed files with 84 additions and 19 deletions


@ -119,6 +119,7 @@ Processed headers (more than **76+** headers are parsed):
- `X-SpamExperts-Evidence` - `X-SpamExperts-Evidence`
- `X-Recommended-Action` - `X-Recommended-Action`
- `X-AppInfo` - `X-AppInfo`
- `X-Spam`
Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them. Most of these headers are not fully documented, therefore the script is unable to pinpoint all the details, but at least it collects all I could find on them.


@ -87,6 +87,7 @@
# - X-SpamExperts-Evidence # - X-SpamExperts-Evidence
# - X-Recommended-Action # - X-Recommended-Action
# - X-AppInfo # - X-AppInfo
# - X-TM-AS-MatchedID
# #
# Usage: # Usage:
# ./decode-spam-headers [options] <smtp-headers.txt> # ./decode-spam-headers [options] <smtp-headers.txt>
@ -408,31 +409,35 @@ class SMTPHeadersAnalysis:
Security_Appliances_And_Their_Headers = \ Security_Appliances_And_Their_Headers = \
( (
('Exchange Online Protection' , 'X-EOP'),
('MS Defender For Office365' , '-Safelinks'),
('Proofpoint Email Protection' , 'X-Proofpoint'),
('Trend Micro Anti-Spam' , 'X-TMASE-'),
('Trend Micro Anti-Spam' , 'X-TM-AS-'),
('Trend Micro InterScan Messaging Security' , 'X-IMSS-'),
('Barracuda Email Security' , 'X-Barracuda-'), ('Barracuda Email Security' , 'X-Barracuda-'),
('Mimecast' , 'X-Mimecast-'), ('Cisco Advanced Malware Protection (AMP)' , 'X-Amp-'),
('FireEye Email Security Solution' , 'X-FireEye'),
('FireEye Email Security Solution' , 'X-FE-'),
('Cisco IronPort' , 'X-IronPort-'),
('Cisco IronPort / Email Security Appliance (ESA)' , 'X-Policy'), ('Cisco IronPort / Email Security Appliance (ESA)' , 'X-Policy'),
('Cisco IronPort / Email Security Appliance (ESA)' , 'X-SBRS'), ('Cisco IronPort / Email Security Appliance (ESA)' , 'X-SBRS'),
('Sophos Email Appliance (PureMessage)' , 'X-SEA-'), ('Cisco IronPort' , 'X-IronPort-'),
('Exchange Online Protection' , 'X-EOP'),
('Exchange Server 2016 Anti-Spam' , 'SpamDiagnostic'), ('Exchange Server 2016 Anti-Spam' , 'SpamDiagnostic'),
('SpamAssassin' , 'X-Spam-'), ('FireEye Email Security Solution' , 'X-FE-'),
('SpamAssassin' , 'X-IP-Spam-'), ('FireEye Email Security Solution' , 'X-FireEye'),
('OVH Anti-Spam' , 'X-VR-'), ('Mimecast' , 'X-Mimecast-'),
('OVH Anti-Spam' , 'X-Ovh-'),
('MS Defender Advanced Threat Protection' , 'X-MS.+-Atp'),
('MS Defender Advanced Threat Protection - Safe Links' , '-ATPSafeLinks'), ('MS Defender Advanced Threat Protection - Safe Links' , '-ATPSafeLinks'),
('Cisco Advanced Malware Protection (AMP)' , 'X-Amp-'), ('MS Defender Advanced Threat Protection' , 'X-MS.+-Atp'),
('n-able Mail Assure (SpamExperts)' , 'SpamExperts-'), ('MS Defender For Office365' , '-Safelinks'),
('MS ForeFront Anti-Spam' , 'X-Microsoft-Antispam'),
('MS ForeFront Anti-Spam' , 'X-Forefront-Antispam'), ('MS ForeFront Anti-Spam' , 'X-Forefront-Antispam'),
('MS ForeFront Anti-Spam' , 'X-Microsoft-Antispam'),
('n-able Mail Assure (SpamExperts)' , 'SpamExperts-'),
('OVH Anti-Spam' , 'X-Ovh-'),
('OVH Anti-Spam' , 'X-VR-'),
('Proofpoint Email Protection' , 'X-Proofpoint'),
('Sophos Email Appliance (PureMessage)' , 'X-SEA-'),
('SpamAssassin' , 'X-IP-Spam-'),
('SpamAssassin' , 'X-Spam-'),
('Symantec Email Security' , 'X-SpamInfo'),
('Symantec Email Security' , 'X-SpamReason'),
('Symantec Email Security' , 'X-StarScan'),
('Symantec Email Security' , 'X-SYMC-'),
('Trend Micro Anti-Spam' , 'X-TM-AS-'),
('Trend Micro Anti-Spam' , 'X-TMASE-'),
('Trend Micro InterScan Messaging Security' , 'X-IMSS-'),
) )
Headers_Known_For_Breaking_Line = ( Headers_Known_For_Breaking_Line = (
@ -1541,6 +1546,8 @@ class SMTPHeadersAnalysis:
('93', 'X-SpamExperts-Evidence', self.testXSpamExpertsEvidence), ('93', 'X-SpamExperts-Evidence', self.testXSpamExpertsEvidence),
('94', 'X-Recommended-Action', self.testXRecommendedAction), ('94', 'X-Recommended-Action', self.testXRecommendedAction),
('95', 'X-AppInfo', self.testXAppInfo), ('95', 'X-AppInfo', self.testXAppInfo),
('96', 'X-Spam', self.testXSpam),
('97', 'X-TM-AS-MatchedID', self.testXTMASMatchedID),
# #
@ -2817,6 +2824,33 @@ Results will be unsound. Make sure you have pasted your headers with correct spa
'description' : '', 'description' : '',
} }
def testXTMASMatchedID(self):
(num, header, value) = self.getHeader('X-TM-AS-MatchedID')
if num == -1: return []
value = SMTPHeadersAnalysis.flattenLine(value).replace(' ', '').replace('\n', '')
try:
rules = sorted([int(x) for x in value.strip().split('-')])
result = f'- Trend Micro Anti-Spam triggered following {self.logger.colored(len(rules), "yellow")} rules on this e-mail:\n\n'
for rule in rules:
result += f'\t- {rule}\n'
except:
result = f'- Trend Micro Anti-Spam triggered following rules on this e-mail:\n\n'
result += f'{value}\n'
self.securityAppliances.add('Trend Micro Anti-Spam')
return {
'header': header,
'value' : value,
'analysis' : result,
'description' : '',
}
def testXTMASESNAP(self): def testXTMASESNAP(self):
(num, header, value) = self.getHeader('X-TMASE-SNAP-Result') (num, header, value) = self.getHeader('X-TMASE-SNAP-Result')
if num == -1: return [] if num == -1: return []
@ -5130,6 +5164,36 @@ Src: https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA
'description' : '', 'description' : '',
} }
def testXSpam(self):
(num, header, value) = self.getHeader('X-Spam')
if num == -1: return []
vvv = SMTPHeadersAnalysis.flattenLine(value).strip()
col = 'yellow'
msg = ''
if vvv.lower() == 'no':
col = 'green'
msg = 'Not a spam'
if vvv.lower() == 'yes':
col = 'red'
msg = 'This message was a Spam'
if vvv.find(' ') == -1:
vvv = vvv.upper()
vvv = self.logger.colored(vvv, col)
m = ''
if len(msg) > 0:
m = f' ({msg})'
result = f'- X-Spam was set with:\n\t- {vvv}{m}\n'
return {
'header' : header,
'value': value,
'analysis' : result,
'description' : '',
}
def testXAppInfo(self): def testXAppInfo(self):
(num, header, value) = self.getHeader('X-AppInfo') (num, header, value) = self.getHeader('X-AppInfo')
if num == -1: return [] if num == -1: return []
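Review bot: The bare `except:` in the new testXTMASMatchedID (the hunk adding it after the `'description' : ''` closing of the previous test) swallows every exception, including KeyboardInterrupt and SystemExit, while the only failure the `try` body can raise from header text is a ValueError from `int()`; change it to `except ValueError:` so a Ctrl-C or an unrelated bug is not silently reported as an unparsable header. The fallback branch still prints the flattened raw value, so a non-numeric token such as `X-TM-AS-MatchedID: 1234-abc` degrades gracefully as intended; narrowing the clause keeps that tolerance for attacker-supplied header content without masking other errors. Consider also a short docstring on the method stating that the value is expected to be a `-`-joined list of numeric rule IDs and that any other shape is echoed verbatim. The enclosing SMTPHeadersAnalysis class starts outside this hunk.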