A python script that helps you understand why your E-Mail ended up in Spam

Overview

decode-spam-headers.py

Whether you are trying to understand why a specific e-mail ended up in SPAM/Junk as part of your daily administrative duties or for your Red-Team phishing simulation purposes, this script is there to help!

The idea arose while delivering commercial Phishing Simulation exercises against an MS Office365 E5 estate equipped with MS Defender for Office365. As one can imagine, that is a pretty tough security stack to work with from a phishing-simulation perspective. After digging manually through all these Office365 SMTP headers and trying to cherry-pick the SCL values, the time came to write a proper parser for SMTP headers.

Time went by, I kept adding support for more and more SMTP headers, and here we have it: a tool that now understands tens of different headers.

Info

This tool accepts as input an *.EML or *.txt file containing all the SMTP headers. It then extracts a subset of interesting headers and, using 79+ tests, attempts to decode them as far as possible.

The script also extracts all IPv4 addresses and domain names and performs full DNS resolution on them.

The resulting output will contain useful information on why this e-mail might have been blocked.

To polish your phishing HTML code before sending it to your client, you might also want to feed it into my phishing-HTML-linter.py. It does a pretty decent job of finding bad smells in your HTML that would earn your e-mail an increased spam score.

Example Screenshots

  • Chain of MTA servers (nicely parsed Received headers):

1.png

  • Various headers decoded as much as possible, according to publicly available documentation (here Office365 ForeFront Spam Report):

2.png

  • Different custom heuristics implemented to actively validate and seek clues of spam categorization; here, the logic detecting Domain Impersonation:

3.png

  • The script attempts to reverse-engineer and document some of the Office365 Anti-Spam rules, and collects public knowledge about other opaque Anti-Spam headers:

4.png

Processed headers

Processed headers (more than 67 headers are parsed):

  • X-forefront-antispam-report
  • X-exchange-antispam
  • X-exchange-antispam-mailbox-delivery
  • X-exchange-antispam-message-info
  • X-microsoft-antispam-report-cfa-test
  • Received
  • From
  • To
  • Subject
  • Thread-topic
  • Received-spf
  • X-mailer
  • X-originating-ip
  • User-agent
  • X-forefront-antispam-report
  • X-microsoft-antispam-mailbox-delivery
  • X-microsoft-antispam
  • X-exchange-antispam-report-cfa-test
  • X-spam-status
  • X-spam-level
  • X-spam-flag
  • X-spam-report
  • X-vr-spamcause
  • X-ovh-spam-reason
  • X-vr-spamscore
  • X-virus-scanned
  • X-spam-checker-version
  • X-ironport-av
  • X-ironport-anti-spam-filtered
  • X-ironport-anti-spam-result
  • X-mimecast-spam-score
  • Spamdiagnosticmetadata
  • X-ms-exchange-atpmessageproperties
  • X-msfbl
  • X-ms-exchange-transport-endtoendlatency
  • X-ms-oob-tlc-oobclassifiers
  • X-ip-spam-verdict
  • X-amp-result
  • X-ironport-remoteip
  • X-ironport-reputation
  • X-sbrs
  • X-ironport-sendergroup
  • X-policy
  • X-ironport-mailflowpolicy
  • X-remote-ip
  • X-sea-spam
  • X-fireeye
  • X-antiabuse
  • X-tmase-version
  • X-tm-as-product-ver
  • X-tm-as-result
  • X-imss-scan-details
  • X-tm-as-user-approved-sender
  • X-tm-as-user-blocked-sender
  • X-tmase-result
  • X-tmase-snap-result
  • X-imss-dkim-white-list
  • X-tm-as-result-xfilter
  • X-tm-as-smtp
  • X-scanned-by
  • X-mimecast-spam-signature
  • X-mimecast-bulk-signature
  • X-sender-ip
  • X-forefront-antispam-report-untrusted
  • X-microsoft-antispam-untrusted
  • X-sophos-senderhistory
  • X-sophos-rescan

Most of these headers are not fully documented, so the script is unable to pinpoint all the details, but at least it collects everything I could find on them.

Reverse-Engineering efforts

I'm making significant efforts to spot and understand the different Office365 ForeFront Anti-Spam rules (SFS, ENG), despite them not being publicly documented.

------------------------------------------
(5) Test: X-Forefront-Antispam-Report

HEADER:
    X-Forefront-Antispam-Report

VALUE:
    CIP:209.85.167.100;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail-lf1-f100.google.com;PTR:mail-l
    f1-f100.google.com;CAT:DIMP;SFTY:9.19;SFS:(4636009)(956004)(166002)(6916009)(356005)(336012)(19
    625305002)(22186003)(5660300002)(4744005)(6666004)(35100500006)(82960400001)(26005)(7596003)(7636003)(554460
    02)(224303003)(1096003)(58800400005)(86362001)(9686003)(43540500002);DIR:INB;SFTY:9.19;

[...]

        - Message matched 24 Anti-Spam rules (SFS):           <============ opaque anti-spam rules
                - (1096003)
                - (166002)
                - (19625305002)
                - (22186003)
                - (224303003)
                - (26005)
                - (336012)
                - (356005)
                - (35100500006)         - (SPAM) Message contained embedded image.

The process is purely manual: it consists of sending specifically designed mails to the Office365 mail servers and then manually reviewing and correlating the collected rule IDs.

Having sent more than 60 mails already, this is what I can tell by now about Microsoft's rules:

    #
    # Below rules were collected solely in a trial-and-error manner or by scraping any
    # pieces of information from all around the Internet.
    #
    # They do not represent the actual Anti-Spam rule name or context and surely represent
    # something close to what is understood (or they may have totally different meaning).
    #
    # Until we'll be able to review anti-spam rules documentation, there is no viable means to map
    # a rule ID to its meaning.
    #
    # 'logger' is the script's own helper module; logger.colored() only adds terminal colour
    # to the description string.

    Anti_Spam_Rules_ReverseEngineered = \
    {
        '35100500006' : logger.colored('(SPAM) Message contained embedded image.', 'red'),

        # https://docs.microsoft.com/en-us/answers/questions/416100/what-is-meanings-of-39x-microsoft-antispam-mailbox.html
        '520007050' : logger.colored('(SPAM) Moved message to Spam and created Email Rule to move messages from this particular sender to Junk.', 'red'),

        # triggered on an empty mail with subject being: "test123 - viagra"
        '162623004' : 'Subject line contained suspicious words (like Viagra).',

        # triggered on mail with subject "test123" and body being single word "viagra"
        '19618925003' : 'Mail body contained suspicious words (like Viagra).',

        # triggered on mail with empty body and subject "Click here"
        '28233001' : 'Subject line contained suspicious words luring action (ex. "Click here"). ',

        # triggered on a mail with test subject and 1500 words of http://nietzsche-ipsum.com/
        '30864003' : 'Mail body contained a lot of text (more than 10.000 characters).',

        # mails that had simple message such as "Hello world" triggered this rule, whereas mails with
        # more than 150 words did not.
        '564344004' : 'HTML mail body with less than 150 words of text (not sure how much less though)',

        # message was sent with a basic html and only one <u> tag in body.
        '67856001' : 'HTML mail body contained underline <u> tag.',

        # message with html,head,body and body containing simple text with no b/i/u formatting.
        '579124003' : 'HTML mail body contained text, but no text formatting (<b>, <i>, <u>) was present',

        # This is a strong signal. Mails without <a> don't have this rule.
        '166002' : 'HTML mail body contained URL <a> link.',

        # Message contained <a> tag with href URL containing a GET parameter
        '21615005' : 'Mail body contained <a> tag with URL containing GET parameter: ex. href="https://foo.bar/file?aaa=bbb"',

        # Message contained <a> tag with href URL containing a GET parameter
        #  - GET parameter with value, being a URL to another website
        '45080400002' : 'Mail body contained <a> tag with URL containing GET parameter with value of another URL: ex. href="https://foo.bar/file?aaa=https://baz.xyz/"',

        # Message contained <a> with href pointing to a file with dangerous extension, such as file.exe
        '460985005' : 'Mail body contained HTML <a> tag with href URL pointing to a file with dangerous extension (such as .exe)',

        #
        # Message1: GoPhish -> VPS 587/tcp redirector -> smtp.gmail.com:587 -> target
        # Message2: GoPhish -> VPS 587/tcp redirector -> smtp-relay.gmail.com:587 -> target
        #
        # These were the only differences I spotted:
        #   Message1 - FirstHop Gmail SMTP Received with ESMTPS.
        #   Message2 - FirstHop Gmail SMTP-Relay Received with ESMTPSA.
        #
        '121216002' : 'First Hop MTA SMTP Server used as a SMTP Relay. It\'s known to originate e-mails, but here it acted as a Relay. Or maybe due to use of "with ESMTPSA" instead of ESMTPS?',
    }

Should you know anything about other Office365 anti-spam rules (or have suggestions for the ones described above), let me know in this repo's issues and I'll add it straight away :)
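As an added worked example (not code from the decode-spam-headers project), here is a small Python parser for the X-Forefront-Antispam-Report header discussed above: it unfolds the raw header, splits the KEY:VALUE fields, collects the opaque SFS rule IDs into a list and annotates those whose meaning the reverse-engineered table gives. The sample header value is the one quoted in this README, re-folded the way a raw .eml stores it; the documented field meanings are a subset of Microsoft's anti-spam message header documentation, and SFS_RULES carries only four of the IDs from the table above.

```python
import re
from typing import Dict, List, Union

# Constructed sample: the X-Forefront-Antispam-Report value quoted in this README,
# folded the way a raw .eml file stores a long header (CRLF followed by whitespace).
SAMPLE_REPORT = (
    "CIP:209.85.167.100;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;\r\n"
    "\tH:mail-lf1-f100.google.com;PTR:mail-lf1-f100.google.com;CAT:DIMP;\r\n"
    "\tSFTY:9.19;SFS:(4636009)(956004)(166002)(6916009)(356005)(336012)\r\n"
    "\t(19625305002)(22186003)(5660300002)(4744005)(6666004)(35100500006)\r\n"
    "\t(82960400001)(26005)(7596003)(7636003)(55446002)(224303003)(1096003)\r\n"
    "\t(58800400005)(86362001)(9686003)(43540500002);DIR:INB;SFTY:9.19;"
)

# Documented field values (subset of Microsoft's anti-spam message header docs).
FIELD_VALUES: Dict[str, Dict[str, str]] = {
    "SFV": {"SPM": "marked as spam by spam filtering",
            "NSPM": "marked as non-spam",
            "BLK": "sender is on the recipient's blocked senders list",
            "SKN": "marked as non-spam by a mail flow rule before filtering"},
    "IPV": {"NLI": "IP address not found on any IP reputation list",
            "CAL": "IP address is on the tenant's connection allow list"},
    "CAT": {"DIMP": "domain impersonation", "UIMP": "user impersonation",
            "SPM": "spam", "HSPM": "high confidence spam", "PHSH": "phishing",
            "BULK": "bulk", "MALW": "malware", "NONE": "no category"},
    "DIR": {"INB": "inbound", "OUT": "outbound", "INT": "internal"},
}

# Spam Confidence Level values documented by Microsoft; others are not assigned by the filter.
SCL_MEANING = {-1: "bypassed spam filtering", 0: "not spam", 1: "not spam",
               5: "spam", 6: "spam", 9: "high confidence spam"}

# Opaque SFS rule IDs with the meanings reverse-engineered in the README above
# (a few entries only; unknown IDs are still counted, just without a meaning).
SFS_RULES = {
    "35100500006": "(SPAM) Message contained embedded image.",
    "166002": "HTML mail body contained URL <a> link.",
    "162623004": "Subject line contained suspicious words (like Viagra).",
    "30864003": "Mail body contained a lot of text (more than 10.000 characters).",
}


def unfold(raw: str) -> str:
    """Undo RFC 5322 folding: join continuation lines and drop the folding whitespace
    (safe here because this header's tokens never contain spaces)."""
    return "".join(line.strip() for line in raw.splitlines())


def parse_forefront_report(raw: str) -> Dict[str, Union[str, int, List[str]]]:
    """Split 'KEY:VALUE;' pairs; SFS becomes a list of rule IDs, SCL an int."""
    report: Dict[str, Union[str, int, List[str]]] = {}
    for item in unfold(raw).split(";"):
        if ":" not in item:
            continue  # empty trailing element after the final ';'
        key, value = item.split(":", 1)
        key = key.strip()
        if key == "SFS":
            report[key] = re.findall(r"\((\d+)\)", value)
        elif key == "SCL":
            report[key] = int(value)
        else:
            report[key] = value  # a repeated key (SFTY appears twice) keeps its last value
    return report


def explain(report: Dict[str, Union[str, int, List[str]]]) -> List[str]:
    """Render the parsed report the way an analyst would read it."""
    lines: List[str] = []
    if "SCL" in report:
        scl = int(report["SCL"])
        lines.append(f"SCL {scl}: {SCL_MEANING.get(scl, 'value not assigned by the filter')}")
    for key, table in FIELD_VALUES.items():
        if key in report:
            value = str(report[key])
            lines.append(f"{key} {value}: {table.get(value, 'undocumented value')}")
    rules = report.get("SFS") or []
    known = [r for r in rules if r in SFS_RULES]
    lines.append(f"SFS: {len(rules)} rules matched, {len(known)} with a known meaning")
    for rule in known:
        lines.append(f"  ({rule}) {SFS_RULES[rule]}")
    return lines


if __name__ == "__main__":
    for line in explain(parse_forefront_report(SAMPLE_REPORT)):
        print(line)
```

The parser deliberately keeps unknown keys and unknown SFS IDs rather than dropping them: when triaging a blocked message, an undocumented value is still evidence worth recording, and a new SFS ID that keeps appearing across test mails is exactly what the trial-and-error mapping above is built from.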

Usage

Help:

PS> py .\decode-spam-headers.py --help
usage: decode-spam-headers.py [options]

optional arguments:
  -h, --help            show this help message and exit

Required arguments:
  infile                Input file to be analysed or --list tests to show available tests.

Options:
  -o OUTFILE, --outfile OUTFILE
                        Output file with report
  -f {json,text}, --format {json,text}
                        Analysis report format. JSON, text. Default: text
  -N, --nocolor         Dont use colors in text output.
  -v, --verbose         Verbose mode.
  -d, --debug           Debug mode.
  -l, --list            List available tests and quit. Use it like so: --list tests

Tests:
  -i tests, --include-tests tests
                        Comma-separated list of test IDs to run. Ex. --include-tests 1,3,7
  -e tests, --exclude-tests tests
                        Comma-separated list of test IDs to skip. Ex. --exclude-tests 1,3,7
  -r, --resolve         Resolve IPv4 addresses / Domain names.
  -a, --decode-all      Decode all =?us-ascii?Q? mail encoded messages and print their contents.

If you want to run only a subset of tests, you first need to learn the IDs of the tests to pick. Run the script with -l tests to get that list.

List available tests and their corresponding IDs:

C:\> py decode-spam-headers.py -l tests

[.] Available tests:

        TEST_ID - TEST_NAME
        --------------------------------------
              1 - Received - Mail Servers Flow
              2 - Extracted IP addresses
              3 - Extracted Domains
              4 - Bad Keywords In Headers
              5 - From Address Analysis
              6 - Subject and Thread Topic Difference
              7 - Authentication-Results
              8 - ARC-Authentication-Results
              9 - Received-SPF
             10 - Mail Client Version
             11 - User-Agent Version
             12 - X-Forefront-Antispam-Report
             13 - X-MS-Exchange-Organization-SCL
             14 - X-Microsoft-Antispam-Mailbox-Delivery
             15 - X-Microsoft-Antispam Bulk Mail
             16 - X-Exchange-Antispam-Report-CFA-Test
             17 - Domain Impersonation
             18 - SpamAssassin Spam Status
             19 - SpamAssassin Spam Level
             20 - SpamAssassin Spam Flag
             21 - SpamAssassin Spam Report
             22 - OVH's X-VR-SPAMCAUSE
             23 - OVH's X-Ovh-Spam-Reason
             24 - OVH's X-Ovh-Spam-Score
             25 - X-Virus-Scan
             26 - X-Spam-Checker-Version
             27 - X-IronPort-AV
             28 - X-IronPort-Anti-Spam-Filtered
             29 - X-IronPort-Anti-Spam-Result
             30 - X-Mimecast-Spam-Score
             31 - Spam Diagnostics Metadata
             32 - MS Defender ATP Message Properties
             33 - Message Feedback Loop
             34 - End-to-End Latency - Message Delivery Time
             35 - X-MS-Oob-TLC-OOBClassifiers
             36 - X-IP-Spam-Verdict
             37 - X-Amp-Result
             38 - X-IronPort-RemoteIP
             39 - X-IronPort-Reputation
             40 - X-SBRS
             41 - X-IronPort-SenderGroup
             42 - X-Policy
             43 - X-IronPort-MailFlowPolicy
             44 - X-SEA-Spam
             45 - X-FireEye
             46 - X-AntiAbuse
             47 - X-TMASE-Version
             48 - X-TM-AS-Product-Ver
             49 - X-TM-AS-Result
             50 - X-IMSS-Scan-Details
             51 - X-TM-AS-User-Approved-Sender
             52 - X-TM-AS-User-Blocked-Sender
             53 - X-TMASE-Result
             54 - X-TMASE-SNAP-Result
             55 - X-IMSS-DKIM-White-List
             56 - X-TM-AS-Result-Xfilter
             57 - X-TM-AS-SMTP
             58 - X-TMASE-SNAP-Result
             59 - X-TM-Authentication-Results
             60 - X-Scanned-By
             61 - X-Mimecast-Spam-Signature
             62 - X-Mimecast-Bulk-Signature
             63 - X-Forefront-Antispam-Report-Untrusted
             64 - X-Microsoft-Antispam-Untrusted
             65 - X-Mimecast-Impersonation-Protect
             66 - X-Proofpoint-Spam-Details
             67 - X-Proofpoint-Virus-Version
             68 - SPFCheck
             69 - X-Barracuda-Spam-Score
             70 - X-Barracuda-Spam-Status
             71 - X-Barracuda-Spam-Report
             72 - X-Barracuda-Bayes
             73 - X-Barracuda-Start-Time
             74 - Similar to SpamAssassin Spam Level headers
             75 - SMTP Header Contained IP address
             76 - Other unrecognized Spam Related Headers
             77 - Other interesting headers
             78 - Security Appliances Spotted
             79 - Email Providers Infrastructure Clues
             80 - X-Microsoft-Antispam-Message-Info
             81 - Decoded Mail-encoded header values
             82 - Header Containing Client IP

Sample run

Sample run (output structure and contents come from an outdated version of the script):

PS> py decode-spam-headers.py headers.txt

------------------------------------------
(1) Test: Received - Mail Servers Flow

HEADER:
    Received

VALUE:
    ...

ANALYSIS:
    - List of server hops used to deliver message:

          --> (1) "attacker"

               |_> (2) SMTP-SERVICE (44.55.66.77)
                      time: 01 Jan 2021 12:34:20

                  |_> (3) mail-wr1-f51.google.com (209.85.221.51)
                          time: 01 Jan 2021 12:34:20
                          version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9

                      |_> (4) SN1NAM02FT0061.eop-nam02.prod.protection.outlook.com (2603:10b6:806:131:cafe::e5)
                              time: 01 Jan 2021 12:34:20
                              version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9

                          |_> (5) SA0PR11CA0138.namprd11.prod.outlook.com (2603:10b6:806:131::23)
                                  time: 01 Jan 2021 12:34:20
                                  version: fuzzy match: Exchange Server 2019 CU11; October 12, 2021; 15.2.986.9

                              |_> (6) CP2PR80MB4114.lamprd80.prod.outlook.com (2603:10d6:102:3c::15)
                                      time: 01 Jan 2021 12:34:23

                                  |_> (7) "Victim Surname"

------------------------------------------

[...]

------------------------------------------
(4) Test: Mail Client Version

HEADER:
    X-Mailer

VALUE:
    OEM

ANALYSIS:
    - X-Mailer header was present and contained value: "OEM".


------------------------------------------
(5) Test: X-Forefront-Antispam-Report

HEADER:
    X-Forefront-Antispam-Report

VALUE:
    CIP:209.85.167.100;CTRY:US;LANG:de;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail-lf1-f100.google.com;PTR:mail-l
    f1-f100.google.com;CAT:DIMP;SFTY:9.19;SFS:(4636009)(956004)(166002)(6916009)(356005)(336012)(19
    625305002)(22186003)(5660300002)(4744005)(6666004)(35100500006)(82960400001)(26005)(7596003)(7636003)(554460
    02)(224303003)(1096003)(58800400005)(86362001)(9686003)(43540500002);DIR:INB;SFTY:9.19;

ANALYSIS:
    - Microsoft Office365/Exchange ForeFront Anti-Spam report

        - CIP: Connecting IP address: 209.85.167.100

        - CTRY: The source country as determined by the connecting IP address
                - US

        - LANG: The language in which the message was written
                - de

        - IPV: Ingress Peer Verification status
                - NLI: The IP address was not found on any IP reputation list.

        - SFV: Message Filtering
                - SPM: The message was marked as spam by spam filtering.

        - H: The HELO or EHLO string of the connecting email server.
                - mail-lf1-f100.google.com

        - PTR: Reverse DNS of the Connecting IP peer's address
                - mail-lf1-f100.google.com

        - CAT: The category of protection policy
                - DIMP: Domain Impersonation

        - SFTY: The message was identified as phishing
                - 9.19: Domain impersonation. The sending domain is attempting to impersonate a protected domain

        - DIR: Direction of email verification
                - INB: Inbound email verification

        - Message matched 24 Anti-Spam rules (SFS):
                - (1096003)
                - (166002)
                - (19625305002)
                - (22186003)
                - (224303003)
                - (26005)
                - (336012)
                - (356005)
                - (35100500006)         - (SPAM) Message contained embedded image.
                - (43540500002)
                - (4636009)
                - (4744005)
                - (55446002)
                - (5660300002)
                - (58800400005)
                - (6666004)
                - (6916009)
                - (7596003)
                - (7636003)
                - (82960400001)
                - (86362001)
                - (956004)
                - (9686003)

        - SCL: Spam Confidence Level: 5
                - SPAM: Spam filtering marked the message as Spam


More information:
        - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spam-message-headers
        - https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/antispam-stamps
        - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/spam-confidence-levels
        - https://docs.microsoft.com/en-us/exchange/monitoring/trace-an-email-message/run-a-message-trace-and-view-results


------------------------------------------
(6) Test: X-Microsoft-Antispam-Mailbox-Delivery

HEADER:
    X-Microsoft-Antispam-Mailbox-Delivery

VALUE:
    ucf:0;jmr:1;auth:0;dest:J;ENG:(910001)(944506458)(944626604)(750132)(520011016);

ANALYSIS:
    - This header denotes what to do with received message, where to put it.

        - auth: Message originating from Authenticated sender
                - 0: Not Authenticated

        - dest: Destination where message should be placed
                - J: JUNK directory

        - Message matched 6 Anti-Spam Delivery rules:
                - (520011016)
                - (750132)
                - (910001)
                - (944506458)
                - (944626604)


------------------------------------------
(7) Test: X-Microsoft-Antispam Bulk Mail

HEADER:
    X-Microsoft-Antispam
VALUE:
    BCL:0;

ANALYSIS:
    - BCL: BULK Confidence Level: 0
        The message isn't from a bulk sender.

    More information:
                - https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/bulk-complaint-level-values

------------------------------------------

[...]

------------------------------------------
(10) Test: MS Defender ATP Message Properties

HEADER:
    X-MS-Exchange-AtpMessageProperties

VALUE:
    SA|SL

ANALYSIS:
    - MS Defender Advanced Threat Protection enabled following protections on this message:
        - Safe Attachments Protection
        - Safe Links Protection


------------------------------------------
(11) Test: Domain Impersonation

HEADER:
    From

VALUE:
    "attacker"

ANALYSIS:
    - Mail From:

                - Mail Domain: attacker.com
                       --> resolves to: 11.22.33.44
                           --> reverse-DNS resolves to: ec2-11-22-33-44.eu-west-3.compute.amazonaws.com
                               (sender's domain: amazonaws.com)

                - First Hop:   SMTP-SERVICE (44.55.66.77)
                       --> resolves to:
                           --> reverse-DNS resolves to: host44-55-66-77.static.arubacloud.pl
                               (first hop's domain: arubacloud.pl)

        - Domain SPF: "v=spf1 include:_spf.google.com ~all"

        - WARNING! Potential Domain Impersonation!
                - Mail's domain should resolve to:      amazonaws.com
                - But instead first hop resolved to:    arubacloud.pl

             
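The Received chain printed by Test 1 and the Domain Impersonation heuristic of Test 11 can be reproduced in a few dozen lines. The following is an added example, not code from decode-spam-headers.py: it parses each Received header into its from/by/with/id/via clauses, treats the bottom-most header as the first hop, and compares the organisation behind the From domain's reverse DNS with the organisation behind the first hop's reverse DNS, the same comparison the sample output above prints as a warning. The headers, the From address and the DNS answers are constructed (modelled on the sample run) and served from dictionaries so the example runs offline; the two-label org_domain() helper is a simplification that ignores public suffixes such as co.uk.

```python
import re
from typing import Dict, List

# Constructed sample headers, modelled on the chain in the sample run above.
# Received headers are prepended by each MTA, so the list is newest-first and
# the LAST element is the first hop (the server closest to the sender).
SAMPLE_FROM = '"Sender Name" <sender@attacker.com>'
SAMPLE_RECEIVED = [
    "from mail-wr1-f51.google.com (209.85.221.51) by "
    "SN1NAM02FT0061.eop-nam02.prod.protection.outlook.com (2603:10b6:806:131:cafe::e5) "
    "with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) "
    "id 15.20.4669.10 via Frontend Transport; Fri, 1 Jan 2021 12:34:20 +0000",
    "from SMTP-SERVICE (44.55.66.77)\r\n\tby mail-wr1-f51.google.com with ESMTPS id abc123;"
    "\r\n\tFri, 1 Jan 2021 12:34:20 +0000",
]

# Constructed offline DNS answers so the example runs without network access;
# a live version would call socket.gethostbyname / socket.gethostbyaddr instead.
FORWARD_DNS = {"attacker.com": "11.22.33.44", "mail-wr1-f51.google.com": "209.85.221.51"}
REVERSE_DNS = {
    "11.22.33.44": "ec2-11-22-33-44.eu-west-3.compute.amazonaws.com",
    "44.55.66.77": "host44-55-66-77.static.arubacloud.pl",
    "209.85.221.51": "mail-wr1-f51.google.com",
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# One 'keyword value' clause, running up to the next keyword or the end of the header.
CLAUSE_RE = re.compile(
    r"\b(from|by|with|id|via|for)\s+(.*?)(?=\s+\b(?:from|by|with|id|via|for)\b\s+|$)")


def unfold(raw: str) -> str:
    """Join folded continuation lines with a single space."""
    return " ".join(line.strip() for line in raw.splitlines())


def parse_received(raw: str) -> Dict[str, str]:
    """Break a Received header into its from/by/with/id/via/for clauses and its date."""
    value = unfold(raw)
    clauses, sep, date = value.rpartition(";")
    if not sep:  # no date part at all
        clauses, date = value, ""
    hop = {m.group(1): m.group(2).strip() for m in CLAUSE_RE.finditer(clauses)}
    hop["date"] = date.strip()
    ip = IPV4_RE.search(hop.get("from", ""))
    hop["from_ip"] = ip.group(1) if ip else ""
    return hop


def org_domain(hostname: str) -> str:
    """Last two labels of a hostname. Simplification: ignores public suffixes like co.uk."""
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def check_first_hop(from_header: str, received: List[str],
                    forward: Dict[str, str], reverse: Dict[str, str]) -> Dict[str, object]:
    """Test 11-style heuristic: does the first hop belong to the same organisation that
    hosts the From domain? A mismatch is a clue, not proof, of impersonation; legitimate
    mail sent through a third-party relay trips it too, so treat it as one signal."""
    hops = [parse_received(r) for r in received]
    first_hop = hops[-1]
    mail_domain = from_header.rsplit("@", 1)[-1].strip("> ").lower()
    mail_ip = forward.get(mail_domain, "")
    mail_rdns = reverse.get(mail_ip, "")
    hop_rdns = reverse.get(first_hop["from_ip"], "")
    sender_org = org_domain(mail_rdns) if mail_rdns else ""
    hop_org = org_domain(hop_rdns) if hop_rdns else ""
    return {
        "mail_domain": mail_domain, "mail_ip": mail_ip, "mail_rdns": mail_rdns,
        "first_hop": first_hop.get("from", ""), "first_hop_ip": first_hop["from_ip"],
        "first_hop_rdns": hop_rdns, "sender_org": sender_org, "first_hop_org": hop_org,
        # only flag when both sides resolved; missing PTR records are common and not suspicious
        "suspicious": bool(sender_org and hop_org and sender_org != hop_org),
    }


if __name__ == "__main__":
    for n, hop in enumerate(reversed([parse_received(r) for r in SAMPLE_RECEIVED]), 1):
        print(f"({n}) {hop.get('from')} -> {hop.get('by')} [{hop.get('with', '')}] {hop['date']}")
    verdict = check_first_hop(SAMPLE_FROM, SAMPLE_RECEIVED, FORWARD_DNS, REVERSE_DNS)
    if verdict["suspicious"]:
        print(f"WARNING: From domain resolves to {verdict['sender_org']} "
              f"but the first hop belongs to {verdict['first_hop_org']}")
```

Reading the chain bottom-up matters for the verdict: only the bottom-most Received header was written by a server you do not control, and everything above it was stamped by MTAs that relayed the message onward, so the comparison is made against that hop alone.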

☕ Show Support ☕

This and other projects are the outcome of sleepless nights and plenty of hard work. If you like what I do and appreciate that I always give back to the community, consider buying me a coffee (or better, a beer) just to say thank you! 💪


Mariusz Banach / mgeeky, (@mariuszbit)

Comments
  • 'utf-8' codec can't decode byte 0x8e

    I got the following error when trying to run with the --decode-all option:

    ←[38m[ERROR] ←[0m←[31mTest 29: "X-IronPort-Anti-Spam-Result" failed: 'utf-8' codec can't decode byte 0x8e in position 5: invalid start byte . Use --debug to show entire stack trace.←[0m
    ←[38m[ERROR] ←[0m←[31mTest 88: "IronPort-Data" failed: 'utf-8' codec can't decode byte 0xde in position 3: invalid continuation byte . Use --debug to show entire stack trace.←[0m
    ←[38m[ERROR] ←[0m←[31mTest 89: "IronPort-HdrOrder" failed: Invalid base64-encoded string: number of data characters (369) cannot be 1 more than a multiple of 4 . Use --debug to show entire stack trace.←[0m

    opened by Nanparam 9
  • Test 17: "Domain Impersonation" failed: 'NoneType' object has no attribute 'group' . Use --debug to show entire stack trace.

    Hi, first, the tool is really very, very useful. But every time I run this script, it has an error on the top line: "[ERROR] Test 17: "Domain Impersonation" failed: 'NoneType' object has no attribute 'group' . Use --debug to show entire stack trace."

    Maybe test 17 has some trouble.

    By the way, thanks for your contribution. Are there some advanced tools that can resolve the MS Outlook anti-spam headers? I want to know why my email was judged into the junk folder. Could you please provide some useful information to deal with it?

    opened by poiu1235 6
  • Cloudmark Authority X-CNFS-Analysis / X-CMAE-Envelope header

    In the mail not accepted by Gmail mentioned in #4, I also noticed an X-CNFS-Analysis header, which is apparently something spam-filter related from Cloudmark Authority for at least the past 15 years (ref).

    The syntax is something like:

    X-CNFS-Analysis: v=2.4 cv=<hash> c=1 sm=1 tr=0 ts=622096d8 cx=a_exe
     a= <base64>:117 a=<base64>:17
     a=<hash>:10 a=<hash>:9 a=<hash>:10 a=<hash>:10
    X-CMAE-Envelope: <base64>

    CMAE = CloudMark Authority Engine

    enhancement
    opened by HenkPoley 5
  • X-Authenticated-Sender header

    The X-Authenticated-Sender header might be interesting to display. Its syntax is like:

    X-Authenticated-Sender: [email protected]

    It appears to show the 'real' sender (the mail server account of the sender) if the From: address is overridden to something else in the sender's mail client.

    This ticket used to read something different. In the end it was a customer who tried to send mail as us, from his ISP's mail server, which is understandably blocked by Gmail. Sorry for the confusion. The header is still interesting.

    enhancement
    opened by HenkPoley 5
  • [ERROR] Test 1:

    [ERROR] Test 1: "Received - Mail Servers Flow" failed: 'OUTLOOK.COM'

    Hello,

    It seems the analysis of mail server flow doesn't like when FQDN are written in an uppercase style.

    Here is an example of a problematic run with --debug parameter (FQDN's and other domains was changed for anonymity reasons):

    ./decode-spam-headers.py /tmp/headers --debug
    [INFO] Analysing: /tmp/headers
    [DEBUG] Extracted 0. Received
    [DEBUG] Extracted 1. Received
    [DEBUG] Extracted 2. Received
    [DEBUG] Extracted 3. Authentication-Results
    [DEBUG] Extracted 4. Received-SPF
    [DEBUG] Extracted 5. Received
    [DEBUG] Extracted 6. Received
    [DEBUG] Extracted 7. DKIM-Signature
    [DEBUG] Extracted 8. To
    [DEBUG] Extracted 9. Subject
    [DEBUG] Extracted 10. Date
    [DEBUG] Extracted 11. From
    [DEBUG] Extracted 12. Message-ID
    [DEBUG] Extracted 13. X-Mailer
    [DEBUG] Extracted 14. MIME-Version
    [DEBUG] Extracted 15. Content-Type
    [DEBUG] Extracted 16. Content-Transfer-Encoding
    [DEBUG] Extracted 17. Return-Path
    [DEBUG] Extracted 18. X-MS-Exchange-Organization-ExpirationStartTime
    [DEBUG] Extracted 19. X-MS-Exchange-Organization-ExpirationStartTimeReason
    [DEBUG] Extracted 20. X-MS-Exchange-Organization-ExpirationInterval
    [DEBUG] Extracted 21. X-MS-Exchange-Organization-ExpirationIntervalReason
    [DEBUG] Extracted 22. X-MS-Exchange-Organization-Network-Message-Id
    [DEBUG] Extracted 23. X-EOPAttributedMessage
    [DEBUG] Extracted 24. X-EOPTenantAttributedMessage
    [DEBUG] Extracted 25. X-MS-Exchange-Organization-MessageDirectionality
    [DEBUG] Extracted 26. X-MS-PublicTrafficType
    [DEBUG] Extracted 27. X-MS-Exchange-Organization-AuthSource
    [DEBUG] Extracted 28. X-MS-Exchange-Organization-AuthAs
    [DEBUG] Extracted 29. X-MS-Office365-Filtering-Correlation-Id
    [DEBUG] Extracted 30. X-MS-TrafficTypeDiagnostic
    [DEBUG] Extracted 31. X-MS-Oob-TLC-OOBClassifiers
    [DEBUG] Extracted 32. X-MS-Exchange-Organization-SCL
    [DEBUG] Extracted 33. X-Forefront-Antispam-Report
    [DEBUG] Extracted 34. X-Microsoft-Antispam
    [DEBUG] Extracted 35. X-MS-Exchange-CrossTenant-OriginalArrivalTime
    [DEBUG] Extracted 36. X-MS-Exchange-CrossTenant-Network-Message-Id
    [DEBUG] Extracted 37. X-MS-Exchange-CrossTenant-Id
    [DEBUG] Extracted 38. X-MS-Exchange-CrossTenant-AuthSource
    [DEBUG] Extracted 39. X-MS-Exchange-CrossTenant-AuthAs
    [DEBUG] Extracted 40. X-MS-Exchange-CrossTenant-FromEntityHeader
    [DEBUG] Extracted 41. X-MS-Exchange-Transport-CrossTenantHeadersStamped
    [DEBUG] Extracted 42. X-MS-Exchange-Transport-EndToEndLatency
    [DEBUG] Extracted 43. X-MS-Exchange-Processed-By-BccFoldering
    [DEBUG] Extracted 44. X-Microsoft-Antispam-Mailbox-Delivery
    [DEBUG] Extracted 45. X-Microsoft-Antispam-Message-Info
    [INFO] Analysing 46 headers...
    [DEBUG] Running test 1: "Received - Mail Servers Flow"...
    [DEBUG] gethostbyaddr("1.2.3.4")...
    [DEBUG] Cached gethostbyaddr("1.2.3.4") = "www.myhost.fr"
    [DEBUG] gethostbyname("myhost.fr")...
    [DEBUG] Cached gethostbyname("myhost.fr") = "1.2.3.4"
    [DEBUG] Parsed Received header: {
        "host": "www.myhost.fr",
        "host2": "www.myhost.fr",
        "ip": "1.2.3.4",
        "timestamp": "2021-11-08 18:12:31+00:00",
        "ver": "15.20.4669.10",
        "with": "Microsoft SMTP Server",
        "extra": [
            "version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        ],
        "num": 2,
        "parsed": {
            "from": "www.myhost.fr (1.2.3.4)",
            "by": "MR2FRA01FT016.mail.protection.outlook.com (10.152.50.130)",
            "with": "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
            "id": "15.20.4669.10",
            "via": "Frontend Transport"
        },
        "_raw": "from www.myhost.fr (1.2.3.4) by MR2FRA01FT016.mail.protection.outlook.com (10.152.50.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.10 via Frontend Transport; Mon, 8 Nov 2021 18:12:31 +0000",
        "by": "MR2FRA01FT016.mail.protection.outlook.com",
        "id": "15.20.4669.10",
        "via": "Frontend Transport"
    }
    [DEBUG] gethostbyname("outlook.com")...
    [DEBUG] Cached gethostbyname("outlook.com") = "40.97.164.146"
    [DEBUG] Parsed Received header: {
        "host": "MR2FRA01FT016.eop-fra01.prod.protection.outlook.com",
        "host2": "2603:10a6:20b:46d:cafe::14",
        "ip": "",
        "timestamp": "2021-11-08 18:12:32+00:00",
        "ver": "15.20.4669.11",
        "with": "Microsoft SMTP Server",
        "extra": [
            "2603:10a6:20b:46d::21",
            "version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
        ],
        "num": 3,
        "parsed": {
            "from": "MR2FRA01FT016.eop-fra01.prod.protection.outlook.com (2603:10a6:20b:46d:cafe::14)",
            "by": "AS9P194CA0007.outlook.office365.com (2603:10a6:20b:46d::21)",
            "with": "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
            "id": "15.20.4669.11",
            "via": "Frontend Transport"
        },
        "_raw": "from MR2FRA01FT016.eop-fra01.prod.protection.outlook.com (2603:10a6:20b:46d:cafe::14) by AS9P194CA0007.outlook.office365.com (2603:10a6:20b:46d::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.11 via Frontend Transport; Mon, 8 Nov 2021 18:12:32 +0000",
        "by": "AS9P194CA0007.outlook.office365.com",
        "id": "15.20.4669.11",
        "via": "Frontend Transport"
    }
    [DEBUG] gethostbyname("MR2FRA01FT016.eop-fra01.prod.protection.outlook.com")...
    [DEBUG] Returning cached gethostbyname entry for: "OUTLOOK.COM"
    [ERROR] Test 1: "Received - Mail Servers Flow" failed: 'OUTLOOK.COM' . Use --debug to show entire stack trace.
    Traceback (most recent call last):
      File "./decode-spam-headers.py", line 6323, in <module>
        main(sys.argv)
      File "./decode-spam-headers.py", line 6303, in main
        out = an.parse(text)
      File "./decode-spam-headers.py", line 2021, in parse
        self.results[testName] = testFunc()
      File "./decode-spam-headers.py", line 4751, in testReceived
        obj = self.parseReceived(r, numReceived)
      File "./decode-spam-headers.py", line 4681, in parseReceived
        res = SMTPHeadersAnalysis.gethostbyname(f'{tldextracted.domain}.{tldextracted.suffix}')
      File "./decode-spam-headers.py", line 1821, in gethostbyname
        return SMTPHeadersAnalysis.resolved[name]
    KeyError: 'OUTLOOK.COM'

    opened by scoudeville 3
  • Erroneous identification of mail address in test 18 (Identified Sender Addresses)

    Hello, during the header analysis of the sender addresses, the script recognizes as different the addresses in the From and Return-Path if, in the From header, the address is specified in the form "Description" [email protected]

    In my case, for example, I have these headers:

    To: [email protected]
    From: Luigi Bianchi <[email protected]>
    Subject: Test 
    Return-Path: [email protected]
    

    The mail sender is the same address, only written in 2 different ways, both allowed (cf. RFC 5322 § 3.4), but the script recognizes them as different addresses and issues a spoofing warning.

    -----------------------------------------
    (18) Test: Identified Sender Addresses
    
    HEADER:
    
        - Return-Path
        - From
    
    
    DESCRIPTION:
        Sender's address was found in 2 different SMTP headers.
    
    VALUE:
        - [email protected]
        - [email protected] 
    
    ANALYSIS:
    
    - Identified sender addresses (2):
    
            - Return-Path         : [email protected]
            - From                : [email protected]
    
    - WARNING! Not all sender addresses match each other - potential Mail Spoofing!
    - See here for more info: https://blog.shiraj.com/2020/05/email-spoofing/
    
    

    There is a sanitizing of the address before comparison, but it is incorrect. The address to be extracted, if there are angle brackets, should be only that inside the brackets, ignoring the description.

    opened by nlarenti 2
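An added example (not code from decode-spam-headers.py) of the extraction the issue above asks for: email.utils.parseaddr drops the display name and angle brackets before the Return-Path and From values are compared, so the two spellings in the report compare equal while a genuinely different bounce address still trips the warning. The sample headers are constructed, and folding only the domain part is this example's own choice.

```python
from email.utils import parseaddr

# Constructed sample headers: one mailbox written two ways (RFC 5322 § 3.4).
SAMPLE_HEADERS = {
    "From": "Luigi Bianchi <luigi.bianchi@example.com>",
    "Return-Path": "luigi.bianchi@example.com",
}


def extract_addr_spec(value):
    """Return only the addr-spec of a mailbox header value.

    parseaddr strips the display name, angle brackets, comments and
    surrounding whitespace, so '"Desc" <a@b>' and 'a@b' give the same
    result.  A null reverse-path (Return-Path: <>) gives ''.
    """
    _display_name, addr = parseaddr(value.strip())
    return addr.strip()


def normalize(addr):
    """Case-fold the domain part only (assumption of this example: the
    local part is kept as-is because RFC 5321 treats it as case-sensitive)."""
    if "@" not in addr:
        return addr
    local, _, domain = addr.rpartition("@")
    return f"{local}@{domain.lower()}"


def identified_sender_addresses(headers, names=("Return-Path", "From")):
    """Header name -> normalized addr-spec, for each sender header present."""
    return {
        name: normalize(extract_addr_spec(headers[name]))
        for name in names
        if name in headers
    }


def senders_mismatch(headers):
    """True when the sender headers name more than one distinct mailbox,
    which is the only case that should raise the spoofing warning."""
    return len(set(identified_sender_addresses(headers).values())) > 1


if __name__ == "__main__":
    print(identified_sender_addresses(SAMPLE_HEADERS))
    print("mismatch:", senders_mismatch(SAMPLE_HEADERS))
```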
Owner
Mariusz Banach
Offensive Sencha Consultant