
decode-spam-headers's Introduction

mgeeky's code lair


Hi! I'm Mariusz, an Offensive Security aficionado. I've been solving IT Security problems from both the defensive and offensive sides of the barricade for more than 14 years now, eight of them professionally. I was always more attracted to sharing knowledge through my code, tools, scripts and exploits rather than writing blog posts. With that on the table, this GitHub account acts as my legacy. 😄

🎓 My area of expertise is Windows & network security assessments. I started as a Malware Analyst and pushed my career through all sorts of technical roles & challenges to land myself in a Red Team operator's shoes, holistically evaluating my customers' cyber-defensive programmes.

I'm a holder of the following cybersecurity/IT certificates: CARTP, CRTE, CRTP, eCPTX, CCNA, CREST CRT, OSCP, OSCE, OSWP.

⚡ Welcome to my GitHub lair, where you'll find all sorts of security-related tools of hopefully decent quality.

โค๏ธ If you ever benefited from my projects, tools, scripts, pull requests - if you ever saw my work helpful to others, it would be really awesome if you could consider supporting these efforts through my Github Sponsors page. You'll receive an exclusive access to my private repositories containing a few other high quality tools and utilities greatly improving Red Teams delivery. Show some love and support - consider buying me a coffee or better a beer - as a way of saying thank you! ๐Ÿ’ช

Cheers!


decode-spam-headers's Issues

AssertionError: Output colors mismatch - could not find end of color marker!

I get this error when running the script for the first time. Latest Python 3 (3.11), and I have all requirement.txt dependencies installed.

Script ran:
py .\decode-spam-headers.py EmailHeaders\headers.txt -f html -o headersreport.html
Traceback (most recent call last):
File "C:\Python\decode-spam-headers-main\decode-spam-headers.py", line 6921, in
main(sys.argv)
File "C:\Python\decode-spam-headers-main\decode-spam-headers.py", line 6904, in main
output = colorizeOutput(printed, text)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Python\decode-spam-headers-main\decode-spam-headers.py", line 6819, in colorizeOutput
out = Logger.htmlColors(out)
^^^^^^^^^^^^^^^^^^^^^^
File "C:\Python\decode-spam-headers-main\decode-spam-headers.py", line 307, in htmlColors
return Logger.replaceColors(s, get_col)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "C:\Python\decode-spam-headers-main\decode-spam-headers.py", line 267, in replaceColors
assert pos2 != -1, "Output colors mismatch - could not find end of color marker!"
^^^^^^^^^^
AssertionError: Output colors mismatch - could not find end of color marker!

[ERROR] Test 1: "Received - Mail Servers Flow" failed: 'OUTLOOK.COM'

Hello,

It seems the analysis of the mail server flow doesn't like it when FQDNs are written in uppercase.

Here is an example of a problematic run with the --debug parameter (FQDNs and other domains were changed for anonymity reasons):

./decode-spam-headers.py /tmp/headers --debug
[INFO] Analysing: /tmp/headers
[DEBUG] Extracted 0. Received
[DEBUG] Extracted 1. Received
[DEBUG] Extracted 2. Received
[DEBUG] Extracted 3. Authentication-Results
[DEBUG] Extracted 4. Received-SPF
[DEBUG] Extracted 5. Received
[DEBUG] Extracted 6. Received
[DEBUG] Extracted 7. DKIM-Signature
[DEBUG] Extracted 8. To
[DEBUG] Extracted 9. Subject
[DEBUG] Extracted 10. Date
[DEBUG] Extracted 11. From
[DEBUG] Extracted 12. Message-ID
[DEBUG] Extracted 13. X-Mailer
[DEBUG] Extracted 14. MIME-Version
[DEBUG] Extracted 15. Content-Type
[DEBUG] Extracted 16. Content-Transfer-Encoding
[DEBUG] Extracted 17. Return-Path
[DEBUG] Extracted 18. X-MS-Exchange-Organization-ExpirationStartTime
[DEBUG] Extracted 19. X-MS-Exchange-Organization-ExpirationStartTimeReason
[DEBUG] Extracted 20. X-MS-Exchange-Organization-ExpirationInterval
[DEBUG] Extracted 21. X-MS-Exchange-Organization-ExpirationIntervalReason
[DEBUG] Extracted 22. X-MS-Exchange-Organization-Network-Message-Id
[DEBUG] Extracted 23. X-EOPAttributedMessage
[DEBUG] Extracted 24. X-EOPTenantAttributedMessage
[DEBUG] Extracted 25. X-MS-Exchange-Organization-MessageDirectionality
[DEBUG] Extracted 26. X-MS-PublicTrafficType
[DEBUG] Extracted 27. X-MS-Exchange-Organization-AuthSource
[DEBUG] Extracted 28. X-MS-Exchange-Organization-AuthAs
[DEBUG] Extracted 29. X-MS-Office365-Filtering-Correlation-Id
[DEBUG] Extracted 30. X-MS-TrafficTypeDiagnostic
[DEBUG] Extracted 31. X-MS-Oob-TLC-OOBClassifiers
[DEBUG] Extracted 32. X-MS-Exchange-Organization-SCL
[DEBUG] Extracted 33. X-Forefront-Antispam-Report
[DEBUG] Extracted 34. X-Microsoft-Antispam
[DEBUG] Extracted 35. X-MS-Exchange-CrossTenant-OriginalArrivalTime
[DEBUG] Extracted 36. X-MS-Exchange-CrossTenant-Network-Message-Id
[DEBUG] Extracted 37. X-MS-Exchange-CrossTenant-Id
[DEBUG] Extracted 38. X-MS-Exchange-CrossTenant-AuthSource
[DEBUG] Extracted 39. X-MS-Exchange-CrossTenant-AuthAs
[DEBUG] Extracted 40. X-MS-Exchange-CrossTenant-FromEntityHeader
[DEBUG] Extracted 41. X-MS-Exchange-Transport-CrossTenantHeadersStamped
[DEBUG] Extracted 42. X-MS-Exchange-Transport-EndToEndLatency
[DEBUG] Extracted 43. X-MS-Exchange-Processed-By-BccFoldering
[DEBUG] Extracted 44. X-Microsoft-Antispam-Mailbox-Delivery
[DEBUG] Extracted 45. X-Microsoft-Antispam-Message-Info
[INFO] Analysing 46 headers...
[DEBUG] Running test 1: "Received - Mail Servers Flow"...
[DEBUG] gethostbyaddr("1.2.3.4")...
[DEBUG] Cached gethostbyaddr("1.2.3.4") = "www.myhost.fr"
[DEBUG] gethostbyname("myhost.fr")...
[DEBUG] Cached gethostbyname("myhost.fr") = "1.2.3.4"
[DEBUG] Parsed Received header: { "host": "www.myhost.fr", "host2": "www.myhost.fr", "ip": "1.2.3.4", "timestamp": "2021-11-08 18:12:31+00:00", "ver": "15.20.4669.10", "with": "Microsoft SMTP Server", "extra": [ "version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ], "num": 2, "parsed": { "from": "www.myhost.fr (1.2.3.4)", "by": "MR2FRA01FT016.mail.protection.outlook.com (10.152.50.130)", "with": "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)", "id": "15.20.4669.10", "via": "Frontend Transport" }, "_raw": "from www.myhost.fr (1.2.3.4) by MR2FRA01FT016.mail.protection.outlook.com (10.152.50.130) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.10 via Frontend Transport; Mon, 8 Nov 2021 18:12:31 +0000", "by": "MR2FRA01FT016.mail.protection.outlook.com", "id": "15.20.4669.10", "via": "Frontend Transport" }
[DEBUG] gethostbyname("outlook.com")...
[DEBUG] Cached gethostbyname("outlook.com") = "40.97.164.146"
[DEBUG] Parsed Received header: { "host": "MR2FRA01FT016.eop-fra01.prod.protection.outlook.com", "host2": "2603:10a6:20b:46d:cafe::14", "ip": "", "timestamp": "2021-11-08 18:12:32+00:00", "ver": "15.20.4669.11", "with": "Microsoft SMTP Server", "extra": [ "2603:10a6:20b:46d::21", "version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" ], "num": 3, "parsed": { "from": "MR2FRA01FT016.eop-fra01.prod.protection.outlook.com (2603:10a6:20b:46d:cafe::14)", "by": "AS9P194CA0007.outlook.office365.com (2603:10a6:20b:46d::21)", "with": "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)", "id": "15.20.4669.11", "via": "Frontend Transport" }, "_raw": "from MR2FRA01FT016.eop-fra01.prod.protection.outlook.com (2603:10a6:20b:46d:cafe::14) by AS9P194CA0007.outlook.office365.com (2603:10a6:20b:46d::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4669.11 via Frontend Transport; Mon, 8 Nov 2021 18:12:32 +0000", "by": "AS9P194CA0007.outlook.office365.com", "id": "15.20.4669.11", "via": "Frontend Transport" }
[DEBUG] gethostbyname("MR2FRA01FT016.eop-fra01.prod.protection.outlook.com")...
[DEBUG] Returning cached gethostbyname entry for: "OUTLOOK.COM"
[ERROR] Test 1: "Received - Mail Servers Flow" failed: 'OUTLOOK.COM' . Use --debug to show entire stack trace.
Traceback (most recent call last):
  File "./decode-spam-headers.py", line 6323, in <module>
    main(sys.argv)
  File "./decode-spam-headers.py", line 6303, in main
    out = an.parse(text)
  File "./decode-spam-headers.py", line 2021, in parse
    self.results[testName] = testFunc()
  File "./decode-spam-headers.py", line 4751, in testReceived
    obj = self.parseReceived(r, numReceived)
  File "./decode-spam-headers.py", line 4681, in parseReceived
    res = SMTPHeadersAnalysis.gethostbyname(f'{tldextracted.domain}.{tldextracted.suffix}')
  File "./decode-spam-headers.py", line 1821, in gethostbyname
    return SMTPHeadersAnalysis.resolved[name]
KeyError: 'OUTLOOK.COM'
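The trace above shows the failure mode: the resolver cache is keyed on the exact string that was looked up, so "outlook.com" is cached and a later lookup of "OUTLOOK.COM" (the upper-cased FQDN from the next Received hop) misses and raises KeyError. DNS names are case-insensitive (RFC 4343), so the cache key should be normalized. The following is an added example, not the project's code: HostResolver and fake_resolver are hypothetical names, and the DNS answers are constructed so that the snippet runs offline.

```python
import socket
from typing import Callable, Dict, Optional


class HostResolver:
    """Cache forward lookups under a case-normalized key so that
    'outlook.com', 'OUTLOOK.COM' and 'Outlook.com.' share one entry."""

    def __init__(self, resolver: Callable[[str], str] = socket.gethostbyname):
        self._resolve = resolver                    # injectable for offline tests
        self.resolved: Dict[str, Optional[str]] = {}

    @staticmethod
    def normalize(name: str) -> str:
        # lower-case and drop a trailing root dot ("outlook.com." -> "outlook.com")
        return name.strip().rstrip('.').lower()

    def gethostbyname(self, name: str) -> Optional[str]:
        key = self.normalize(name)
        if key in self.resolved:                    # hit regardless of input case
            return self.resolved[key]
        try:
            ip = self._resolve(key)
        except (socket.gaierror, OSError):
            ip = None                               # negative answers are cached too
        self.resolved[key] = ip
        return ip


# Constructed stand-in for DNS so the example needs no network access.
_FAKE_DNS = {'outlook.com': '40.97.164.146', 'www.myhost.fr': '1.2.3.4'}


def fake_resolver(name: str) -> str:
    try:
        return _FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(name)


def demo():
    r = HostResolver(resolver=fake_resolver)
    first = r.gethostbyname('outlook.com')          # resolves and caches
    second = r.gethostbyname('OUTLOOK.COM')         # cache hit, no KeyError
    third = r.gethostbyname('Outlook.com.')         # trailing dot also normalized
    missing = r.gethostbyname('no-such-host.invalid')
    return first, second, third, missing, len(r.resolved)


if __name__ == '__main__':
    print(demo())
```

Normalizing at the cache boundary (rather than at every call site) also removes the need to lower-case the name before each resolver call, which is how the upper-cased hop slipped through here.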

Test 17: "Domain Impersonation" failed: 'NoneType' object has no attribute 'group' . Use --debug to show entire stack trace.

Hi, first of all the tool is really very, very useful.
But every time I run this script, it has an error on the top line:
"[ERROR] Test 17: "Domain Impersonation" failed: 'NoneType' object has no attribute 'group' . Use --debug to show entire stack trace."

Maybe test 17 has some trouble.

By the way, thanks for your contribution.
Are there any advanced tools that can resolve the MS Outlook anti-spam header?
I want to know why my email is judged into the junk folder.
Could you please provide some useful information to deal with it?

Received - Mail Servers Flow" failed: Invalid version: 'F07EBDD638

After working through a long series of headers in an email manually today I came across this project, and ran it on them (attached) to see what it would find. However I ran into an error and a couple issues:

Sample-Headers.txt

  1. It reported an error for an internal hostname along the route:
    "host": "89b23fcea35b",
    "host2": "ddclpnotapi03",
    "ip": "10.53.192.180",
    "timestamp": "2023-02-02 23:08:32+00:00",
    "ver": "F07EBDD638",
    "with": "ESMTP",
    "extra": [
        "Postfix",
        "Hostname exposed: 89b23fcea35b"
    ],
    "num": 1,
    "parsed": {
        "from": "89b23fcea35b (ddclpnotapi03 [10.53.192.180])",
        "by": "notification.payments.interac.ca (Postfix)",
        "with": "ESMTP",
        "id": "F07EBDD638",
        "for": "<[email protected]>"
    },
    "_raw": "from 89b23fcea35b (ddclpnotapi03 [10.53.192.180]) by notification.payments.interac.ca (Postfix) with ESMTP
id F07EBDD638 for <[email protected]>; Thu,  2 Feb 2023 18:08:32 -0500 (EST)",
    "by": "notification.payments.interac.ca",
    "id": "F07EBDD638"
} -->
[ERROR] Test 1: "Received - Mail Servers Flow" failed: Invalid version: 'F07EBDD638' . Use --debug to show entire stack
trace.

I don't know if anything was excluded from the output report due to this.

  2. Not fatal, but it identified items in headers as domains that aren't:
    - Found Domain:   15.20.6064.24
    - Found Domain:   6.0.562
    - Found Domain:   2.0.219
    - Found Domain:   _Part_16536292_807372936.1675379312980
    - Found Domain:   36.9663
    - Found Domain:   8.12
    - Found Domain:   15.1.2507.17
    - Found Domain:   17.11.122
    - Found Domain:   15.01.2507.017
    - Found Domain:   00.3940871
    - Found Domain:   15.20.6064.27
    - Found Domain:   15.20.6064.25
    - Found Domain:   18.0.930
  3. Not a big deal, but it added an unbalanced </font> tag for other found domains:
    - Found Domain:   MN2PR15CA0012.outlook.office365</font>.com
    - Found Domain:   microsoft</font>.com
    - Found Domain:   acxsys.onmicrosoft</font>.com
    - Found Domain:   YT2PR01CA0021.outlook.office365</font>.com
    - Found Domain:   mx.microsoft</font>.com

But even with these issues the analysis of the spam headers completed and was useful. Thanks.

Cloudmark Authority X-CNFS-Analysis / X-CMAE-Envelope header

In the mail not accepted by Gmail mentioned in #4, I also noticed an X-CNFS-Analysis header, which is apparently something spam-filter related from Cloudmark Authority for at least the past 15 years (ref).

The syntax is something like:

X-CNFS-Analysis: v=2.4 cv=<hash> c=1 sm=1 tr=0 ts=622096d8 cx=a_exe
 a= <base64>:117 a=<base64>:17
 a=<hash>:10 a=<hash>:9 a=<hash>:10 a=<hash>:10
X-CMAE-Envelope: <base64>

CMAE = CloudMark Authority Engine

Email intelligence detects keywords in base64

According to the report:

(18) Test: Email Providers Infrastructure Clues

ANALYSIS:

- Mail contents analysis shown that this e-mail passed through the following third-party Mail providers:

	- Dyn - url: https://dyn.com/
	- Emma - url: https://myemma.com/

This sounded odd to me because I do not recognize these services; when looking through the mail data myself I did not see these domains, and when looking at the code it simply does a lowercase compare:

if re.search(r'd=e2ma\.net;', value, re.I|re.S) or "Emma".lower() in value.lower():

if re.search(r'^X-DynectEmail-Msg-(Key|Hash):', value, re.I|re.S) or "Dyn".lower() in value.lower():

There's quite a big chance that these (and other) keywords appear somewhere in base64, which gives false positives quite easily. Maybe it would be good to only look for these keywords in a word-boundary manner?
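The substring compare quoted above will fire on any header whose value happens to contain "emma" or "dyn" as a run of characters, and opaque base64 blobs such as X-CMAE-Envelope are exactly where such runs appear by chance. The following is an added example, not the project's code, that keeps the tool's header-specific regexes and replaces the bare substring test with a word-boundary match; PROVIDERS, naive_match, boundary_match and the sample headers are constructed for this illustration (the X-CMAE-Envelope value is a made-up base64-looking string, not a real envelope).

```python
import re

# Provider signatures in the style the tool uses: a header-specific regex plus
# a bare keyword. Hypothetical table, assumed for this example.
PROVIDERS = {
    'Emma': (r'd=e2ma\.net;', 'Emma'),
    'Dyn':  (r'^X-DynectEmail-Msg-(Key|Hash):', 'Dyn'),
}


def naive_match(provider, line):
    """Substring test: 'emma' anywhere in the lower-cased header line counts."""
    pattern, keyword = PROVIDERS[provider]
    return bool(re.search(pattern, line, re.I | re.S)) or keyword.lower() in line.lower()


def boundary_match(provider, line):
    """Keyword must stand alone as a word, so a base64 run cannot trigger it."""
    pattern, keyword = PROVIDERS[provider]
    if re.search(pattern, line, re.I | re.S):
        return True
    return re.search(r'\b' + re.escape(keyword) + r'\b', line, re.I) is not None


def detect_providers(headers, matcher):
    """headers: list of (name, value). Returns the sorted set of providers hit."""
    found = set()
    for name, value in headers:
        line = f'{name}: {value}'           # match on the full header line
        for provider in PROVIDERS:
            if matcher(provider, line):
                found.add(provider)
    return sorted(found)


# Constructed sample headers. The envelope blob contains "Emma" and "dyn" as
# substrings purely by construction, mimicking what random base64 does.
OPAQUE_BLOB = [('X-CMAE-Envelope', 'MS4wfEmmaQ1dynR0b3J3ZTQxMjM0NTY3ODk=')]
GENUINE = [
    ('DKIM-Signature', 'v=1; a=rsa-sha256; d=e2ma.net; s=k1; h=from:to:subject;'),
    ('X-DynectEmail-Msg-Key', 'f3a9c1e2'),
    ('Received', 'from mail.example.com by mx.example.org with ESMTP id abc123'),
]


def compare():
    """Run both matchers over both sample sets."""
    return {
        'naive_on_blob': detect_providers(OPAQUE_BLOB, naive_match),
        'boundary_on_blob': detect_providers(OPAQUE_BLOB, boundary_match),
        'naive_on_genuine': detect_providers(GENUINE, naive_match),
        'boundary_on_genuine': detect_providers(GENUINE, boundary_match),
    }


if __name__ == '__main__':
    for label, hits in compare().items():
        print(f'{label:22s} -> {hits}')
```

The word-boundary version still recognizes both genuine providers through their specific headers, but reports nothing for the opaque blob. A remaining caveat: a short keyword like "Emma" will still match a display name in From:, so the keyword fallback is best restricted to the headers where the provider actually stamps its name.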

'utf-8' codec can't decode byte 0x8e

I got the following errors when trying to run with the --decode-all option:

โ†[38m[ERROR] โ†[0mโ†[31mTest 29: "X-IronPort-Anti-Spam-Result" failed: 'utf-8' codec can't decode byte 0x8e in position 5: invalid start byte . Use --debug to show entire stack trace.โ†[0m
โ†[38m[ERROR] โ†[0mโ†[31mTest 88: "IronPort-Data" failed: 'utf-8' codec can't decode byte 0xde in position 3: invalid continuation byte . Use --debug to show entire stack trace.โ†[0m
โ†[38m[ERROR] โ†[0mโ†[31mTest 89: "IronPort-HdrOrder" failed: Invalid base64-encoded string: number of data characters (369) cannot be 1 more than a multiple of 4 . Use --debug to show entire stack trace.โ†[0m

Date in `Received` identified as IP address

Received: from EUR04-VI1-obe.outbound.protection.outlook.com
 (mail-vi1eur04on062e.outbound.protection.outlook.com.
 [2a01:111:f400:fe0e::62e]) by mx.google.com with ESMTPS id
 qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20
 for <[email protected]> (version=TLS1_2
 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Dec 2023 06:48:20
 -0800 (PST)

Result:

ANALYSIS:

(01) Header: Received  contained an IP address:
	     Value    :    2023.12.14.06.48.20

I don't know if the following stack traces can be relevant:


[DEBUG] Parsed Received header:
{
    "host": "DBBPR03MB6762.eurprd03.prod.outlook.com",
    "host2": "[fe80::6f8b:f9b3:eaa:ea3e]",
    "ip": "",
    "timestamp": "2023-12-14 14:48:16+00:00",
    "ver": "15.20.7091.028",
    "with": "mapi",
    "extra": [
        "[fe80::6f8b:f9b3:eaa:ea3e%4]"
    ],
    "num": 1,
    "parsed": {
        "from": "DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e])",
        "by": "DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e%4])",
        "with": "mapi",
        "id": "15.20.7091.028"
    },
    "_raw": "from DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e]) by DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e%4]) with mapi id 15.20.7091.028; Thu, 14 Dec 2023 14:48:16 +0000",
    "by": "DBBPR03MB6762.eurprd03.prod.outlook.com",
    "id": "15.20.7091.028"
}
[DEBUG] gethostbyname("dbbpr03mb6762.eurprd03.prod.outlook.com")...
[DEBUG] Returning cached gethostbyname entry for: "outlook.com"
[DEBUG] Parsed Received header:
{
    "host": "DBBPR03MB6762.eurprd03.prod.outlook.com",
    "host2": "2603:10a6:10:20b::21",
    "ip": "",
    "timestamp": "2023-12-14 14:48:16+00:00",
    "ver": "15.20.7091.28",
    "with": "Microsoft SMTP Server",
    "extra": [
        "2603:10a6:20b:1c2::6",
        "version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    ],
    "num": 2,
    "parsed": {
        "from": "DBBPR03MB6762.eurprd03.prod.outlook.com (2603:10a6:10:20b::21)",
        "by": "AM7PR03MB6531.eurprd03.prod.outlook.com (2603:10a6:20b:1c2::6)",
        "with": "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "id": "15.20.7091.28"
    },
    "_raw": "from DBBPR03MB6762.eurprd03.prod.outlook.com (2603:10a6:10:20b::21) by AM7PR03MB6531.eurprd03.prod.outlook.com (2603:10a6:20b:1c2::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7091.28; Thu, 14 Dec 2023 14:48:16 +0000",
    "by": "AM7PR03MB6531.eurprd03.prod.outlook.com",
    "id": "15.20.7091.28"
}
[DEBUG] gethostbyname("dbbpr03mb6762.eurprd03.prod.outlook.com")...
[DEBUG] Returning cached gethostbyname entry for: "outlook.com"
[DEBUG] Parsed Received header:
{
    "host": "EUR04-VI1-obe.outbound.protection.outlook.com",
    "host2": "mail-vi1eur04on062e.outbound.protection.outlook.com",
    "ip": "2a01:111:f400:fe0e::62e",
    "timestamp": "2023-12-14 14:48:20+00:00",
    "ver": "qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20",
    "with": "ESMTPS",
    "extra": [
        "version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128"
    ],
    "num": 3,
    "parsed": {
        "from": "EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on062e.outbound.protection.outlook.com. [2a01:111:f400:fe0e::62e])",
        "by": "mx.google.com",
        "with": "ESMTPS",
        "id": "qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20",
        "for": "<[email protected]> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128)"
    },
    "_raw": "from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on062e.outbound.protection.outlook.com. [2a01:111:f400:fe0e::62e]) by mx.google.com with ESMTPS id qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20 for <[email protected]> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Dec 2023 06:48:20 -0800 (PST)",
    "by": "mx.google.com",
    "id": "qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20"
}
[ERROR] Test 1: "Received - Mail Servers Flow" failed: Invalid version: 'qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20' . Use --debug to show entire stack trace.
Traceback (most recent call last):
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 6925, in <module>
    main(sys.argv)
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 6905, in main
    out = an.parse(text)
          ^^^^^^^^^^^^^^
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 2285, in parse
    self.results[testName] = testFunc()
                             ^^^^^^^^^^
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 5209, in testReceived
    vers = SMTPHeadersAnalysis.parseExchangeVersion(obj['ver'])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 2107, in parseExchangeVersion
    lookupparsed = packaging.version.parse(lookup)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/anaconda3/lib/python3.11/site-packages/packaging/version.py", line 52, in parse
    return Version(version)
           ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/anaconda3/lib/python3.11/site-packages/packaging/version.py", line 198, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: 'qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20'
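Three of the issues above share one root cause: tokens pulled out of a Received header are handed to parsers that assume a specific shape. The "id" token is passed to packaging.version.parse even when it is a Postfix queue id (F07EBDD638) or a Gmail ESMTP id (the long qd22-… string), a dotted timestamp inside that id is reported as an IP address, and dotted version numbers such as 15.20.6064.24 are reported as domains. The following is an added example, not the project's code, that validates each token shape before interpreting it: parse_exchange_version, find_ipv4_strict, find_domains and analyse_received are hypothetical names, the naive IPv4 pattern is a constructed illustration of the failure mode, and the two Received samples are condensed from the headers quoted in these issues with the recipient address replaced by a constructed one.

```python
import ipaddress
import re

# 1. Exchange build numbers are four dotted numeric fields; anything else is
#    an opaque id and must not be fed to a version parser.
EXCHANGE_VERSION_RE = re.compile(r'^\d{1,2}\.\d{1,2}\.\d{1,5}\.\d{1,4}$')


def parse_exchange_version(token):
    """Return (major, minor, build, rev) or None when the token is not a version."""
    token = token.strip()
    if not EXCHANGE_VERSION_RE.match(token):
        return None
    return tuple(int(part) for part in token.split('.'))


# 2. IPv4 literals: the naive pattern matches any dotted digit run, so the
#    date "2023.12.14.06.48.20" inside a Gmail id yields a bogus "address".
NAIVE_IPV4_RE = re.compile(r'\d{1,3}(?:\.\d{1,3}){3}')
STRICT_IPV4_RE = re.compile(r'(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])')


def find_ipv4_naive(text):
    return NAIVE_IPV4_RE.findall(text)


def find_ipv4_strict(text):
    """Require token boundaries and let ipaddress reject octets above 255."""
    out = []
    for cand in STRICT_IPV4_RE.findall(text):
        try:
            out.append(str(ipaddress.IPv4Address(cand)))
        except ValueError:
            pass
    return out


# 3. Domains: labels per RFC 1035 shape, and the last label must be alphabetic,
#    which excludes 15.20.6064.24, _Part_... boundaries and dotted timestamps.
DOMAIN_RE = re.compile(
    r'(?<![\w.-])((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\.?(?![\w-])',
    re.I)


def find_domains(text):
    return DOMAIN_RE.findall(text)


ID_RE = re.compile(r'\bid\s+(\S+)')


def analyse_received(raw):
    """Extract the id token and classify it, plus IPv4 literals and domains."""
    m = ID_RE.search(raw)
    token = m.group(1).rstrip(';') if m else ''
    return {
        'id': token,
        'exchange_version': parse_exchange_version(token),
        'ipv4': find_ipv4_strict(raw),
        'domains': find_domains(raw),
    }


# Condensed from the headers quoted in the issues; recipient is constructed.
RECEIVED_POSTFIX = (
    'from 89b23fcea35b (ddclpnotapi03 [10.53.192.180]) by notification.payments.interac.ca '
    '(Postfix) with ESMTP id F07EBDD638 for <recipient@example.net>; '
    'Thu,  2 Feb 2023 18:08:32 -0500 (EST)')
RECEIVED_GMAIL = (
    'from EUR04-VI1-obe.outbound.protection.outlook.com '
    '(mail-vi1eur04on062e.outbound.protection.outlook.com. [2a01:111:f400:fe0e::62e]) '
    'by mx.google.com with ESMTPS id '
    'qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20 '
    'for <recipient@example.net> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 '
    'bits=128/128); Thu, 14 Dec 2023 06:48:20 -0800 (PST)')

if __name__ == '__main__':
    for raw in (RECEIVED_POSTFIX, RECEIVED_GMAIL):
        print(analyse_received(raw))
        print('naive ipv4 would report:', find_ipv4_naive(raw))
```

The point of returning None from parse_exchange_version rather than raising is that the Received test can keep walking the remaining hops; a non-Exchange id is normal, not an error condition.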

Erroneous identification of mail address in test 18 (Identified Sender Addresses)

Hello,
during the header analysis of the sender addresses, the script recognizes the addresses in the From and Return-Path as different if, in the From header, the address is specified in the form
"Description" [email protected]

In my case, for example, I have these headers:

To: [email protected]
From: Luigi Bianchi <[email protected]>
Subject: Test 
Return-Path: [email protected]

The mail sender is the same address, only written in 2 different ways, both of which are allowed (cf. RFC 5322 § 3.4), but the script recognizes them as different addresses and issues a spoofing warning.

-----------------------------------------
(18) Test: Identified Sender Addresses

HEADER:

    - Return-Path
    - From


DESCRIPTION:
    Sender's address was found in 2 different SMTP headers.

VALUE:
    - [email protected]
    - [email protected] 

ANALYSIS:

- Identified sender addresses (2):

        - Return-Path         : [email protected]
        - From                : [email protected]

- WARNING! Not all sender addresses match each other - potential Mail Spoofing!
- See here for more info: https://blog.shiraj.com/2020/05/email-spoofing/

There is sanitizing of the address before comparison, but it is incorrect. The address to be extracted, if there are angle brackets, should be only the one inside the brackets, ignoring the description.
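The comparison in test 18 only works if every sender header is reduced to its bare addr-spec first; RFC 5322 §3.4 allows a display name, optional angle brackets and mixed case around the same mailbox. The following is an added example, not the project's code, of that normalization using the standard library's email.utils.parseaddr with a fallback for the bracket-less "Description" user@host form the issue mentions, which parseaddr does not split on its own. normalize_address and compare_sender_headers are hypothetical names and the header sets are constructed.

```python
import re
from email.utils import parseaddr

# Fallback addr-spec pattern for values parseaddr cannot split cleanly.
ADDR_SPEC_RE = re.compile(r'[^\s<>"@,;]+@[A-Za-z0-9.-]+')

SENDER_HEADERS = ('from', 'return-path', 'sender', 'reply-to')


def normalize_address(value):
    """Reduce a From/Return-Path style value to a bare, lower-cased addr-spec.

    'Luigi Bianchi <lb@example.com>', '<lb@example.com>', 'lb@example.com'
    and '"Luigi" lb@example.com' all become 'lb@example.com'.
    Returns '' when no addr-spec is present.
    """
    _, addr = parseaddr(value.strip())
    if '@' not in addr or ' ' in addr or '"' in addr:
        # parseaddr keeps the display name when the brackets are missing,
        # so fall back to the last addr-spec-looking token in the raw value
        found = ADDR_SPEC_RE.findall(value)
        addr = found[-1] if found else ''
    # domain part is case-insensitive; lower-casing the local part too is a
    # deliberate choice to avoid spoofing false alarms between mailers that
    # canonicalize case differently
    return addr.strip('<>').lower()


def compare_sender_headers(headers):
    """headers: list of (name, value) as extracted from the message.

    Returns (addresses_by_header, mismatch) where mismatch is True only when
    the normalized sender addresses really differ.
    """
    seen = {}
    for name, value in headers:
        if name.lower() in SENDER_HEADERS:
            addr = normalize_address(value)
            if addr:
                seen[name] = addr
    return seen, len(set(seen.values())) > 1


# Constructed samples: the first mirrors the issue (same mailbox written two
# ways), the second is a genuine mismatch the warning should still catch.
SAME_SENDER = [
    ('To', 'mario.rossi@example.com'),
    ('From', 'Luigi Bianchi <Luigi.Bianchi@example.com>'),
    ('Subject', 'Test'),
    ('Return-Path', '<luigi.bianchi@example.com>'),
]
DIFFERENT_SENDER = [
    ('From', 'Accounts <accounts@example.com>'),
    ('Return-Path', '<bounce-1234@example.org>'),
]

if __name__ == '__main__':
    for label, hdrs in (('same', SAME_SENDER), ('different', DIFFERENT_SENDER)):
        seen, mismatch = compare_sender_headers(hdrs)
        print(label, seen, 'WARNING: mismatch' if mismatch else 'ok')
```

With the display name stripped, the issue's From/Return-Path pair compares equal and no spoofing warning is raised, while a bounce address on a different domain still trips the check.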

Office365 anti-spam rules: empiric tests led to decoding of two rules (42882007 and 78352004)

Hi there,
While performing some empiric tests during an engagement, abusing MS Direct Sender for spoofing purposes, I noticed that (while using the exact same email pretext) the antispam rules 42882007 and 78352004 are matched when a replyTo address is missing. In this context this has been confirmed and easily fixed by adding the -ReplyTo flag while sending the email from Azure CloudShell with the Send-MailMessage command.

X-Authenticated-Sender header

The X-Authenticated-Sender header might be interesting to display. Its syntax is like:

X-Authenticated-Sender: [email protected]

It appears to show the 'real' sender (the mailserver account of the sender) if the From: address is overridden to something else in the sender's mail client.


This ticket used to read something different. In the end it was a customer who tried to send mail as us, from his ISP mailserver. Which is understandably blocked by Gmail. Sorry for the confusion. The header is still interesting.
