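def process_email(key, mail_request):
    """Parse a raw email into the field dictionary consumed by salmonconclude.

    The message bytes are read from ``mail_request.Data``; the ``get_*``
    helpers fill ``mail_fields`` in place.  A failure (``Code.ERROR``)
    reported by any mandatory helper marks the message undeliverable: the
    problem is logged, ``move_to_undeliverable(key)`` is called and ``None``
    is returned.

    Args:
        key (str): Name of the file being processed.
        mail_request (MailRequest): Instance of the MailRequest class with eml data.

    Returns:
        dict | None: The populated ``mail_fields`` dictionary, or ``None`` when
        parsing failed.  When ``SALMON_SETTINGS_MODULE`` is *not* set in the
        environment, ``salmonconclude.conclude`` is invoked on the fields
        before returning; its rating is not propagated by this function.
    """
    mail_fields = {
        "to": [],
        "reply-to": "",
        "from": "",
        "from_name": "",
        "subject": "",
        "date": "",
        "text": "",
        "html": "",
        "attachmentFileName": [],
        "attachmentFile": [],
        "undecodeAttachmentFile": [],
        "links": [],
        "ssdeep": "",
        "len": "",
        "s_id": "",
    }
    parser = email.parser.BytesParser()
    # Untrusted input: these bytes are the received .eml file as-is.
    msg = parser.parsebytes(mail_request.Data)

    code = None
    # Recipient, sender and body parts are mandatory.  The chain stops at the
    # first failure, but the optional helpers below still run on the message.
    if get_recipient(msg, mail_fields) == Code.ERROR:
        code = Code.UNDELIVERABLE
    elif get_sender(msg, mail_fields) == Code.ERROR:
        code = Code.UNDELIVERABLE
    elif get_email_parts(msg, mail_fields) == Code.ERROR:
        code = Code.UNDELIVERABLE

    get_reply_to(msg, mail_fields)
    get_subject(msg, mail_fields)
    get_links(msg, mail_fields)
    # Processing time (local, naive) rather than anything taken from the
    # sender-supplied Date header.
    mail_fields["date"] = datetime.today().timestamp()

    if get_ssdeep(msg, mail_fields) == Code.ERROR:
        code = Code.UNDELIVERABLE
    elif get_email_id(msg, mail_fields) == Code.ERROR:
        code = Code.UNDELIVERABLE

    if code == Code.UNDELIVERABLE:
        # Lazy %-args: formatted only if the record is actually emitted.
        logging.error(
            "[-] (salmonmailparser.py) - Some issue in parsing file %s", key)
        move_to_undeliverable(key)
        return None

    if "SALMON_SETTINGS_MODULE" not in os.environ:
        salmonconclude.conclude(mail_fields, key, mail_request)
    return mail_fields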
def test_rating_100_2(self, f_sender, f_recipient, f_mail_fields_dict):
    """An email that is already stored in the test_emails table must score 100."""
    seeded_mail = TestMail(self.mail_fields1)
    push_email_into_db(self.mail_fields1, seeded_mail, [self.recipient1], self.sender1)
    self.mail_fields_dict5 = {
        "text": " ".join([self.body_plain1]),
        "html": "",
        "subject": self.subject1,
        "from": self.email1,
        "from_name": "",
        "to": [(self.email1, self.name1)],
        "date": 1587298372.484211,
        "attachmentFileName": [],
        "links": [],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 100
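def test_rating_100_3(self, f_mail_fields_dict):
    """A message matching an entry in the rule file must score 100.

    Side effect: enables ``use_rule_file`` in the shared ``utils.settings``
    and replaces ``utils.settings.rules`` with the contents of
    ``./testing_rules.json``.  That is module-global state and is not
    restored here, so later tests observe it unless a fixture resets it.
    """
    utils.settings.data["relay"]["use_rule_file"] = True
    # Explicit encoding: the platform default depends on the locale, and the
    # rule file could hold non-ASCII patterns.
    with open("./testing_rules.json", encoding="utf-8") as json_file:
        utils.settings.rules = json.load(json_file)
    self.mail_fields_dict5 = {
        "text": "example body_plain",
        "html": "",
        "subject": self.subject1,
        "from": self.email1,
        "from_name": "",
        "to": [(self.email2, "")],
        "date": 1587298372.484211,
        "attachmentFileName": [],
        "links": [],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 100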
def test_rating_50(self, f_links, f_settings, f_mail_fields_dict):
    """Body with the username and a link already seen three times in the db scores 50."""
    push_into_db(self.settings1)
    # Seed the link table so the link in the body is already known.
    self.f_link4 = Link(self.link2, 3, 60)
    push_into_db(self.f_link4)
    self.mail_fields_dict5 = {
        "text": " ".join([self.body_plain1, self.username1, self.link2]),
        "html": "",
        "subject": self.subject1,
        "from": self.email1,
        "from_name": "",
        "to": [(self.email2, "")],
        "date": 1587322973.484211,
        "attachmentFileName": [],
        "links": [self.link2],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 50
def test_rating_30(self, f_settings, f_mail_fields_dict):
    """A very long body that contains the username scores 30."""
    push_into_db(self.settings1)
    # Two generated paragraphs, in call order, separated by a newline.
    self.body_plain5 = "\n".join(
        [self.generator.paragraph(), self.generator.paragraph()]
    )
    self.mail_fields_dict5 = {
        "text": " ".join([self.body_plain5, self.username1]),
        "html": "",
        "subject": self.subject1,
        "from": self.email1,
        "from_name": "",
        "to": [(self.email2, "")],
        "date": 1587322973.484211,
        "attachmentFileName": [],
        "links": [],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 30
def test_rating_100_1(self, f_password):
    """An .eml whose body contains the stored password scores 100."""
    # Credentials seeded into the db for this test only (test fixture values).
    self.password4 = "changeme"
    self.username4 = "changeme"
    self.settings4 = Settings(username=self.username4, password=self.password4)
    push_into_db(self.settings4)
    request = MailRequest(
        self.eml_file1, None, None, self.eml_content(self.eml_file1)
    )
    fields = process_email(self.eml_file1, request)
    score = conclude(fields, self.eml_file1, request)
    assert score == 100
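def run(files, directory, mtimes, *, relay_threshold=70, max_relayed=13):
    """Parse and rate each .eml file in *files*, counting relay-worthy ones.

    Args:
        files: Iterable of file names (also the keys into *mtimes*).
        directory: Directory handed to ``eml_content`` to locate each file.
        mtimes: Mapping of file name to modification time; the value replaces
            the ``"date"`` field set by ``process_email``.
        relay_threshold: Minimum rating for a message to count towards
            ``RELAYED`` (default 70, the value previously hard-coded).
        max_relayed: Upper bound for the ``RELAYED`` counter (default 13,
            previously hard-coded).

    Raises:
        KeyError: If a processed file name is missing from *mtimes*.

    NOTE(review): assumes a module-level ``RELAYED`` integer exists — confirm.
    """
    # Without this declaration the augmented assignment below makes RELAYED a
    # local, and the comparison raises UnboundLocalError on the first message
    # that reaches it.
    global RELAYED
    for file_name in files:
        mail_request = MailRequest(
            file_name, None, None, eml_content(file_name, directory)
        )
        mail_fields = process_email(file_name, mail_request)
        if not mail_fields:
            # process_email returns None for files it could not parse.
            continue
        mail_fields["date"] = mtimes[file_name]
        rating = conclude(mail_fields, file_name, mail_request)
        if rating >= relay_threshold and RELAYED < max_relayed:
            RELAYED += 1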
def test_rating_70(self, f_mail_fields_dict):
    """A subject holding the honeypot's IP address scores 70."""
    self.mail_fields_dict5 = {
        "text": " ".join([self.body_plain2]),
        "html": "",
        "subject": self.ip,
        "from": self.email1,
        "from_name": "",
        "to": [(self.email2, "")],
        "date": 1587322973.484211,
        "attachmentFileName": [],
        "links": [],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 70
def test_rating_55(self, f_settings, f_mail_fields_dict):
    """Body with the username, combined with this particular date, scores 55."""
    push_into_db(self.settings1)
    self.mail_fields_dict5 = {
        "text": " ".join([self.body_plain1, self.username1]),
        "html": "",
        "subject": self.subject1,
        "from": self.email1,
        "from_name": "",
        "to": [(self.email2, "")],
        "date": 1587298372.484211,
        "attachmentFileName": [],
        "links": [],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 55
def test_rating_0(self, f_settings, f_mail_fields_dict):
    """An attachment plus the word "test" in the subject scores 0."""
    push_into_db(self.settings1)
    self.mail_fields_dict5 = {
        "text": " ".join([self.body_plain2]),
        "html": "",
        "subject": "test",
        "from": self.email1,
        "from_name": "",
        "to": [(self.email2, "")],
        "date": 1587322973.484211,
        "attachmentFileName": ["test.doc"],
        "links": [],
    }
    fields = self.mail_fields_dict5
    # "len" counts only the html, subject and text characters.
    fields["len"] = sum(len(fields[part]) for part in ("html", "subject", "text"))
    fields["ssdeep"] = get_fuzzy_hash(fields)
    score = conclude(fields, self.fake_eml_file, self.fake_mail_request)
    assert score == 0