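def sendArf(item, spam=False):
    """Build an ARF (RFC 5965) abuse report for *item* and deliver it by SMTP.

    The report is a multipart/report message with four parts: a human readable
    description, the machine readable ``message/feedback-report`` block, the
    headers of the offending message (``text/rfc822-headers``) and the full
    offending message as a password protected zip attachment.  It is sent to
    the abuse contact in ``item['emailAbuse']`` and then, as separate copies,
    to each address in ``reportEmailCc`` (or ``reportEmailSpamCc`` when
    *spam* is true).

    Args:
        item: dict describing the offending message.  Keys read here:
            ``emailAbuse``, ``subject``, ``sourceIp``, ``arrivalDate``,
            ``content`` and, for non-spam reports, ``sourceDomain``;
            ``urlList`` is optional.
        spam: True for a plain "abuse" report, False for a "fraud" report
            (the message failed DMARC).

    Module globals read: reportSender, mailSmtp, reportEmailCc,
    reportEmailSpamCc, arfPassword, wldomain.

    Raises:
        RuntimeError: when the external ``zip`` command fails, so that a
            report without its attachment is never sent.
        smtplib.SMTPException: propagated from delivery.
    """
    global reportSender
    global mailSmtp
    global reportEmailCc
    global reportEmailSpamCc

    msg = MIMEBase('multipart', 'report')
    msg.set_param('report-type', 'feedback-report', requote=False)
    msg["To"] = str(item['emailAbuse'])
    msg["From"] = reportSender
    msg["Subject"] = "Abuse report for: " + str(item['subject'])

    # Part 1: human readable cover text.
    msg.attach(MIMEText(_arfDescription(item, spam)))

    # Part 2: machine readable feedback report (RFC 5965 section 3).
    msgreport = MIMEBase('message', "feedback-report")
    msgreport.set_charset("US-ASCII")
    msgreport.set_payload(_arfFeedbackReport(item, spam))
    msg.attach(msgreport)

    # Part 3: only the headers of the offending message are attached inline;
    # the first blank line (CRLF or LF) separates headers from body.
    msgrfc822 = MIMEBase('text', "rfc822-headers")
    msgrfc822.add_header('Content-Disposition', 'inline')
    parts = re.split(r'\r\n\r\n|\n\n', item['content'])
    msgrfc822.set_payload(parts[0])
    msg.attach(msgrfc822)

    # Part 4: the complete message, password protected so that mail filters
    # on the receiving side do not act on the sample itself.
    msg.attach(_encryptedZipPart(item['content']))

    _deliverReport(msg, spam)


def _arfDescription(item, spam):
    """Return the cover text for part 1 of the report (CRLF line endings)."""
    if spam:
        lines = [
            "This is an email in the abuse report format (ARF) for an email message coming via these \r\n",
            "IPs " + str(item['sourceIp']) + " on " + str(item['arrivalDate']) + ".\r\n",
            "This report indicates that the attached email was not wanted by the recipient.\r\n",
            "This report may indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n",
        ]
    else:
        lines = [
            "This is an email in the abuse report format (ARF) for an email message received from \r\n",
            "IP " + str(item['sourceIp']) + " " + str(item['sourceDomain']) + " on " + str(item['arrivalDate']) + " UTC.\r\n",
            "This report likely indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n",
            "The attached email was selected amongst emails that failed DMARC,\r\n",
            "therefore it indicates that the author tried to pass for someone else\r\n",
            "indicating fraud and not spam. The faster you fix or isolate the compromised machine, \r\n",
            "the better you protect your customers or members and the Internet at large.\r\n\r\n",
        ]
    lines.extend([
        "This ARF report contains all the information you will need to assess the problem.\r\n",
        "The zip attachment is the complete email encrypted with the password " + str(arfPassword) + "\r\n",
        "For more information about this format please see http://tools.ietf.org/html/rfc5965.\r\n",
    ])
    return "".join(lines)


def _arfFeedbackReport(item, spam):
    """Return the ``message/feedback-report`` field block for part 2."""
    fields = [
        "Feedback-Type: " + ("abuse" if spam else "fraud") + "\r\n",
        "User-Agent: pyforensic/1.1\r\n",
        "Version: 1.0\r\n",
    ]
    if spam:
        # Spam items carry a comma separated list of IPs; one field each.
        for ip in item['sourceIp'].split(", "):
            fields.append("Source-IP: " + str(ip) + "\r\n")
    else:
        fields.append("Source-IP: " + str(item['sourceIp']) + "\r\n")
    fields.append("Arrival-Date: " + str(item['arrivalDate']) + " UTC\r\n")
    # NOTE(review): the password expression on this line was redacted in the
    # listing; reconstructed from the zip step, which encrypts with arfPassword.
    fields.append("Attachment-Password: " + str(arfPassword) + "\r\n")
    # URIs found in the message are reported unless their host is whitelisted;
    # a URI without a hostname is reported as-is.
    for uri in (item.get('urlList') or []):
        hostname = urlparse.urlparse(uri).hostname
        if hostname is None or not _isWhitelistedHost(hostname):
            fields.append("Reported-Uri: " + str(uri) + "\r\n")
    return "".join(fields)


def _isWhitelistedHost(hostname):
    """True when *hostname* equals, or is a subdomain of, an entry in wldomain.

    The original check compared the raw suffix of the hostname, so an entry
    ``example.com`` also suppressed ``notexample.com``; the match now requires
    a label boundary.  Entries written with a leading dot keep their original
    "subdomains only" meaning.
    """
    host = hostname.lower()
    for domain in wldomain:
        entry = domain.lower()
        if entry.startswith('.'):
            matched = host.endswith(entry)
        else:
            matched = host == entry or host.endswith('.' + entry)
        if matched:
            return True
    return False


def _encryptedZipPart(content):
    """Return an application/zip MIME part holding *content* protected with arfPassword.

    Everything happens inside a private temporary directory that is removed
    on every exit path, so neither the plaintext .eml nor the zip is left
    behind when zip or the read fails.
    """
    import shutil  # local import: the module's import block is not in view here
    workdir = tempfile.mkdtemp(prefix='mail')
    try:
        temp = tempfile.NamedTemporaryFile(prefix='mail', suffix='.eml', dir=workdir, delete=False)
        try:
            temp.write(content)  # assumes content is bytes-compatible for the temp file (str on Python 2) — confirm
            temp.flush()
        finally:
            temp.close()
        filenameemail = os.path.basename(temp.name)
        filenamezip = os.path.splitext(filenameemail)[0] + '.zip'
        # zip -P puts the password on the command line, where it is visible to
        # other local users in the process list while zip runs; Info-ZIP offers
        # no non-interactive alternative, so this is a known limitation.  The
        # classic zip encryption is weak; the password mainly keeps the sample
        # from being acted on by the recipient's mail filters.  cwd= replaces
        # the original os.chdir(), which changed the working directory of the
        # whole process and never restored it.
        rc = subprocess.call(['zip', '-P%s' % arfPassword, filenamezip, filenameemail], cwd=workdir)
        if rc != 0:
            # Previously ignored: the report would then be sent without a
            # usable attachment or fail later on a missing file.
            raise RuntimeError("zip failed with exit status %d" % rc)
        with open(os.path.join(workdir, filenamezip), "rb") as ziptemp:
            payload = ziptemp.read()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

    msgzip = MIMEBase('application', "zip")
    msgzip.set_payload(payload)
    encoders.encode_base64(msgzip)
    msgzip.add_header('Content-Disposition', 'attachment', filename=filenamezip)
    return msgzip


def _deliverReport(msg, spam):
    """Send *msg* to the abuse contact(s) in its To header, then one copy per CC address.

    The SMTP session is always closed, even when a sendmail() call raises.
    """
    s = smtplib.SMTP(mailSmtp)
    try:
        # send to IP owners first
        if msg["To"] != "":
            toList = msg["To"].split(",")
            s.sendmail(msg["From"], toList, msg.as_string())
        # send a copy; each CC address gets its own message with To rewritten
        reportEmail = reportEmailSpamCc if spam else reportEmailCc
        if reportEmail != "":
            for emailAddress in reportEmail.split(","):
                if "To" in msg:
                    msg.replace_header("To", str(emailAddress))
                else:
                    msg["To"] = str(emailAddress)
                s.sendmail(msg["From"], emailAddress, msg.as_string())
    finally:
        s.quit()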
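def sendArf(item, spam=False):
    """Build an ARF (RFC 5965) abuse report for *item* and deliver it by SMTP.

    NOTE(review): this listing defines sendArf twice; when both definitions
    are loaded into one module the later one is the one that runs.

    The report is a multipart/report message with four parts: a human readable
    description, the machine readable ``message/feedback-report`` block, the
    headers of the offending message (``text/rfc822-headers``) and the full
    offending message as a password protected zip attachment.  It is sent to
    the abuse contact in ``item['emailAbuse']`` and then, as separate copies,
    to each address in ``reportEmailCc`` (or ``reportEmailSpamCc`` when
    *spam* is true).

    Args:
        item: dict describing the offending message.  Keys read here:
            ``emailAbuse``, ``subject``, ``sourceIp``, ``arrivalDate``,
            ``content`` and, for non-spam reports, ``sourceDomain``;
            ``urlList`` is optional.
        spam: True for a plain "abuse" report, False for a "fraud" report
            (the message failed DMARC).

    Module globals read: reportSender, mailSmtp, reportEmailCc,
    reportEmailSpamCc, arfPassword, wldomain.

    Raises:
        RuntimeError: when the external ``zip`` command fails, so that a
            report without its attachment is never sent.
        smtplib.SMTPException: propagated from delivery.
    """
    global reportSender
    global mailSmtp
    global reportEmailCc
    global reportEmailSpamCc

    msg = MIMEBase('multipart', 'report')
    msg.set_param('report-type', 'feedback-report', requote=False)
    msg["To"] = str(item['emailAbuse'])
    msg["From"] = reportSender
    msg["Subject"] = "Abuse report for: " + str(item['subject'])

    # Part 1: human readable cover text.
    msg.attach(MIMEText(_arfDescription(item, spam)))

    # Part 2: machine readable feedback report (RFC 5965 section 3).
    msgreport = MIMEBase('message', "feedback-report")
    msgreport.set_charset("US-ASCII")
    msgreport.set_payload(_arfFeedbackReport(item, spam))
    msg.attach(msgreport)

    # Part 3: only the headers of the offending message are attached inline;
    # the first blank line (CRLF or LF) separates headers from body.
    msgrfc822 = MIMEBase('text', "rfc822-headers")
    msgrfc822.add_header('Content-Disposition', 'inline')
    parts = re.split(r'\r\n\r\n|\n\n', item['content'])
    msgrfc822.set_payload(parts[0])
    msg.attach(msgrfc822)

    # Part 4: the complete message, password protected so that mail filters
    # on the receiving side do not act on the sample itself.
    msg.attach(_encryptedZipPart(item['content']))

    _deliverReport(msg, spam)


def _arfDescription(item, spam):
    """Return the cover text for part 1 of the report (CRLF line endings)."""
    if spam:
        lines = [
            "This is an email in the abuse report format (ARF) for an email message coming via these \r\n",
            "IPs " + str(item['sourceIp']) + " on " + str(item['arrivalDate']) + ".\r\n",
            "This report indicates that the attached email was not wanted by the recipient.\r\n",
            "This report may indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n",
        ]
    else:
        lines = [
            "This is an email in the abuse report format (ARF) for an email message received from \r\n",
            "IP " + str(item['sourceIp']) + " " + str(item['sourceDomain']) + " on " + str(item['arrivalDate']) + " UTC.\r\n",
            "This report likely indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n",
            "The attached email was selected amongst emails that failed DMARC,\r\n",
            "therefore it indicates that the author tried to pass for someone else\r\n",
            "indicating fraud and not spam. The faster you fix or isolate the compromised machine, \r\n",
            "the better you protect your customers or members and the Internet at large.\r\n\r\n",
        ]
    lines.extend([
        "This ARF report contains all the information you will need to assess the problem.\r\n",
        "The zip attachment is the complete email encrypted with the password " + str(arfPassword) + "\r\n",
        "For more information about this format please see http://tools.ietf.org/html/rfc5965.\r\n",
    ])
    return "".join(lines)


def _arfFeedbackReport(item, spam):
    """Return the ``message/feedback-report`` field block for part 2."""
    fields = [
        "Feedback-Type: " + ("abuse" if spam else "fraud") + "\r\n",
        "User-Agent: pyforensic/1.1\r\n",
        "Version: 1.0\r\n",
    ]
    if spam:
        # Spam items carry a comma separated list of IPs; one field each.
        for ip in item['sourceIp'].split(", "):
            fields.append("Source-IP: " + str(ip) + "\r\n")
    else:
        fields.append("Source-IP: " + str(item['sourceIp']) + "\r\n")
    fields.append("Arrival-Date: " + str(item['arrivalDate']) + " UTC\r\n")
    # NOTE(review): the password expression on this line was redacted in the
    # listing; reconstructed from the zip step, which encrypts with arfPassword.
    fields.append("Attachment-Password: " + str(arfPassword) + "\r\n")
    # URIs found in the message are reported unless their host is whitelisted;
    # a URI without a hostname is reported as-is.
    for uri in (item.get('urlList') or []):
        hostname = urlparse.urlparse(uri).hostname
        if hostname is None or not _isWhitelistedHost(hostname):
            fields.append("Reported-Uri: " + str(uri) + "\r\n")
    return "".join(fields)


def _isWhitelistedHost(hostname):
    """True when *hostname* equals, or is a subdomain of, an entry in wldomain.

    The original check compared the raw suffix of the hostname, so an entry
    ``example.com`` also suppressed ``notexample.com``; the match now requires
    a label boundary.  Entries written with a leading dot keep their original
    "subdomains only" meaning.
    """
    host = hostname.lower()
    for domain in wldomain:
        entry = domain.lower()
        if entry.startswith('.'):
            matched = host.endswith(entry)
        else:
            matched = host == entry or host.endswith('.' + entry)
        if matched:
            return True
    return False


def _encryptedZipPart(content):
    """Return an application/zip MIME part holding *content* protected with arfPassword.

    Everything happens inside a private temporary directory that is removed
    on every exit path, so neither the plaintext .eml nor the zip is left
    behind when zip or the read fails.
    """
    import shutil  # local import: the module's import block is not in view here
    workdir = tempfile.mkdtemp(prefix='mail')
    try:
        temp = tempfile.NamedTemporaryFile(prefix='mail', suffix='.eml', dir=workdir, delete=False)
        try:
            temp.write(content)  # assumes content is bytes-compatible for the temp file (str on Python 2) — confirm
            temp.flush()
        finally:
            temp.close()
        filenameemail = os.path.basename(temp.name)
        filenamezip = os.path.splitext(filenameemail)[0] + '.zip'
        # zip -P puts the password on the command line, where it is visible to
        # other local users in the process list while zip runs; Info-ZIP offers
        # no non-interactive alternative, so this is a known limitation.  The
        # classic zip encryption is weak; the password mainly keeps the sample
        # from being acted on by the recipient's mail filters.  cwd= replaces
        # the original os.chdir(), which changed the working directory of the
        # whole process and never restored it.
        rc = subprocess.call(['zip', '-P%s' % arfPassword, filenamezip, filenameemail], cwd=workdir)
        if rc != 0:
            # Previously ignored: the report would then be sent without a
            # usable attachment or fail later on a missing file.
            raise RuntimeError("zip failed with exit status %d" % rc)
        with open(os.path.join(workdir, filenamezip), "rb") as ziptemp:
            payload = ziptemp.read()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

    msgzip = MIMEBase('application', "zip")
    msgzip.set_payload(payload)
    encoders.encode_base64(msgzip)
    msgzip.add_header('Content-Disposition', 'attachment', filename=filenamezip)
    return msgzip


def _deliverReport(msg, spam):
    """Send *msg* to the abuse contact(s) in its To header, then one copy per CC address.

    The SMTP session is always closed, even when a sendmail() call raises.
    """
    s = smtplib.SMTP(mailSmtp)
    try:
        # send to IP owners first
        if msg["To"] != "":
            toList = msg["To"].split(",")
            s.sendmail(msg["From"], toList, msg.as_string())
        # send a copy; each CC address gets its own message with To rewritten
        reportEmail = reportEmailSpamCc if spam else reportEmailCc
        if reportEmail != "":
            for emailAddress in reportEmail.split(","):
                if "To" in msg:
                    msg.replace_header("To", str(emailAddress))
                else:
                    msg["To"] = str(emailAddress)
                s.sendmail(msg["From"], emailAddress, msg.as_string())
    finally:
        s.quit()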