def sendArf(item, spam=False):
global reportSender
global mailSmtp
global reportEmailCc
global reportEmailSpamCc
msg = MIMEBase('multipart', 'report')
msg.set_param('report-type', 'feedback-report', requote=False)
msg["To"] = str(item['emailAbuse'])
msg["From"] = reportSender
msg["Subject"] = "Abuse report for: " + str(item['subject'])
if spam:
text = "This is an email in the abuse report format (ARF) for an email message coming via these \r\n"
text = text + "IPs " + str(item['sourceIp']) + " on " + str(
item['arrivalDate']) + ".\r\n"
text = text + "This report indicates that the attached email was not wanted by the recipient.\r\n"
text = text + "This report may indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n"
text = text + "This ARF report contains all the information you will need to assess the problem.\r\n"
text = text + "The zip attachment is the complete email encrypted with the password " + str(
arfPassword) + "\r\n"
text = text + "For more information about this format please see http://tools.ietf.org/html/rfc5965.\r\n"
else:
text = "This is an email in the abuse report format (ARF) for an email message received from \r\n"
text = text + "IP " + str(item['sourceIp']) + " " + str(
item['sourceDomain']) + " on " + str(
item['arrivalDate']) + " UTC.\r\n"
text = text + "This report likely indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n"
text = text + "The attached email was selected amongst emails that failed DMARC,\r\n"
text = text + "therefore it indicates that the author tried to pass for someone else\r\n"
text = text + "indicating fraud and not spam. The faster you fix or isolate the compromised machine, \r\n"
text = text + "the better you protect your customers or members and the Internet at large.\r\n\r\n"
text = text + "This ARF report contains all the information you will need to assess the problem.\r\n"
text = text + "The zip attachment is the complete email encrypted with the password " + str(
arfPassword) + "\r\n"
text = text + "For more information about this format please see http://tools.ietf.org/html/rfc5965.\r\n"
msgtxt = MIMEText(text)
msg.attach(msgtxt)
msgreport = MIMEBase('message', "feedback-report")
msgreport.set_charset("US-ASCII")
if spam:
text = "Feedback-Type: abuse\r\n"
else:
text = "Feedback-Type: fraud\r\n"
text = text + "User-Agent: pyforensic/1.1\r\n"
text = text + "Version: 1.0\r\n"
if not spam:
text = text + "Source-IP: " + str(item['sourceIp']) + "\r\n"
else:
ipList = item['sourceIp'].split(", ")
for ip in ipList:
text = text + "Source-IP: " + str(ip) + "\r\n"
text = text + "Arrival-Date: " + str(item['arrivalDate']) + " UTC\r\n"
text = text + "Attachment-Password: "******"\r\n"
if 'urlList' in item:
for uri in item['urlList']:
o = urlparse.urlparse(uri)
urlReport = True
if o.hostname is not None:
for domain in wldomain:
if o.hostname[-len(domain):] == domain:
urlReport = False
if urlReport == True:
text = text + "Reported-Uri: " + str(uri) + "\r\n"
msgreport.set_payload(text)
msg.attach(msgreport)
#msgrfc822 = MIMEBase('message', "rfc822")
msgrfc822 = MIMEBase('text', "rfc822-headers")
msgrfc822.add_header('Content-Disposition', 'inline')
parts = re.split(r'\r\n\r\n|\n\n', item['content'])
rfc822headers = parts[0]
#msgrfc822.set_payload(item['content'])
msgrfc822.set_payload(rfc822headers)
msg.attach(msgrfc822)
#prepare the zip encrypted
temp = tempfile.NamedTemporaryFile(prefix='mail',
suffix='.eml',
delete=False)
tempname = temp.name
temp.write(item['content'])
temp.flush()
ziptemp = tempfile.NamedTemporaryFile(prefix='mail',
suffix='.zip',
delete=True)
ziptempname = ziptemp.name
ziptemp.close()
workdir = os.path.dirname(ziptempname)
filenamezip = os.path.basename(ziptempname)
filenameemail = os.path.basename(tempname)
os.chdir(workdir)
option = '-P%s' % arfPassword
rc = subprocess.call(['zip', option] + [filenamezip, filenameemail])
temp.close()
ziptemp = open(ziptempname, "r")
msgzip = MIMEBase('application', "zip")
msgzip.set_payload(ziptemp.read())
encoders.encode_base64(msgzip)
msgzip.add_header('Content-Disposition',
'attachment',
filename=filenamezip)
ziptemp.close()
msg.attach(msgzip)
#delete created files
os.remove(ziptempname)
os.remove(tempname)
#print "******************\r\n"
#print msg.as_string()
#print "******************\r\n"
s = smtplib.SMTP(mailSmtp)
# send to IP owners first
if msg["To"] != "":
toList = msg["To"].split(",")
s.sendmail(msg["From"], toList, msg.as_string())
# send a copy
reportEmail = reportEmailCc
if spam:
reportEmail = reportEmailSpamCc
if reportEmail != "":
toList = reportEmail.split(",")
for emailAddress in toList:
if msg.has_key("To"):
msg.replace_header("To", str(emailAddress))
else:
msg["To"] = str(emailAddress)
s.sendmail(msg["From"], emailAddress, msg.as_string())
s.quit()
def sendArf(item, spam=False):
global reportSender
global mailSmtp
global reportEmailCc
global reportEmailSpamCc
msg = MIMEBase('multipart','report')
msg.set_param('report-type','feedback-report',requote=False)
msg["To"] = str(item['emailAbuse'])
msg["From"] = reportSender
msg["Subject"] = "Abuse report for: "+str(item['subject'])
if spam:
text = "This is an email in the abuse report format (ARF) for an email message coming via these \r\n"
text = text+"IPs "+str(item['sourceIp'])+" on "+str(item['arrivalDate'])+".\r\n"
text = text+"This report indicates that the attached email was not wanted by the recipient.\r\n"
text = text+"This report may indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n"
text = text+"This ARF report contains all the information you will need to assess the problem.\r\n"
text = text+"The zip attachment is the complete email encrypted with the password "+str(arfPassword)+"\r\n";
text = text+"For more information about this format please see http://tools.ietf.org/html/rfc5965.\r\n";
else:
text = "This is an email in the abuse report format (ARF) for an email message received from \r\n"
text = text+"IP "+str(item['sourceIp'])+" "+str(item['sourceDomain'])+" on "+str(item['arrivalDate'])+" UTC.\r\n"
text = text+"This report likely indicates a compromised machine and may contain URLs to malware, treat with caution!\r\n\r\n"
text = text+"The attached email was selected amongst emails that failed DMARC,\r\n"
text = text+"therefore it indicates that the author tried to pass for someone else\r\n"
text = text+"indicating fraud and not spam. The faster you fix or isolate the compromised machine, \r\n"
text = text+"the better you protect your customers or members and the Internet at large.\r\n\r\n"
text = text+"This ARF report contains all the information you will need to assess the problem.\r\n"
text = text+"The zip attachment is the complete email encrypted with the password "+str(arfPassword)+"\r\n";
text = text+"For more information about this format please see http://tools.ietf.org/html/rfc5965.\r\n";
msgtxt = MIMEText(text)
msg.attach(msgtxt)
msgreport = MIMEBase('message', "feedback-report")
msgreport.set_charset("US-ASCII")
if spam:
text = "Feedback-Type: abuse\r\n"
else:
text = "Feedback-Type: fraud\r\n"
text = text + "User-Agent: pyforensic/1.1\r\n"
text = text + "Version: 1.0\r\n"
if not spam:
text = text + "Source-IP: "+str(item['sourceIp'])+"\r\n"
else:
ipList = item['sourceIp'].split(", ")
for ip in ipList:
text = text + "Source-IP: "+str(ip)+"\r\n"
text = text + "Arrival-Date: "+str(item['arrivalDate'])+" UTC\r\n"
text = text + "Attachment-Password: "******"\r\n"
if 'urlList' in item:
for uri in item['urlList']:
o = urlparse.urlparse(uri)
urlReport=True
if o.hostname is not None:
for domain in wldomain:
if o.hostname[-len(domain):]==domain:
urlReport=False
if urlReport==True:
text = text + "Reported-Uri: "+str(uri)+"\r\n"
msgreport.set_payload(text)
msg.attach(msgreport)
#msgrfc822 = MIMEBase('message', "rfc822")
msgrfc822 = MIMEBase('text', "rfc822-headers")
msgrfc822.add_header('Content-Disposition','inline')
parts=re.split(r'\r\n\r\n|\n\n',item['content'])
rfc822headers=parts[0]
#msgrfc822.set_payload(item['content'])
msgrfc822.set_payload(rfc822headers)
msg.attach(msgrfc822)
#prepare the zip encrypted
temp=tempfile.NamedTemporaryFile(prefix='mail',suffix='.eml',delete=False)
tempname=temp.name
temp.write(item['content'])
temp.flush()
ziptemp = tempfile.NamedTemporaryFile(prefix='mail',suffix='.zip',delete=True)
ziptempname=ziptemp.name
ziptemp.close()
workdir = os.path.dirname(ziptempname)
filenamezip = os.path.basename(ziptempname)
filenameemail = os.path.basename(tempname)
os.chdir(workdir)
option = '-P%s' % arfPassword
rc = subprocess.call(['zip', option] + [filenamezip, filenameemail])
temp.close()
ziptemp = open(ziptempname,"r")
msgzip = MIMEBase('application', "zip")
msgzip.set_payload(ziptemp.read())
encoders.encode_base64(msgzip)
msgzip.add_header('Content-Disposition', 'attachment', filename=filenamezip)
ziptemp.close()
msg.attach(msgzip)
#delete created files
os.remove(ziptempname)
os.remove(tempname)
#print "******************\r\n"
#print msg.as_string()
#print "******************\r\n"
s = smtplib.SMTP(mailSmtp)
# send to IP owners first
if msg["To"] != "":
toList = msg["To"].split(",")
s.sendmail(msg["From"], toList, msg.as_string())
# send a copy
reportEmail=reportEmailCc
if spam:
reportEmail=reportEmailSpamCc
if reportEmail != "":
toList = reportEmail.split(",")
for emailAddress in toList:
if msg.has_key("To"):
msg.replace_header("To",str(emailAddress))
else:
msg["To"]=str(emailAddress)
s.sendmail(msg["From"], emailAddress, msg.as_string())
s.quit()
