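def rule19(HEADER: dict[str, list[str]]) -> tuple[str, int]:
    """Flag a message whose From domain matches Return-Path but not the last Received hop.

    The rule fires only when all of the following hold:

    * ``DMARC_existence(HEADER) == 0`` (no DMARC result found),
    * ``received-spf``, ``from``, ``received`` and ``return-path`` all exist
      according to ``HKEY_existence``,
    * ``reg_domain2`` extracts a domain from each of From, the last
      ``received`` entry and Return-Path,
    * the From domain is *not* a substring of the Received domain but *is* a
      substring of the Return-Path domain, and
    * the first ``received-spf`` value starts with ``pass``.

    Domains are compared with substring containment (``in``), so a look-alike
    domain that merely contains the legitimate one also satisfies the test.

    Args:
        HEADER: mapping of lower-cased header names to lists of header values.

    Returns:
        ``(res, score)``: the verdict text and ``3`` when the rule fires,
        otherwise ``('', 0)``.  Any error while extracting domains (missing
        key, empty value list, non-string value) is treated as a non-match.
    """
    miss = ('', 0)
    if DMARC_existence(HEADER) != 0:
        return miss
    for key in ('received-spf', 'from', 'received', 'return-path'):
        if HKEY_existence(HEADER, key) != 1:
            return miss
    try:
        from_dom = reg_domain2.findall(HEADER['from'][0])
        # NOTE(review): assumes the last 'received' entry is the originating
        # hop (the one the sender controls) — confirm against the parser that
        # builds HEADER.
        rcvd_dom = reg_domain2.findall(HEADER['received'][-1])
        rp_dom = reg_domain2.findall(HEADER['return-path'][0])
        # NOTE(review): Received-SPF is trusted as found; it is only
        # meaningful if it was added by a trusted MTA rather than supplied
        # with the message.
        spf_pass = HEADER['received-spf'][0].startswith('pass')
    except Exception:
        # Narrowed from a bare ``except`` so KeyboardInterrupt/SystemExit
        # propagate; malformed values are still a non-match, not an error.
        return miss
    if not (from_dom and rcvd_dom and rp_dom):
        return miss
    if from_dom[0] not in rcvd_dom[0] and from_dom[0] in rp_dom[0] and spf_pass:
        return ('sender domain matches with return-path but not with originator, and SPF is passed'
                '----> Likely malicious', 3)
    return miss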
def rule18(HEADER: dict[str, list[str]]) -> tuple[str, int]:
    """Flag a message that carries neither a Received-SPF header nor a DMARC result.

    ``DMARC_existence`` is consulted only when ``received-spf`` is absent,
    mirroring the original evaluation order.

    Args:
        HEADER: mapping of lower-cased header names to lists of header values.

    Returns:
        ``(res, score)``: the verdict text and ``3`` when both are missing,
        otherwise ``('', 0)``.
    """
    spf_missing = HKEY_existence(HEADER, 'received-spf') == 0
    if spf_missing and DMARC_existence(HEADER) == 0:
        return ('SPF and DMARC are missed'
                '----> Likely malicious', 3)
    return '', 0
def rule17(HEADER: dict[str, list[str]]) -> tuple[str, int]:
    """Flag a message whose Received-SPF says ``pass`` while no DMARC result is present.

    Checks are applied as guard clauses in the same order as before: the
    ``received-spf`` header must exist, its first value must start with
    ``pass``, and ``DMARC_existence`` must report ``0``.

    Args:
        HEADER: mapping of lower-cased header names to lists of header values.

    Returns:
        ``(res, score)``: the verdict text and ``3`` when the rule fires,
        otherwise ``('', 0)``.
    """
    if HKEY_existence(HEADER, 'received-spf') != 1:
        return '', 0
    first_spf = HEADER['received-spf'][0]
    if not first_spf.startswith('pass'):
        return '', 0
    if DMARC_existence(HEADER) != 0:
        return '', 0
    return ('SPF is passed but DMARC is missed'
            '----> Likely malicious', 3)
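def rule22(HEADER: dict[str, list[str]]) -> tuple[str, int]:
    """Flag a From domain that matches the last Received hop but differs from Return-Path and Delivered-To.

    Preconditions: ``DMARC_existence(HEADER) == 0`` and ``from``,
    ``received``, ``return-path`` and ``delivered-to`` all exist.  Domains
    are extracted with ``reg_domain2``; the From domain must be a substring
    of the last ``received`` entry's domain and must differ (exact
    comparison) from both the Return-Path and Delivered-To domains.  The
    verdict then depends on ``received-spf``: missing, or present and
    starting with ``pass``, both score 3; present but not ``pass`` is a
    non-match.

    NOTE(review): the verdict text says the sender "matches ... delivered-to",
    but the condition requires the domains to be *different*; the wording is
    kept as-is because callers may match on it.

    Args:
        HEADER: mapping of lower-cased header names to lists of header values.

    Returns:
        ``(res, score)``: the verdict text and ``3`` when the rule fires,
        otherwise ``('', 0)``.  Extraction errors (missing key, empty value
        list, no regex match) are treated as a non-match.
    """
    miss = ('', 0)
    if DMARC_existence(HEADER) != 0:
        return miss
    for key in ('from', 'received', 'return-path', 'delivered-to'):
        if HKEY_existence(HEADER, key) != 1:
            return miss
    try:
        from_dom = reg_domain2.findall(HEADER['from'][0])
        # NOTE(review): assumes the last 'received' entry is the originating
        # hop — confirm against the parser that builds HEADER.
        rcvd_dom = reg_domain2.findall(HEADER['received'][-1])
        rp_dom = reg_domain2.findall(HEADER['return-path'][0])
        dlvrdto_dom = reg_domain2.findall(HEADER['delivered-to'][0])
        # Explicit emptiness check instead of relying on IndexError.
        if not (from_dom and rcvd_dom and rp_dom and dlvrdto_dom):
            return miss
        if not (from_dom[0] in rcvd_dom[0]
                and from_dom[0] != rp_dom[0]
                and from_dom[0] != dlvrdto_dom[0]):
            return miss
        spf_state = HKEY_existence(HEADER, 'received-spf')
        if spf_state == 0:
            return ('sender domain matches with originator and delivered-to but sender and return-path are not matched, and SPF is missed'
                    '----> Likely malicious', 3)
        # NOTE(review): Received-SPF is trusted as found; only meaningful if
        # added by a trusted MTA.
        if spf_state == 1 and HEADER['received-spf'][0].startswith('pass'):
            return ('sender domain matches with originator and delivered-to but sender and return-path are not matched, and SPF is pass'
                    '----> Likely malicious', 3)
        return miss
    except Exception:
        # Narrowed from a bare ``except``; a malformed header is a non-match.
        return miss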
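def rule21(HEADER: dict[str, list[str]]) -> tuple[str, int]:
    """Flag a message whose From, Return-Path and last Received domains all disagree.

    Preconditions: ``DMARC_existence(HEADER) == 0`` and ``from``,
    ``received`` and ``return-path`` all exist.  With domains extracted by
    ``reg_domain2``, the rule requires the From domain to be absent from the
    last ``received`` entry's domain, the From and Return-Path domains to
    differ, and the Return-Path domain to be absent from the Received domain.
    The verdict then depends on ``received-spf``: missing, or present and
    starting with ``pass``, both score 2; present but not ``pass`` is a
    non-match.

    NOTE(review): the verdict text says "originator domain matches with
    return-path", but the condition requires Return-Path *not* to be in the
    Received domain; wording kept unchanged because callers may match on it.

    Args:
        HEADER: mapping of lower-cased header names to lists of header values.

    Returns:
        ``(res, score)``: the verdict text and ``2`` when the rule fires,
        otherwise ``('', 0)``.  Extraction errors are treated as a non-match.
    """
    miss = ('', 0)
    if DMARC_existence(HEADER) != 0:
        return miss
    for key in ('from', 'received', 'return-path'):
        if HKEY_existence(HEADER, key) != 1:
            return miss
    try:
        from_dom = reg_domain2.findall(HEADER['from'][0])
        # NOTE(review): assumes the last 'received' entry is the originating
        # hop — confirm against the parser that builds HEADER.
        rcvd_dom = reg_domain2.findall(HEADER['received'][-1])
        rp_dom = reg_domain2.findall(HEADER['return-path'][0])
        # Explicit emptiness check instead of relying on IndexError.
        if not (from_dom and rcvd_dom and rp_dom):
            return miss
        if not (from_dom[0] not in rcvd_dom[0]
                and from_dom[0] != rp_dom[0]
                and rp_dom[0] not in rcvd_dom[0]):
            return miss
        spf_state = HKEY_existence(HEADER, 'received-spf')
        if spf_state == 0:
            return ('originator domain matches with return-path but not with sender, and SPF is missed'
                    '----> Highly likely malicious', 2)
        # NOTE(review): Received-SPF is trusted as found; only meaningful if
        # added by a trusted MTA.
        if spf_state == 1 and HEADER['received-spf'][0].startswith('pass'):
            return ('originator domain matches with return-path but not with sender, and SPF is pass'
                    '----> Highly likely malicious', 2)
        return miss
    except Exception:
        # Narrowed from a bare ``except``; a malformed header is a non-match.
        return miss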
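def _domain_contained(hdr: dict[str, list[str]], inner_key: str, outer_key: str) -> int:
    """Return 1 if the ``reg_domain`` match of ``hdr[inner_key]`` is a substring of that of ``hdr[outer_key]``.

    Any failure (missing key, empty value list, no regex match) yields 0.
    Substring containment means a look-alike domain containing the other
    also counts as a match.
    """
    try:
        inner = reg_domain.findall(hdr[inner_key][0])[0]
        outer = reg_domain.findall(hdr[outer_key][0])[0]
    except Exception:
        return 0
    return 1 if inner in outer else 0


def _header_feature_row(hdr: dict[str, list[str]], class_type, SUB_Classifier) -> list:
    """Build one fixed-order feature row for a parsed header dict.

    Column order (must stay stable — the model is trained on it):
    date field, received count, dkim-signature, arc-message-signature,
    authentication-results, any authentication header, x-original-sender,
    to, received, message-id, return-path, reply-to, in-reply-to,
    from⊂message-id domain, return-path⊂message-id domain,
    from⊂reply-to domain, subject score, SPF pass, DMARC exist,
    DMARC fail/none, unknown host, class label.

    NOTE(review): the presence flags and SPF/DMARC features take the
    headers as found; they say nothing about whether a trusted MTA added
    them, so a message carrying its own ``authentication-results`` or
    ``received-spf`` lines is scored as if they were genuine.
    """
    hdr_key = list(hdr.keys())
    row = []

    # Integer at whitespace position 5 of the first Date value.  NOTE(review):
    # with a leading weekday ("Mon, 1 Jan 2020 10:00:00 +0000") this is the
    # UTC offset; without it the index is out of range — confirm which field
    # the model expects.  2500 is the sentinel for unparseable/missing.
    try:
        row.append(int(hdr['date'][0].split()[5]))
    except Exception:
        row.append(2500)

    # Number of Received hops (0 when the header is absent).
    try:
        row.append(len(hdr['received']))
    except Exception:
        row.append(0)

    # Presence flags, in the original column order.
    for key in ('dkim-signature', 'arc-message-signature', 'authentication-results'):
        row.append(1 if key in hdr_key else 0)
    # Any header listed in the module-level authentication_HKEYS.
    row.append(1 if len(intersection(hdr_key, authentication_HKEYS)) > 0 else 0)
    for key in ('x-original-sender', 'to', 'received', 'message-id',
                'return-path', 'reply-to', 'in-reply-to'):
        row.append(1 if key in hdr_key else 0)

    # Partial (substring) domain agreement between header pairs.
    row.append(_domain_contained(hdr, 'from', 'message-id'))
    row.append(_domain_contained(hdr, 'return-path', 'message-id'))
    row.append(_domain_contained(hdr, 'from', 'reply-to'))

    # Subject classifier probability; 0.5 (uninformative) when it cannot run.
    try:
        row.append(SUB_Classifier.predict_proba(np.array([hdr['subject'][0]]))[0][0])
    except Exception:
        row.append(0.5)

    # SPF: 1 only when received-spf exists and its first value starts with 'pass'.
    spf_pass = 0
    if HKEY_existence(hdr, 'received-spf') == 1 and hdr['received-spf'][0].startswith('pass'):
        spf_pass = 1
    row.append(spf_pass)

    # DMARC existence is encoded 1 / -1 (not 1 / 0) — preserved for the model.
    dmarc_present = DMARC_existence(hdr) == 1
    row.append(1 if dmarc_present else -1)

    # DMARC fail: 'dmarc=fail' or 'dmarc=none' anywhere in authentication-results.
    dmarc_fail = 0
    if dmarc_present:
        auth_results = " ".join(hdr['authentication-results'])
        if 'dmarc=fail' in auth_results or 'dmarc=none' in auth_results:
            dmarc_fail = 1
    row.append(dmarc_fail)

    # 'unknown' host name in the last Received entry (assumed originating hop).
    unknown_host = 0
    if 'received' in hdr_key and 'unknown' in hdr['received'][-1]:
        unknown_host = 1
    row.append(unknown_host)

    row.append(class_type)
    return row


def func_Create_dataset_list(Header_Dictlist, class_type, WEIRD_KEYS, SUB_Classifier) -> list[list]:
    """Convert one or more parsed header dicts into feature rows for training/scoring.

    Args:
        Header_Dictlist: a list of header dicts (lower-cased header name ->
            list of values), or a single such dict, which is wrapped in a list.
        class_type: label appended as the last column of every row.
        WEIRD_KEYS: accepted for interface compatibility; not used here.
        SUB_Classifier: object with ``predict_proba`` used for the subject score.

    Returns:
        A list with one feature row (see ``_header_feature_row``) per header dict.
    """
    if not isinstance(Header_Dictlist, list):
        Header_Dictlist = [Header_Dictlist]
    return [_header_feature_row(hdr, class_type, SUB_Classifier) for hdr in Header_Dictlist]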