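def rule8_3(HEADER):
    """Compare the Date header against the earliest Received hop that carries a parseable timestamp.

    Args:
        HEADER: parsed header map, header name -> list of raw values (the
            shape the other rules in this file index into; confirm against
            the parser).

    Returns:
        ``(res, score)``: the finding text and score 2 when the Received
        timestamp lies before the Date timestamp, otherwise ``('', 0)``.
        Any extraction or parse failure also yields ``('', 0)``.
    """
    res = ''
    score = 0
    if (HKEY_existence(HEADER, 'date') != 1
            or HKEY_existence(HEADER, 'received') != 1):
        return res, score
    try:
        send_date = func_tolocaltime(
            reg_datetime.findall(HEADER['date'][0])[0])
        # Each relay prepends its own Received line, so the last list entry
        # is the hop nearest the sender. Walk backwards and keep the first
        # hop whose timestamp parses. Hops below the receiving MTA's own
        # line are sender-supplied and may be forged.
        delta = None
        for received in reversed(HEADER['received']):
            try:
                rec_date = func_tolocaltime(
                    reg_datetime.findall(received)[0])
                delta = rec_date - send_date
            except Exception:
                # Unparseable hop: try the next one.
                continue
            break
        # `delta` is initialised so the "no hop parsed" case is explicit
        # (previously the variable was unbound and the NameError was
        # swallowed by a bare except).
        if delta is not None and delta.total_seconds() < 0:
            # NOTE(review): the wording reads inverted relative to the
            # condition (a negative delta means the Received stamp precedes
            # the Date); the text is kept verbatim for downstream consumers.
            res = 'Sent time is before Received time!' \
                '----> Highly likely malicious'
            score = 2
    except Exception:
        # Best-effort rule: any failure in date extraction is not a finding.
        # Narrowed from a bare `except:` so interrupts are not swallowed.
        res = ''
        score = 0
    return res, score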
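def rule19(HEADER):
    """Flag a From domain that matches Return-Path but not the earliest Received hop while SPF reports pass.

    Evaluated only when DMARC is absent and the from / received /
    return-path / received-spf headers are all present.

    Args:
        HEADER: parsed header map, header name -> list of raw values.

    Returns:
        ``(res, score)`` with score 3 on a hit, otherwise ``('', 0)``.
        Any extraction failure also yields ``('', 0)``.
    """
    res = ''
    score = 0
    preconditions = (
        DMARC_existence(HEADER) == 0
        and HKEY_existence(HEADER, 'received-spf') == 1
        and HKEY_existence(HEADER, 'from') == 1
        and HKEY_existence(HEADER, 'received') == 1
        and HKEY_existence(HEADER, 'return-path') == 1
    )
    if not preconditions:
        return res, score
    try:
        from_dom = reg_domain2.findall(HEADER['from'][0])
        # Last Received entry = hop nearest the sender (sender-supplied,
        # so forgeable); SPF is required below to corroborate it.
        rcvd_dom = reg_domain2.findall(HEADER['received'][-1])
        rp_dom = reg_domain2.findall(HEADER['return-path'][0])
        if from_dom and rcvd_dom and rp_dom:
            # NOTE: `in` is a substring test, so a lookalike domain that
            # merely contains the From domain also satisfies it; the first
            # Received-SPF entry is taken as the receiving MTA's verdict.
            if (from_dom[0] not in rcvd_dom[0]
                    and from_dom[0] in rp_dom[0]
                    and HEADER['received-spf'][0].startswith('pass')):
                res = 'sender domain matches with return-path but not with originator, and SPF is passed' \
                    '----> Likely malicious'
                score = 3
    except Exception:
        # Best-effort rule; narrowed from a bare `except:`.
        res = ''
        score = 0
    return res, score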
def rule4(HEADER):
    """Require a Message-ID header.

    Returns ``('', 0)`` when present, otherwise the finding text with
    score 1.
    """
    if HKEY_existence(HEADER, 'message-id') == 1:
        return '', 0
    finding = ('message-id does not exist!'
               '----> Definitely malicious')
    return finding, 1
def rule13(HEADER):
    """Require at least one Received header.

    Returns ``('', 0)`` when present, otherwise the finding text with
    score 2.
    """
    present = HKEY_existence(HEADER, 'received') == 1
    if present:
        return '', 0
    return ('Received does not exist!'
            '----> Highly likely malicious'), 2
def rule9(HEADER):
    """Require an X-Mailer header.

    Returns ``('', 0)`` when present, otherwise the finding text with
    score 3.
    """
    if HKEY_existence(HEADER, 'x-mailer') != 1:
        return ('x-mailer does not exist'
                '----> Likely malicious'), 3
    return '', 0
def rule8_2(HEADER):
    """Require a Return-Path header.

    Returns ``('', 0)`` when present, otherwise the finding text with
    score 2.
    """
    missing = HKEY_existence(HEADER, 'return-path') != 1
    if not missing:
        return '', 0
    return ('Return-path does not exist!'
            '----> Highly likely malicious'), 2
# rule 8 : date is empty
def rule8_1(HEADER):
    """Require a To header.

    Returns ``('', 0)`` when present, otherwise the finding text with
    score 1.
    """
    if HKEY_existence(HEADER, 'to') == 1:
        return '', 0
    finding = ('To does not exist!'
               '----> Definitely malicious')
    return finding, 1
def rule8(HEADER):
    """Flag Date / To / Return-Path headers that are present but carry no value.

    The three checks run in order and each hit overwrites the previous
    one, so the last empty header in that order determines the result.

    Returns:
        ``(res, score)`` with score 1 on a hit, otherwise ``('', 0)``.
    """
    checks = (
        ('date', 'DATE has no value!'
                 '----> Definitely malicious'),
        ('to', 'To has no value!'
               '----> Definitely malicious'),
        ('return-path', 'Return-Path has no value!'
                        '----> Definitely malicious'),
    )
    res, score = '', 0
    for key, message in checks:
        if HKEY_existence(HEADER, key) == 1 and not HEADER[key]:
            res, score = message, 1
    return res, score
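def rule21(HEADER):
    """Flag From and Return-Path domains that disagree with each other and with the earliest Received hop.

    Evaluated only when DMARC is absent and from / received / return-path
    are present. Hits score 2 when Received-SPF is missing, or present and
    reporting pass.

    Args:
        HEADER: parsed header map, header name -> list of raw values.

    Returns:
        ``(res, score)``; ``('', 0)`` when no hit or on any extraction
        failure.
    """
    res = ''
    score = 0
    preconditions = (
        DMARC_existence(HEADER) == 0
        and HKEY_existence(HEADER, 'from') == 1
        and HKEY_existence(HEADER, 'received') == 1
        and HKEY_existence(HEADER, 'return-path') == 1
    )
    if not preconditions:
        return res, score
    try:
        from_dom = reg_domain2.findall(HEADER['from'][0])
        # Last Received entry = hop nearest the sender (sender-supplied).
        rcvd_dom = reg_domain2.findall(HEADER['received'][-1])
        rp_dom = reg_domain2.findall(HEADER['return-path'][0])
        # Explicit emptiness guard (mirrors rule19) instead of relying on
        # an IndexError being swallowed.
        if not (from_dom and rcvd_dom and rp_dom):
            return res, score
        # NOTE: `in` is a substring test, so lookalike domains that contain
        # the compared domain also satisfy it.
        mismatched = (
            from_dom[0] not in rcvd_dom[0]
            and from_dom[0] != rp_dom[0]
            and rp_dom[0] not in rcvd_dom[0]
        )
        if mismatched:
            spf_present = HKEY_existence(HEADER, 'received-spf')
            if spf_present == 0:
                res = 'originator domain matches with return-path but not with sender, and SPF is missed' \
                    '----> Highly likely malicious'
                score = 2
            elif (spf_present == 1
                    and HEADER['received-spf'][0].startswith('pass')):
                res = 'originator domain matches with return-path but not with sender, and SPF is pass' \
                    '----> Highly likely malicious'
                score = 2
    except Exception:
        # Best-effort rule; narrowed from a bare `except:`.
        res = ''
        score = 0
    return res, score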
def rule18(HEADER):
    """Flag messages carrying neither a Received-SPF header nor DMARC results.

    Returns ``(res, score)`` with score 3 when both are absent, otherwise
    ``('', 0)``.
    """
    spf_missing = HKEY_existence(HEADER, 'received-spf') == 0
    dmarc_missing = DMARC_existence(HEADER) == 0
    if spf_missing and dmarc_missing:
        return ('SPF and DMARC are missed'
                '----> Likely malicious'), 3
    return '', 0
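def rule11(HEADER):
    """Flag a Subject that matches the module-level ``special_chars`` pattern.

    Args:
        HEADER: parsed header map, header name -> list of raw values.

    Returns:
        ``(res, score)``: score 2 on a match; ``('Subject does not exist!', 0)``
        when the header is absent; ``('', 0)`` otherwise, including when the
        header is present but has no value.
    """
    if HKEY_existence(HEADER, 'subject') != 1:
        return 'Subject does not exist!', 0
    values = HEADER['subject']
    if not values:
        # A present-but-empty header is possible (rule8 checks for it);
        # previously this raised IndexError here.
        return '', 0
    if special_chars.search(values[0]) is None:
        return '', 0
    return ('Subject contains special characters!'
            '----> Highly likely malicious'), 2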
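def rule10(HEADER):
    """Flag an X-Mailer value of five characters or fewer.

    Args:
        HEADER: parsed header map, header name -> list of raw values.

    Returns:
        ``(res, score)``: score 1 when the first X-Mailer value is too
        short; ``('', 0)`` when the header is absent, has no value, or is
        longer than five characters.
    """
    if HKEY_existence(HEADER, 'x-mailer') != 1:
        # alert_HKEY('x-mailer')
        return '', 0
    values = HEADER['x-mailer']
    if not values:
        # Present-but-empty header (see rule8); previously an IndexError.
        return '', 0
    # Length threshold is a heuristic inherited from the original rule.
    if len(values[0]) > 5:
        return '', 0
    return ('X-mailer value is not legit!'
            '----> Definitely malicious'), 1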
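def rule17(HEADER):
    """Flag a passing Received-SPF result with no DMARC evidence.

    Args:
        HEADER: parsed header map, header name -> list of raw values.

    Returns:
        ``(res, score)`` with score 3 on a hit, otherwise ``('', 0)``.
    """
    if HKEY_existence(HEADER, 'received-spf') != 1:
        return '', 0
    values = HEADER['received-spf']
    if not values:
        # Present-but-empty header (see rule8); previously an IndexError.
        return '', 0
    # The first Received-SPF entry is taken as the receiving MTA's verdict;
    # a sender can include a copy of this header, so which entry comes
    # first depends on the parser — confirm against it.
    if not values[0].startswith('pass'):
        return '', 0
    if DMARC_existence(HEADER) != 0:
        return '', 0
    return ('SPF is passed but DMARC is missed'
            '----> Likely malicious'), 3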
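def rule22(HEADER):
    """Flag a From domain matching the earliest Received hop but differing from both Return-Path and Delivered-To.

    Evaluated only when DMARC is absent and from / received / return-path /
    delivered-to are present. Hits score 3 when Received-SPF is missing, or
    present and reporting pass.

    Args:
        HEADER: parsed header map, header name -> list of raw values.

    Returns:
        ``(res, score)``; ``('', 0)`` when no hit or on any extraction
        failure.
    """
    res = ''
    score = 0
    preconditions = (
        DMARC_existence(HEADER) == 0
        and HKEY_existence(HEADER, 'from') == 1
        and HKEY_existence(HEADER, 'received') == 1
        and HKEY_existence(HEADER, 'return-path') == 1
        and HKEY_existence(HEADER, 'delivered-to') == 1
    )
    if not preconditions:
        return res, score
    try:
        from_dom = reg_domain2.findall(HEADER['from'][0])
        # Last Received entry = hop nearest the sender (sender-supplied).
        rcvd_dom = reg_domain2.findall(HEADER['received'][-1])
        rp_dom = reg_domain2.findall(HEADER['return-path'][0])
        dlvrdto_dom = reg_domain2.findall(HEADER['delivered-to'][0])
        # Explicit emptiness guard (mirrors rule19) instead of relying on
        # an IndexError being swallowed.
        if not (from_dom and rcvd_dom and rp_dom and dlvrdto_dom):
            return res, score
        # NOTE: `in` is a substring test, so a lookalike domain that
        # contains the From domain also satisfies it.
        mismatched = (
            from_dom[0] in rcvd_dom[0]
            and from_dom[0] != rp_dom[0]
            and from_dom[0] != dlvrdto_dom[0]
        )
        if mismatched:
            spf_present = HKEY_existence(HEADER, 'received-spf')
            if spf_present == 0:
                res = 'sender domain matches with originator and delivered-to but sender and return-path are not matched, and SPF is missed' \
                    '----> Likely malicious'
                score = 3
            elif (spf_present == 1
                    and HEADER['received-spf'][0].startswith('pass')):
                res = 'sender domain matches with originator and delivered-to but sender and return-path are not matched, and SPF is pass' \
                    '----> Likely malicious'
                score = 3
    except Exception:
        # Best-effort rule; narrowed from a bare `except:`.
        res = ''
        score = 0
    return res, score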