def process_email(key, mail_request):
"""Function processes the email into a dictionary,
which is then passed to the salmonconclude module.
Args:
key (str): Name of the file being processed.
mail_request (MailRequest): Instance of the MailRequest class with eml data.
Returns:
int: Final email rating when the environmental variable SALMON_SETTINGS_MODULE is set.
"""
mail_fields = {
"to": [],
"reply-to": "",
"from": "",
"from_name": "",
"subject": "",
"date": "",
"text": "",
"html": "",
"attachmentFileName": [],
"attachmentFile": [],
"undecodeAttachmentFile": [],
"links": [],
"ssdeep": "",
"len": "",
"s_id": "",
}
p = email.parser.BytesParser()
msg = p.parsebytes(mail_request.Data)
code = None
if get_recipient(msg, mail_fields) == Code.ERROR:
code = Code.UNDELIVERABLE
elif get_sender(msg, mail_fields) == Code.ERROR:
code = Code.UNDELIVERABLE
elif get_email_parts(msg, mail_fields) == Code.ERROR:
code = Code.UNDELIVERABLE
get_reply_to(msg, mail_fields)
get_subject(msg, mail_fields)
get_links(msg, mail_fields)
mail_fields["date"] = datetime.timestamp(datetime.today())
if get_ssdeep(msg, mail_fields) == Code.ERROR:
code = Code.UNDELIVERABLE
elif get_email_id(msg, mail_fields) == Code.ERROR:
code = Code.UNDELIVERABLE
if code == Code.UNDELIVERABLE:
logging.error(
"[-] (salmonmailparser.py) - Some issue in parsing file %s" % key)
move_to_undeliverable(key)
return None
if not "SALMON_SETTINGS_MODULE" in os.environ:
salmonconclude.conclude(mail_fields, key, mail_request)
return mail_fields
def test_rating_100_2(self, f_sender, f_recipient, f_mail_fields_dict):
"""Test email which already in test_emails table in db"""
test_email = TestMail(self.mail_fields1)
push_email_into_db(self.mail_fields1, test_email, [self.recipient1],
self.sender1)
self.mail_fields_dict5 = {
"text": " ".join([self.body_plain1]),
"html": "",
"subject": self.subject1,
"from": self.email1,
"from_name": "",
"to": [(self.email1, self.name1)],
"date": 1587298372.484211,
"attachmentFileName": [],
"links": [],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 100
def test_rating_100_3(self, f_mail_fields_dict):
"""Match against the rule file"""
utils.settings.data["relay"]["use_rule_file"] = True
with open("./testing_rules.json") as json_file:
utils.settings.rules = json.load(json_file)
self.mail_fields_dict5 = {
"text": "example body_plain",
"html": "",
"subject": self.subject1,
"from": self.email1,
"from_name": "",
"to": [(self.email2, "")],
"date": 1587298372.484211,
"attachmentFileName": [],
"links": [],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 100
def test_rating_50(self, f_links, f_settings, f_mail_fields_dict):
"""Test email with link (which is already in db three times)
and username in body_plain"""
push_into_db(self.settings1)
self.f_link4 = Link(self.link2, 3, 60)
push_into_db(self.f_link4)
self.mail_fields_dict5 = {
"text": " ".join([self.body_plain1, self.username1, self.link2]),
"html": "",
"subject": self.subject1,
"from": self.email1,
"from_name": "",
"to": [(self.email2, "")],
"date": 1587322973.484211,
"attachmentFileName": [],
"links": [self.link2],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 50
def test_rating_30(self, f_settings, f_mail_fields_dict):
"""Test email with the username in body_plain, body_plain is very long"""
push_into_db(self.settings1)
self.body_plain5 = (self.generator.paragraph() + "\n" +
self.generator.paragraph())
self.mail_fields_dict5 = {
"text": " ".join([self.body_plain5, self.username1]),
"html": "",
"subject": self.subject1,
"from": self.email1,
"from_name": "",
"to": [(self.email2, "")],
"date": 1587322973.484211,
"attachmentFileName": [],
"links": [],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 30
def test_rating_100_1(self, f_password):
"""Test email with the password in body_plain"""
self.password4 = "changeme"
self.username4 = "changeme"
self.settings4 = Settings(username=self.username4,
password=self.password4)
push_into_db(self.settings4)
mail_request = MailRequest(self.eml_file1, None, None,
self.eml_content(self.eml_file1))
mail_fields = process_email(self.eml_file1, mail_request)
rating = conclude(mail_fields, self.eml_file1, mail_request)
assert rating == 100
def run(files, directory, mtimes):
mail_fields = None
for file_name in files:
mail_request = MailRequest(
file_name, None, None, eml_content(file_name, directory)
)
mail_fields = process_email(file_name, mail_request)
if mail_fields:
mtime = mtimes[file_name]
mail_fields["date"] = mtime
rating = conclude(mail_fields, file_name, mail_request)
if rating >= 70 and RELAYED < 13:
RELAYED += 1
def test_rating_70(self, f_mail_fields_dict):
"""Test email with honeypot IP address in subject"""
self.mail_fields_dict5 = {
"text": " ".join([self.body_plain2]),
"html": "",
"subject": self.ip,
"from": self.email1,
"from_name": "",
"to": [(self.email2, "")],
"date": 1587322973.484211,
"attachmentFileName": [],
"links": [],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 70
def test_rating_55(self, f_settings, f_mail_fields_dict):
"""Test email with the username in body_plain and test time"""
push_into_db(self.settings1)
self.mail_fields_dict5 = {
"text": " ".join([self.body_plain1, self.username1]),
"html": "",
"subject": self.subject1,
"from": self.email1,
"from_name": "",
"to": [(self.email2, "")],
"date": 1587298372.484211,
"attachmentFileName": [],
"links": [],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 55
def test_rating_0(self, f_settings, f_mail_fields_dict):
"""Test email with attachment and word test in subject"""
push_into_db(self.settings1)
self.mail_fields_dict5 = {
"text": " ".join([self.body_plain2]),
"html": "",
"subject": " ".join(["test"]),
"from": self.email1,
"from_name": "",
"to": [(self.email2, "")],
"date": 1587322973.484211,
"attachmentFileName": ["test.doc"],
"links": [],
}
self.mail_fields_dict5["len"] = (
len(self.mail_fields_dict5["html"]) +
len(self.mail_fields_dict5["subject"]) +
len(self.mail_fields_dict5["text"]))
self.mail_fields_dict5["ssdeep"] = get_fuzzy_hash(
self.mail_fields_dict5)
rating = conclude(self.mail_fields_dict5, self.fake_eml_file,
self.fake_mail_request)
assert rating == 0