import re
from email.utils import parseaddr

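# Consumer mailbox providers; a match is a weak signal on its own, which is
# why it carries the lowest weight below.
_FREE_PROVIDERS = ("gmail.com", "yahoo.com", "outlook.com")


def _reply_to_differs(from_addr, reply_to):
    """Return True when Reply-To names a different mailbox than From.

    The bare addresses are parsed out of each header and compared
    case-insensitively, so a display-name difference such as
    ``"Bob <bob@example.com>"`` versus ``"bob@example.com"`` is not a
    mismatch. When Reply-To does not parse as an address at all, fall back
    to the raw substring test. Only the first address in each header is
    considered.
    """
    reply_mailbox = parseaddr(reply_to)[1].lower()
    if not reply_mailbox:
        return reply_to not in from_addr
    return reply_mailbox != parseaddr(from_addr)[1].lower()


def analyze_headers(headers):
    """Score an email's headers for common phishing indicators.

    Args:
        headers: Mapping of header name to value (e.g. a ``dict`` or an
            ``email.message.Message``). Named headers are read with
            ``headers.get``; the BCC check scans the keys case-insensitively.

    Returns:
        A ``(findings, score)`` tuple. ``findings`` is a list of
        human-readable strings and ``score`` the uncapped sum of the
        weights of the triggered checks. When nothing is flagged,
        ``findings`` is a one-element placeholder list and ``score`` is 0.
    """
    findings = []
    score = 0

    # --- 1. SPF / DKIM / DMARC checks ---
    # NOTE: Authentication-Results is only meaningful when it was stamped by
    # the receiving MTA (RFC 8601 authserv-id); a sender can include a forged
    # copy, and this function does not verify the authserv-id. Only hard
    # failures are counted; "none", "softfail" and "temperror" are ignored.
    # ``or ""`` guards an explicit None value.
    auth_results = (headers.get("Authentication-Results") or "").lower()
    if "dkim=fail" in auth_results or "dkim=permerror" in auth_results:
        findings.append("Header: DKIM check failed")
        score += 25
    if "spf=fail" in auth_results:
        findings.append("Header: SPF check failed")
        score += 25
    if "dmarc=fail" in auth_results:
        findings.append("Header: DMARC check failed")
        score += 25

    # --- 2. From / Reply-To mismatch ---
    from_addr = headers.get("From") or ""
    reply_to = headers.get("Reply-To") or ""
    if reply_to and _reply_to_differs(from_addr, reply_to):
        findings.append(f"Header: Reply-To mismatch (From: {from_addr}, Reply-To: {reply_to})")
        score += 20

    # --- 3. Suspicious sender domain ---
    # Takes the domain part after the first "@" in the From header; IDN and
    # quoted local parts containing "@" are not handled.
    match = re.search(r'@([a-zA-Z0-9.-]+)', from_addr)
    if match:
        domain = match.group(1).lower()
        # Match the provider domain itself or a subdomain of it, not an
        # arbitrary substring, so "gmail.com.example.net" is not "Gmail".
        if any(domain == free or domain.endswith("." + free) for free in _FREE_PROVIDERS):
            findings.append(f"Header: Free email provider used ({domain})")
            score += 10
        labels = domain.split(".")
        # Heuristic: more than three labels, or a digit in the leftmost
        # label, is treated as look-alike / throwaway infrastructure.
        if len(labels) > 3 or any(char.isdigit() for char in labels[0]):
            findings.append(f"Header: Suspicious-looking domain ({domain})")
            score += 15

    # --- 4. Unusual 'To' or 'BCC' patterns ---
    # Header names are matched case-insensitively so a plain dict keyed
    # "Bcc" is caught as well as an email.message.Message.
    if any(str(name).lower() == "bcc" for name in headers):
        findings.append("Header: Email sent with BCC (common in mass phishing)")
        score += 15

    if not findings:
        return ["No suspicious issues found in headers."], 0

    return findings, score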