import re
from email.utils import parseaddr
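def analyze_headers(headers):
    """Score an e-mail's headers for common phishing indicators.

    Args:
        headers: mapping of header name to header value (a plain ``dict`` or an
            ``email.message.Message`` both work). Values are read with
            ``headers.get`` using the canonical names ``"Authentication-Results"``,
            ``"From"`` and ``"Reply-To"``; the BCC check scans the key names
            case-insensitively.

    Returns:
        A ``(findings, score)`` tuple. ``findings`` is a list of human-readable
        strings prefixed with ``"Header: "`` and ``score`` is the sum of the
        points attached to each finding. When nothing is flagged the list holds
        the single message ``"No suspicious issues found in headers."`` and the
        score is ``0``.
    """
    findings = []
    score = 0

    # --- 1. SPF / DKIM / DMARC checks ---
    # NOTE(review): an Authentication-Results header is only meaningful when it
    # was added by the receiving MTA (check its authserv-id upstream); a sender
    # can include a forged one, and a missing header earns no points here. Only
    # explicit failure verdicts are scored. Lower-case once instead of per test.
    auth_results = headers.get("Authentication-Results", "").lower()
    if "dkim=fail" in auth_results or "dkim=permerror" in auth_results:
        findings.append("Header: DKIM check failed")
        score += 25
    if "spf=fail" in auth_results:
        findings.append("Header: SPF check failed")
        score += 25
    if "dmarc=fail" in auth_results:
        findings.append("Header: DMARC check failed")
        score += 25

    # --- 2. From / Reply-To mismatch ---
    from_addr = headers.get("From", "")
    reply_to = headers.get("Reply-To", "")
    # Compare the bare mailboxes rather than the raw header text, so a
    # differing display name ("Bob <bob@x>" vs "<bob@x>") is not a mismatch
    # while a genuinely different Reply-To address still is. If parsing yields
    # nothing usable, fall back to the raw (lower-cased) string.
    from_mailbox = parseaddr(from_addr)[1].lower() or from_addr.lower()
    reply_mailbox = parseaddr(reply_to)[1].lower() or reply_to.lower()
    if reply_mailbox and reply_mailbox != from_mailbox:
        findings.append(f"Header: Reply-To mismatch (From: {from_addr}, Reply-To: {reply_to})")
        score += 20

    # --- 3. Suspicious sender domain ---
    match = re.search(r'@([a-zA-Z0-9.-]+)', from_addr)
    if match:
        domain = match.group(1).lower()
        free_providers = ("gmail.com", "yahoo.com", "outlook.com")
        # Suffix match instead of substring, so "gmail.com.evil.example" or
        # "notgmail.com" is not reported as a free-provider address.
        if any(domain == free or domain.endswith("." + free) for free in free_providers):
            findings.append(f"Header: Free email provider used ({domain})")
            score += 10
        labels = domain.split(".")
        # Heuristic: many labels, or digits in the leftmost label, look suspicious.
        if len(labels) > 3 or any(ch.isdigit() for ch in labels[0]):
            findings.append(f"Header: Suspicious-looking domain ({domain})")
            score += 15

    # --- 4. Unusual 'To' or 'BCC' patterns ---
    # Header names are case-insensitive; with a dict keyed "Bcc" (matching the
    # capitalised names used above) a lowercase-only lookup would never fire.
    if any(str(name).lower() == "bcc" for name in headers):
        findings.append("Header: Email sent with BCC (common in mass phishing)")
        score += 15

    if not findings:
        return ["No suspicious issues found in headers."], 0
    return findings, score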