Update header_analyzer.py
Browse files- header_analyzer.py +36 -9
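--- a/header_analyzer.py
+++ b/header_analyzer.py
@@ -1,19 +1,46 @@
+import re
+
 def analyze_headers(headers):
 findings = []
+score = 0
 
-#
-auth_results = headers.get("Authentication-Results", "")
-if "
-findings.append("Header: SPF check failed")
-if "dkim=fail" in auth_results:
+# --- 1. SPF / DKIM / DMARC checks ---
+auth_results = headers.get("Authentication-Results", "")
+if "dkim=fail" in auth_results.lower() or "dkim=permerror" in auth_results.lower():
 findings.append("Header: DKIM check failed")
-
+score += 25
+if "spf=fail" in auth_results.lower():
+findings.append("Header: SPF check failed")
+score += 25
+if "dmarc=fail" in auth_results.lower():
 findings.append("Header: DMARC check failed")
+score += 25
 
-#
+# --- 2. From / Reply-To mismatch ---
 from_addr = headers.get("From", "")
 reply_to = headers.get("Reply-To", "")
 if reply_to and reply_to not in from_addr:
-findings.append(f"Header:
+findings.append(f"Header: Reply-To mismatch (From: {from_addr}, Reply-To: {reply_to})")
+score += 20
+
+# --- 3. Suspicious sender domain ---
+sender = headers.get("From", "")
+match = re.search(r'@([a-zA-Z0-9.-]+)', sender)
+if match:
+domain = match.group(1).lower()
+if any(free in domain for free in ["gmail.com", "yahoo.com", "outlook.com"]):
+findings.append(f"Header: Free email provider used ({domain})")
+score += 10
+if len(domain.split(".")) > 3 or any(char.isdigit() for char in domain.split(".")[0]):
+findings.append(f"Header: Suspicious-looking domain ({domain})")
+score += 15
+
+# --- 4. Unusual 'To' or 'BCC' patterns ---
+if "bcc" in headers:
+findings.append("Header: Email sent with BCC (common in mass phishing)")
+score += 15
+
+if not findings:
+return ["No suspicious issues found in headers."], 0
 
-return findings
+return findings, score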
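Review bot: The sender-domain check in section 3 takes the first `@` anywhere in the raw From header, so when the display name itself contains an address (constructed example: `"billing@corp.example" <x@other.example>`) the display text is scored instead of the real mailbox; the `free in domain` test is also a substring match, so `gmail.com.other.example` is reported as a free provider. Parse the address first and compare on a label boundary, e.g. `domain = email.utils.parseaddr(sender)[1].rpartition("@")[2].lower()` and `if any(domain == free or domain.endswith("." + free) for free in ["gmail.com", "yahoo.com", "outlook.com"]):`. Section 1 scores whatever Authentication-Results value `headers.get` returns, and a message with no such header adds nothing to the score; I would add a comment such as `# NOTE: only count Authentication-Results stamped by our own receiving server; a sender can add this header too`. The function now returns a `(findings, score)` tuple instead of a list, so callers outside this file need the matching change.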