Spaces:
Sleeping
Sleeping
Update analyze_email_main.py
Browse files- analyze_email_main.py +20 -8
analyze_email_main.py
CHANGED
|
@@ -3,13 +3,27 @@ from parse_email import parse_email
|
|
| 3 |
from header_analyzer import analyze_headers
|
| 4 |
from body_analyzer import analyze_body
|
| 5 |
from url_analyzer import analyze_urls
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 6 |
|
| 7 |
def analyze(file_path):
|
| 8 |
# parse
|
| 9 |
headers, subject, body, urls, images = parse_email(file_path)
|
| 10 |
|
| 11 |
# header analysis
|
| 12 |
-
header_findings, header_score = analyze_headers(headers or {})
|
| 13 |
|
| 14 |
# url analysis (keeps previous checks like Safe Browsing / URLHaus)
|
| 15 |
url_findings, url_score = analyze_urls(urls or [])
|
|
@@ -20,10 +34,8 @@ def analyze(file_path):
|
|
| 20 |
# combine scores
|
| 21 |
total_score = 0
|
| 22 |
total_score += (header_score or 0)
|
| 23 |
-
# weight body
|
| 24 |
-
total_score += (
|
| 25 |
-
# weight urls also (url analyzer already returns a score)
|
| 26 |
-
total_score += (url_score or 0) * 1.2
|
| 27 |
|
| 28 |
# clamp
|
| 29 |
try:
|
|
@@ -33,7 +45,7 @@ def analyze(file_path):
|
|
| 33 |
total_score = max(0.0, min(total_score, 100.0))
|
| 34 |
total_score_rounded = round(total_score)
|
| 35 |
|
| 36 |
-
# final verdict
|
| 37 |
if total_score >= 70:
|
| 38 |
verdict = "π¨ Malicious"
|
| 39 |
elif 50 <= total_score < 70:
|
|
@@ -43,7 +55,7 @@ def analyze(file_path):
|
|
| 43 |
else:
|
| 44 |
verdict = "β
Safe"
|
| 45 |
|
| 46 |
-
# attack type heuristics
|
| 47 |
attack_type = "General Phishing"
|
| 48 |
combined_text_lower = ((subject or "") + "\n" + (body or "")).lower()
|
| 49 |
if any(k in combined_text_lower for k in ["invoice", "payment", "wire transfer", "bank details"]):
|
|
@@ -86,13 +98,13 @@ def analyze(file_path):
|
|
| 86 |
"Body Findings": body_findings or [],
|
| 87 |
"URL Findings": url_findings or [],
|
| 88 |
"Highlighted Body": highlighted_body or "",
|
|
|
|
| 89 |
}
|
| 90 |
|
| 91 |
return summary, details
|
| 92 |
|
| 93 |
|
| 94 |
if __name__ == "__main__":
|
| 95 |
-
# quick local test (if you want)
|
| 96 |
fp = "sample.eml"
|
| 97 |
s, d = analyze(fp)
|
| 98 |
print("SUMMARY:", s)
|
|
|
|
| 3 |
from header_analyzer import analyze_headers
|
| 4 |
from body_analyzer import analyze_body
|
| 5 |
from url_analyzer import analyze_urls
|
| 6 |
+
import re
|
| 7 |
+
|
| 8 |
+
def parse_auth_results(auth_results: str):
|
| 9 |
+
"""Extract SPF, DKIM, and DMARC values from Authentication-Results header."""
|
| 10 |
+
results = {"spf": "unknown", "dkim": "unknown", "dmarc": "unknown"}
|
| 11 |
+
if not auth_results:
|
| 12 |
+
return results
|
| 13 |
+
auth_results = auth_results.lower()
|
| 14 |
+
for key in results.keys():
|
| 15 |
+
m = re.search(rf"{key}=([\w-]+)", auth_results)
|
| 16 |
+
if m:
|
| 17 |
+
results[key] = m.group(1)
|
| 18 |
+
return results
|
| 19 |
+
|
| 20 |
|
| 21 |
def analyze(file_path):
|
| 22 |
# parse
|
| 23 |
headers, subject, body, urls, images = parse_email(file_path)
|
| 24 |
|
| 25 |
# header analysis
|
| 26 |
+
header_findings, header_score, auth_summary = analyze_headers(headers or {})
|
| 27 |
|
| 28 |
# url analysis (keeps previous checks like Safe Browsing / URLHaus)
|
| 29 |
url_findings, url_score = analyze_urls(urls or [])
|
|
|
|
| 34 |
# combine scores
|
| 35 |
total_score = 0
|
| 36 |
total_score += (header_score or 0)
|
| 37 |
+
total_score += (body_score or 0) * 1.0 # weight body normally
|
| 38 |
+
total_score += (url_score or 0) * 1.2 # URLs a bit heavier
|
|
|
|
|
|
|
| 39 |
|
| 40 |
# clamp
|
| 41 |
try:
|
|
|
|
| 45 |
total_score = max(0.0, min(total_score, 100.0))
|
| 46 |
total_score_rounded = round(total_score)
|
| 47 |
|
| 48 |
+
# final verdict
|
| 49 |
if total_score >= 70:
|
| 50 |
verdict = "π¨ Malicious"
|
| 51 |
elif 50 <= total_score < 70:
|
|
|
|
| 55 |
else:
|
| 56 |
verdict = "β
Safe"
|
| 57 |
|
| 58 |
+
# attack type heuristics
|
| 59 |
attack_type = "General Phishing"
|
| 60 |
combined_text_lower = ((subject or "") + "\n" + (body or "")).lower()
|
| 61 |
if any(k in combined_text_lower for k in ["invoice", "payment", "wire transfer", "bank details"]):
|
|
|
|
| 98 |
"Body Findings": body_findings or [],
|
| 99 |
"URL Findings": url_findings or [],
|
| 100 |
"Highlighted Body": highlighted_body or "",
|
| 101 |
+
"Auth Results": auth_summary or {}, # <-- NEW: show SPF, DKIM, DMARC results
|
| 102 |
}
|
| 103 |
|
| 104 |
return summary, details
|
| 105 |
|
| 106 |
|
| 107 |
if __name__ == "__main__":
|
|
|
|
| 108 |
fp = "sample.eml"
|
| 109 |
s, d = analyze(fp)
|
| 110 |
print("SUMMARY:", s)
|