Update header_analyzer.py
Browse files- header_analyzer.py +23 -10
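--- a/header_analyzer.py
+++ b/header_analyzer.py
@@ -16,52 +16,65 @@ BRAND_OFFICIAL = {
 # Suspicious / cheap TLDs often abused
 SUSPICIOUS_TLDS = {"info", "xyz", "top", "click", "work", "loan", "tk"}
 
+
 def get_domain_age_days(domain: str):
 """Return domain age in days (or None if lookup fails)."""
 try:
 w = whois.whois(domain)
 creation_date = w.creation_date
-
+
+# Handle weird formats
+if isinstance(creation_date, list) and creation_date:
 creation_date = creation_date[0]
-if creation_date:
+if isinstance(creation_date, str):
+try:
+creation_date = datetime.fromisoformat(creation_date)
+except Exception:
+creation_date = None
+
+if creation_date and isinstance(creation_date, datetime):
 return (datetime.now() - creation_date).days
-except Exception:
+except Exception as e:
+# Do not crash if WHOIS fails on Hugging Face
+print(f"[WHOIS ERROR] Could not fetch age for {domain}: {e}")
 return None
 return None
 
+
 def parse_auth_results(auth_header: str):
 """
 Parse the Authentication-Results header and return a readable summary.
 """
 auth_header = (auth_header or "").lower()
 findings = []
-
+
 if not auth_header:
 return "No Authentication-Results header found"
-
+
 # SPF
 if "spf=pass" in auth_header:
 findings.append("SPF passed")
 elif "spf=fail" in auth_header:
 findings.append("SPF failed")
-
+
 # DKIM
 if "dkim=pass" in auth_header:
 findings.append("DKIM passed")
 elif "dkim=fail" in auth_header or "dkim=permerror" in auth_header:
 findings.append("DKIM failed")
-
+
 # DMARC
 if "dmarc=pass" in auth_header:
 findings.append("DMARC passed")
 elif "dmarc=fail" in auth_header:
 findings.append("DMARC failed")
-
+
 if not findings:
 return "Authentication results unclear or missing"
-
+
 return ", ".join(findings)
 
+
 def analyze_headers(headers, body=""):
 """
 Input: headers dict, optional body text
@@ -126,7 +139,7 @@ def analyze_headers(headers, body=""):
 findings.append(f"Header: Suspicious/abused TLD used ({tld})")
 score += 20
 
-# Domain age check
+# Domain age check (robust)
 age_days = get_domain_age_days(from_domain)
 if age_days is not None and age_days < 90:
 findings.append(f"Header: Domain {from_domain} is very new ({age_days} days old)")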
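Review bot: A timezone-aware creation date makes `datetime.now() - creation_date` in `get_domain_age_days` raise TypeError, which the new outer `except Exception as e` turns into a printed message and `None`, so the domain-age signal disappears without a finding. `datetime.fromisoformat` returns an aware value whenever the string carries a UTC offset, and the WHOIS library may do the same depending on its version; subtracting with `datetime.now(creation_date.tzinfo)` handles both the naive and the aware case. In `analyze_headers` (its body lies mostly outside the hunks) the test `age_days is not None and age_days < 90` treats a failed lookup the same as an old domain, so consider appending a finding such as `"Header: Domain age could not be determined"` when `None` comes back, rather than letting an unresolvable sender domain pass as established. The printed `{domain}` comes from the message's From header, so logging it as `{domain!r}` would keep control characters out of the log.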