Skip to content

renisac/csirtg-mail-py

 
 

Repository files navigation

The FASTEST way to parse email.

$ pip install csirtg_mail
$ cat samples/email/single_plain_06.eml| csirtg-mail | jq
[
  {
    "headers": {
      "delivered-to": [
        "[email protected]"
      ],
      "received": [
        "by 10.112.40.50 with SMTP id u18csp916705lbk;\n        Sun, 19 Apr 2015 05:50:04 -0700 (PDT)",
        "from gmail.com ([61.72.137.254])\n        by mx.google.com with SMTP id s93si13575887ioe.52.2015.04.19.05.50.00\n        for <[email protected]>;\n        Sun, 19 Apr 2015 05:50:03 -0700 (PDT)"
      ],
      "x-received": [
        "by 10.42.151.4 with SMTP id c4mr13784232icw.77.1429447803846;\n        Sun, 19 Apr 2015 05:50:03 -0700 (PDT)"
      ],
      "return-path": [
        "<[email protected]>"
      ],
      "received-spf": [
        "softfail (google.com: domain of transitioning [email protected] does not designate 61.72.137.254 as permitted sender) client-ip=61.72.137.254;"
      ],
      "authentication-results": [
        "mx.google.com;\n       spf=softfail (google.com: domain of transitioning [email protected] does not designate 61.72.137.254 as permitted sender) [email protected];\n       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com"
      ],
      "message-id": [
        "<[email protected]>"
      ],
      "date": [
        "Sun, 19 Apr 2015 05:24:33 -0700"
      ],
      "reply-to": [
        "\"HENRY\" <[email protected]>"
      ],
      "from": [
        "\"HENRY\" <[email protected]>"
      ],
      "user-agent": [
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.19) Gecko/20081209 Thunderbird/2.0.0.19"
      ],
      "mime-version": [
        "1.0"
      ],
      "to": [
        "<[email protected]>"
      ],
      "subject": [
        "Boost Social Presence with FB posts likes"
      ],
      "content-type": [
        "text/plain;\n    charset=\"us-ascii\""
      ],
      "content-transfer-encoding": [
        "7bit"
      ]
    },
    "mail_parts": [
      {
        "charset": "us-ascii",
        "content_id": null,
        "description": null,
        "disposition": null,
        "filename": null,
        "is_body": "text/plain",
        "sanitized_filename": null,
        "type": "text/plain",
        "decoded_body": "You may not know me and you are probably wondering why you are getting this e mail, right?\n\nI'm a hacker who cracked your email and devices a few months ago.\n\nDo not try to contact me or find me, it is impossible, since I sent you an email from YOUR hacked account.\n\nI setup a malware on the adult vids (porno) web-site and guess what, you visited this site to have fun (you know what I mean).\n\nWhile you were watching videos, your internet browser started out functioning as a RDP (Remote Control) having a keylogger which gave me accessibility to your screen and web cam.\n\nafter that, my software program obtained all of your contacts from your Phone, Messenger and email.\n\nYou entered a passwords on the websites you visited, and I intercepted it.\n\nOf course you can will change it, or already changed it.\n\nBut it doesn't matter, my malware updated it every time.\n\nWhat did I do?\n\nI backuped phone. All photo, video and contacts.\n\nI created a double-screen video. 1st part shows the video you were watching (you've got a good taste haha . . .), and 2nd part shows the recording of your web cam.\n\nexactly what should you do?\n\nWell, in my opinion, $1000 (USD) is a fair price for our little secret. You'll make the payment by Bitcoin (if you do not know this, search \"how to buy bitcoin\" in Google).\n\nMy Bitcoin wallet Address:\n\n1KhDTLk95fZQBd5tUXj4123459bBAji2DB\n\n(It is cAsE sensitive, so copy and paste it)\n\nImportant:\n\nYou have 48 hour in order to make the payment. (I've a unique pixel in this e mail, and at this moment I know that you have read through this email message).\n\nTo track the reading of a message and the actions in it, I use the facebook pixel.\n\nThanks to them. (Everything that is used for the authorities can help us.)\n\nMore you can find out by the link.\n\n\nIf I do not get the BitCoins, I will certainly send out your video recording to all of your contacts including relatives, coworkers, and so on. Having said that, if I receive the payment, I'll destroy the video immidiately. If you need evidence, reply with \"Yes!\" and I will certainly send out your video recording to your 6 contacts. It is a non-negotiable offer, that being said don't waste my personal time and yours by responding to this message.\n\n\n",
        "base64_encoded_payload": null
      }
    ],
    "urls": [],
    "btcs": [
      "1KhDTLk95fZQBd5tUXj4123459bBAji2DB"
    ],
    "body_email_addresses": []
  }
]
(csirtgmail) wes@thrall csirtg-mail-py % cat samples/email/single_plain_01.eml| csirtg-mail | jq
[
  {
    "headers": {
      "delivered-to": [
        "[email protected]"
      ],
      "received": [
        "by 10.112.40.50 with SMTP id u18csp916705lbk;\n        Sun, 19 Apr 2015 05:50:04 -0700 (PDT)",
        "from gmail.com ([61.72.137.254])\n        by mx.google.com with SMTP id s93si13575887ioe.52.2015.04.19.05.50.00\n        for <[email protected]>;\n        Sun, 19 Apr 2015 05:50:03 -0700 (PDT)"
      ],
      "x-received": [
        "by 10.42.151.4 with SMTP id c4mr13784232icw.77.1429447803846;\n        Sun, 19 Apr 2015 05:50:03 -0700 (PDT)"
      ],
      "return-path": [
        "<[email protected]>"
      ],
      "received-spf": [
        "softfail (google.com: domain of transitioning [email protected] does not designate 61.72.137.254 as permitted sender) client-ip=61.72.137.254;"
      ],
      "authentication-results": [
        "mx.google.com;\n       spf=softfail (google.com: domain of transitioning [email protected] does not designate 61.72.137.254 as permitted sender) [email protected];\n       dmarc=fail (p=NONE dis=NONE) header.from=gmail.com"
      ],
      "message-id": [
        "<[email protected]>"
      ],
      "date": [
        "Sun, 19 Apr 2015 05:24:33 -0700"
      ],
      "reply-to": [
        "\"HENRY\" <[email protected]>"
      ],
      "from": [
        "\"HENRY\" <[email protected]>"
      ],
      "user-agent": [
        "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8.1.19) Gecko/20081209 Thunderbird/2.0.0.19"
      ],
      "mime-version": [
        "1.0"
      ],
      "to": [
        "<[email protected]>"
      ],
      "subject": [
        "Boost Social Presence with FB posts likes"
      ],
      "content-type": [
        "text/plain;\n    charset=\"us-ascii\""
      ],
      "content-transfer-encoding": [
        "7bit"
      ]
    },
    "mail_parts": [
      {
        "charset": "us-ascii",
        "content_id": null,
        "description": null,
        "disposition": null,
        "filename": null,
        "is_body": "text/plain",
        "sanitized_filename": null,
        "type": "text/plain",
        "decoded_body": "Hello,\nBoost your Facebook posts with a massive promotion \nand gain over 10.000 likes in total towards all your posts. \n\nWe can promote up to 20 posts links at a time. \n\nIncrease exposure with guaranteed promotion service.\n\nUse this coupon and get another 10% discount on your purchase\n\n==================\n10% Coupon = EB2CA\n==================\n\nOrder today, cheap and guaranteed service:\nhttp://www.socialservices.cn/detail.php?id=9\n\nRegards\nHENRY\n \n\n\n\n\n\n\nUnsubscribe option is available on the footer of our website\n\n\n\n",
        "base64_encoded_payload": null
      }
    ],
    "urls": [
      "http://www.socialservices.cn/detail.php?id=9"
    ],
    "btcs": [],
    "body_email_addresses": []
  }
]

Getting Help

Need more advanced help? Partner with us!

COPYRIGHT AND LICENSE

Copyright (C) 2021 CSIRT Gadgets

Free use of this software is granted under the terms of the Mozilla Public License (MPLv2).

Packages

No packages published

Languages

  • Python 100.0%