Ho realizzato questo script per estrarre dei dati dal corpo di una email, l'ho testato con una email di un truffatore e funzionava, adesso per cuoriosità l'ho provato con una email normale ma non estare l'ip.
questo è il testo del sorgente di una email
Python:
def ipinfo(): #Verifico IP
import webbrowser
new = 2
url = ("https://ipinfo.io/")
term = input("Inserisci Indirizzo IP: ")
webbrowser.open(url+term,new=new)
def IDFalso(): #Genera una falsa identità
print("\n","-----x-----x-----x-----x-----")
print(verde + "Email: ",fake.email())
print("Nome E Cognome: ",fake.name())
print("Indirizzo: ",fake.address())
print("Stato: Italia" + reset)
print("-----x-----x-----x-----x-----")
def mailinfo():
eml = input("Inserisci il percorso del file: ")
f = open(eml, "r")
msg = email.message_from_file(f)
f.close()
headers = email.message_from_string(msg.as_string())
infomail={
"message-id":"",
"spf-record":False,
"dkim-record":False,
"dmarc-record":False,
"spoofed":False,
"ip-address":"",
"sender-client":"",
"spoofed-mail":"",
"dt":"",
"content-type":"",
"subject":""
}
for h in headers.items():
#ID Messaggio
if h[0].lower()=="message-id":
infomail["message-id"]=h[1]
#Server da dove è stata inviata l'email
if h[0].lower()=="received":
infomail["sender-client"]=h[1]
#Autenticazione rilevata dal server di posta
if h[0].lower()=="authentication-results":
if(re.search("spf=pass",h[1])):
infomail["spf-record"]=True;
if(re.search("dkim=pass",h[1])):
infomail["dkim-record"]=True
if(re.search("dmarc=pass",h[1])):
infomail["dmarc-record"]=True
if(re.search("does not designate",h[1])):
infomail["spoofed"]=True
if(re.search(r"\[(\d{1,3}\.){3}\d{1,3}\]", h[1])):
ip=re.search(r"\[(\d{1,3}\.){3}\d{1,3}\]", h[1])
infomail["ip-address"]=str(ip.group())
if h[0].lower()=="reply-to":
infomail["spoofed-mail"]=h[1]
if h[0].lower()=="date":
infomail["dt"]=h[1]
if h[0].lower()=="content-type":
infomail["content-type"]=h[1]
if h[0].lower()=="subject":
infomail["subject"]=h[1]
print("\n=========================Risultato=========================\n")
print("[+] ID Messaggio: "+infomail["message-id"])
if(infomail["spf-record"]):
print("[+] " + verde + "SPF Records: PASS"+ reset)
else:
print("[+] " + rosso + "SPF Records: FAIL" + reset)
if(infomail["dkim-record"]):
print("[+] " + verde + "DKIM: PASS" + reset)
else:
print("[+] " + rosso + "DKIM: FAIL" + reset)
if(infomail["dmarc-record"]):
print("[+] " + verde + "DMARC: PASS" + reset)
else:
print("[+] " + rosso + "DMARC: FAIL" + reset)
if(infomail["spoofed"] and (not infomail["spf-record"]) and (not infomail["dkim-record"]) and (not infomail["dmarc-record"])):
print("[+] " + rosso + "L'E-mail è contraffatta" + reset)
print("[+] " + giallo + "E-mail: " + infomail["spoofed-mail"] + reset)
print("[+] " + giallo + "Indirizzo IP: " + infomail["ip-address"] + reset)
else:
print("[+] " + verde + "L'E-mail è autentica" + reset)
print("[+] " + giallo + "IP-Address: " + infomail["ip-address"] + reset)
print("[+] Provider: " + infomail["sender-client"])
print("[+] Tipo di contenuto: " + infomail["content-type"])
print("[+] Data e Ora: " + infomail["dt"])
print("[+] Oggetto: " + infomail["subject"]+"\n\n")
Codice:
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
X-Account-Key: account1
X-UIDL: GmailId18b94c355a4f4b52
Delivered-To: [email protected]
Received: by 2002:a05:7010:aa7:b0:38d:aa86:9d82 with SMTP id fm39csp974549mdb;
Fri, 3 Nov 2023 03:40:36 -0700 (PDT)
X-Google-Smtp-Source: AGHT+IG22BKBRBzL9UpN6pGg4fHgd3gawnsRdItBLaCNHGTH321Rb7Ypr8PHKXqmlEyNC1V7tkeMfpzOGccYcQ/ojA==
X-Received: by 2002:a05:6830:11d5:b0:6c4:d19b:dabd with SMTP id v21-20020a05683011d500b006c4d19bdabdmr5627099otq.1.1699008036362;
Fri, 03 Nov 2023 03:40:36 -0700 (PDT)
Received: from 127.0.0.1
by atlas-production.v2-mail-prod1-ir2.omega.yahoo.com pod-id atlas--production-ir2-7595f94898-ff8cf.ir2.yahoo.com with HTTP; Fri, 3 Nov 2023 10:38:31 +0000
Return-Path: <[email protected]>
X-Originating-Ip: [40.107.220.89]
Received-SPF: pass (domain of o-i.com designates 40.107.220.89 as permitted sender)
Authentication-Results: atlas-production.v2-mail-prod1-ir2.omega.yahoo.com;
dkim=pass [email protected] header.s=selector1;
spf=pass smtp.mailfrom=o-i.com;
dmarc=pass(p=NONE) header.from=o-i.com;
X-Apparently-To: [email protected]; Fri, 3 Nov 2023 10:38:31 +0000
X-YMailISG: uRdpb7YWLDtieeBSMISfsNjH.CfnO1SoJbCuxi.K2CMFWbfv
M7QQSkgBRW
xXBrXcjJZBbHM8w6tEo1.RAc_OfEUNUl7WyggcDByUZLcwnWsrMH_nYANwNb
0vJSu0FcUcitwclV7ANRv7zwao3BaxgzAUeYi_bog12mMfBANobU_NVljJVk
8urxyePr
Received: from 40.107.220.89 (EHLO NAM11-CO1-obe.outbound.protection.outlook.com)
by 10.200.78.184 with SMTPs
(version=TLS1_2 cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256);
Fri, 03 Nov 2023 10:38:31 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
b=gtRbDFnUHMa6tky94qSQKtMlYsqkZ9a0s6sKT2BAUoa2jOOs+GnRvKyjUzOj+T+Gy20dQcxKrynzjX+t0Ubzd86/q2YJAG0MoHn56tCnIFQweT2wxm5Ivogm6SQqoWUg6socdvr4zoUkFdk3o+xpdTt0qkh/AifoxzfK/lEBXTtZbJEIAonzGH9c0YzNX7YzrsL+XvUR3NB1UVyAINfP7PlbLamaZVjcD0Z17UTWDJZ1g8Ppj5O8jW6yT4JcetCrbmB8cH8VGfIwvSlDLTk/yBe/S7h/x06Wxm9FE66Gfflfufsh+H0Asbohc7ofGIKTOaKA5ROtan99SFT2hO9X3w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
s=arcselector9901;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1;
bh=ImtBHVwguredDHGxFJh3Py79XX5Reo1MYdGBtQGmfrg=;
b=cbAFNuUBsAzW76jRV5LFaFUNYuTbvFgEuFHCEFeoSjs2iBAxoCaSJrqcGll2MQIHjDKJXPW+JO072Ak5mIH0TN49FI+HgXUWXI7KMGZDs8zEMo/EZI3IikGojzzJNbYx5B1XVZLSwss8S2lT0kls619fMBRXu1HMn7NLWwcxzYmkFH6UZjXNL2dQKc0+23VHI7i4VZxWAIwq/iJRtXahxjX453dEpIENLM6mPDgF9iqByQ/lshoiGRE2P9w4JuI89eHj5F/mE1sihAxbWlrGUe7gGDzWh5qt2A0Esvhq3QZloW2ucGqHnl/4xCqsdmlrQtTAVHU+nwVk/cfgRc+yCQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
smtp.mailfrom=o-i.com; dmarc=pass action=none header.from=o-i.com; dkim=pass
header.d=o-i.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=o-i.com; s=selector1;
h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
bh=ImtBHVwguredDHGxFJh3Py79XX5Reo1MYdGBtQGmfrg=;
b=EKJYMPpnWpV9Lkt9H9Y36dnzvuZQm+reE/3XnCrnOdVG4LggBBU5X97yI6APR6QQZKACApIZnFfW0B35Sfqta0hPYFuR+GCgsiyKjSFrt1Pm5E75H4XWr6t04UWRWi0AFlyTmFrtNgJYtWzK1Gq9uPKDIFWjFRpJ+XxgAQZh+uqiOyj+DJ5lfvk2Yigdxt7u9PazlHJuYdPai+J9JoxZ5YJpXL91wfXJmasI3jQ1wQ7RhmIdCdCsrJ7t88xRtWmMPOM4Hmba4qS9BPgp+FQS5wS6HEFTC0q9hSMJrup6OAPAai9K4SVDzoJM8OuXgvVIqvlROWfBfkgnc4zyUCZRog==
Received: from CH0PR07MB9871.namprd07.prod.outlook.com (2603:10b6:610:193::8)
by SJ0PR07MB7806.namprd07.prod.outlook.com (2603:10b6:a03:278::8) with
Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.21; Fri, 3 Nov
2023 10:38:25 +0000
Received: from CH0PR07MB9871.namprd07.prod.outlook.com
([fe80::7a52:37b4:526a:d0bb]) by CH0PR07MB9871.namprd07.prod.outlook.com
([fe80::7a52:37b4:526a:d0bb%4]) with mapi id 15.20.6954.021; Fri, 3 Nov 2023
10:38:25 +0000
From: Cabina MSA.SD <[email protected]>
To: "Mr. Camarium" <[email protected]>
Subject: prova
Thread-Topic: prova
Thread-Index: AQHaDkHPsq+6RyxsVkeOSgPJyBsavg==
Date: Fri, 3 Nov 2023 10:38:24 +0000
Message-ID:
<CH0PR07MB9871D124A45EB0906033971BDEA5A@CH0PR07MB9871.namprd07.prod.outlook.com>
Accept-Language: it-IT, en-US
Content-Language: it-IT
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: CH0PR07MB9871:EE_|SJ0PR07MB7806:EE_
x-ms-office365-filtering-correlation-id: 094b2b6a-0eba-42e3-7091-08dbdc590203
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info:
Y5v2e7y/w0nNOK2Y6R+ubCzftAkqiqlwFFzhyql2oDtD0UZm8KuHrrrIOOyFjiNAxSFZ99tcQscVlhJHx0VakwaMGNpd6j0dB5KjQaL89Te9DDOtlJ/IYwoRLpJEUGYHrP7cKyt/WKRBfttEEBjM45+MF+mxE3/J8H4UG+maRqMt+JLFvxM1zfLhTWLOM5KpRFX00VaTsKdARrThnjMAGsiFrxfJmeBnGAiSYTeIa+T3eFZwpxp8rKdVh9tBC6aPFHdNgUUd2TXCQF8AoNlJqeK08sItAI+iuucNAopu2/ENPFFbeG7UEOy4pVe/uFyOtV1xhyMjKAM/B8X1GrDBuJRE8rGzywdmoXoC7rcc4I1G+U1YnV+Swjt4rUztzoGniAVQB7+oSRl66r9sVfcxmykdUMk2l63g3M1c806+Zcg6NOR5+dZ0qKQHnPTWXGVxNy22SX7l9tMK7V0fqDEP2HFmbnvANfdMp3KzadwqsLrBMy6JwWMaMMZIrDCNoug0Oxk27tZj/cmwIAtNb8RRlcDyWDanpIILMsPoAitCi858HVrm3pKjM0kqZuTTcx/rfTqlSFRvwqNqNO2l8sv1iN6dyHL5Rdv5pmvoAArl96Hpb3ak4e2+vrV766gDSPU/z/dwO9rrThciNFEjy3paf8OBcuccuYweImNBcoOSDiI=
x-forefront-antispam-report:
CIP:255.255.255.255;CTRY:;LANG:it;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CH0PR07MB9871.namprd07.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230031)(366004)(136003)(39860400002)(396003)(346002)(376002)(230922051799003)(451199024)(64100799003)(186009)(1800799009)(6506007)(478600001)(66556008)(66476007)(66446008)(64756008)(7696005)(71200400001)(3480700007)(66946007)(26005)(91956017)(6916009)(76116006)(316002)(9686003)(122000001)(38070700009)(41300700001)(86362001)(558084003)(5660300002)(52536014)(8936002)(8676002)(7116003)(2906002)(38100700002)(19627405001)(166002)(33656002)(55016003)(220243001)(204593002);DIR:OUT;SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0:
=?iso-8859-1?Q?SZtepC7hrz/v12CDdxHJ0UJ+WWvn7YNY2p9VS5FT2C3bv3+kjFcsmdhJO6?=
=?iso-8859-1?Q?5P7OE1vZ0sOXnLwKb6dwxTjiXPlFjQFpNbNbfk1wwrrpnJrpQ/KTVozhDR?=
=?iso-8859-1?Q?WORcsP9IfCn7kphC37I4qO0TuKWKEtT+xTu5slKLMtMr6BJUJW6bEM7k0k?=
=?iso-8859-1?Q?JVMbFgaOhux4whT2zTClfAhP3UQA166myTg+feqkXLZ7AAUsh5HsK5NCN+?=
=?iso-8859-1?Q?1dwdVRdlNleFLTun/OjntPQv64hurkOgxnlKDglFEe2h/8nyjf2OBSByxY?=
=?iso-8859-1?Q?POxN9rz3loP7fxem2NIxA/p8W4Udv7J6RwCculmRO/nu98Z6KvXzov4172?=
=?iso-8859-1?Q?yPRRQXPaB2AnyfPZdZ0NL9Eb/gkSPwZc7a8+tjRhADv31yXLze/RCdCkm1?=
=?iso-8859-1?Q?PiifeCmcQzReGQQAqn/e7NvBcxOao2E3kg0GKY9Y4qoWyaiw+wAMTV8QfK?=
=?iso-8859-1?Q?t8BXALzwQNv5Z9lLb3JD1JKlSXyZd1+z6u9nuIxryXsKf9ZVQENRBvCoTc?=
=?iso-8859-1?Q?bRz4WX0DZlorOTjKAJFg95l0/04+8+tm23M088Pq0wBAo+vBe2lu7fBBaI?=
=?iso-8859-1?Q?neZ0QD6a/2aBmEe7KEm1cWDOl8QusQXUh7xq2KYfU8wjseEVrPvP0xFzaD?=
=?iso-8859-1?Q?a6KLuDkjOeDWqtLfvHOgvEC5Saqe1Ij3iJ7yJlNnc2nw2FyHvacWmAvsjl?=
=?iso-8859-1?Q?mcZGybPQCUhfIjbt2Y5ejHTIZZfTHvLaHrbMFei778tC4sB4hyO6qtl+OQ?=
=?iso-8859-1?Q?XzT4z7uhTuhQh+9MdVCF4IxHIfsrP6sFra8mPc6lpqm2YB6VVRrMsx1AoG?=
=?iso-8859-1?Q?q9WfeeaAYT20Jty9a+eUjeOhteIjVYUlumyYIuLJCLUOKPXVWhC4cu96RM?=
=?iso-8859-1?Q?wRMKhw84FLAu/+HjBwCM+lJFgcZtoC2GEL+Jhb1JfZotkC4Syvg0Xfhh7D?=
=?iso-8859-1?Q?BFDbQUGSvK6Xer/qgCvXyKTU1UV0A5U09ssQVLaBMeC5fOgvU/Q7MUR2tK?=
=?iso-8859-1?Q?uOO+sQX/5B0XM28AVsfCyfCP6fPnoi+nfI57+FWRnGpGbzjmsopGDmRROB?=
=?iso-8859-1?Q?xXdcegXNszx3SJMuXXh8oLK4l0KEbfDiH7AMCbbhtWL3Rfz5aZy0iZqU3g?=
=?iso-8859-1?Q?I8hfjUW/kMPmJ3LYMpEkNEmYlIaz106NPjX5P/658PWCHEWk9S/Jzw88LS?=
=?iso-8859-1?Q?0jEGZAtn8JtaLmlMyQF0QuzFx2nn4nKBKIHaut4Dgb8adIVgZc6xSRWPYs?=
=?iso-8859-1?Q?TIXcktDRJNUkgg01qz5P4Qujb1g/AZu7H4vlHXwtIGxCiFijYcKYHwHJJ4?=
=?iso-8859-1?Q?Dxuey49bmRHta+MvlJCyvHkzOOMlXsSAvjfa6Lru7LBai+q6/4SBKcfQbd?=
=?iso-8859-1?Q?UE9XGZbGBvHu4SET0P/MQSWfAXtZSRl4pEm1JV1C1NCults+HTEAQEEQzt?=
=?iso-8859-1?Q?zO26XDk4UAtYBouLaCIppk2ama1bGo4RP4wQ9WXJXSpD6iGKsXCqN/SOZX?=
=?iso-8859-1?Q?dIXm5fZPA9FEavzXZj5w34VW3fh8fDiOAM3cQBITUZdrruZIXBryb1Qnxy?=
=?iso-8859-1?Q?jqth4Q9J1Q5/5eKU//H8DgAycBLsdghxU690azcO/TZN14xuTcFo/xDJus?=
=?iso-8859-1?Q?bFTtW+EcRSeaaCi7hIDSnayCYLSKW+kc31?=
Content-Type: multipart/alternative;
boundary="_000_CH0PR07MB9871D124A45EB0906033971BDEA5ACH0PR07MB9871namp_"
MIME-Version: 1.0
X-OriginatorOrg: o-i.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH0PR07MB9871.namprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 094b2b6a-0eba-42e3-7091-08dbdc590203
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Nov 2023 10:38:24.6471
(UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: af0ee343-0c80-42be-aeac-d688e63ecf48
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: nRGCK7Q3loLOVw8nco/wl851gj+7IiA/XEkB/v1cbYrvlLzxYgi6SkXDKDEeacZe7cm2gku30Jn5CfmXcFttIg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR07MB7806
Content-Length: 5031
--_000_CH0PR07MB9871D124A45EB0906033971BDEA5ACH0PR07MB9871namp_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--_000_CH0PR07MB9871D124A45EB0906033971BDEA5ACH0PR07MB9871namp_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
--_000_CH0PR07MB9871D124A45EB0906033971BDEA5ACH0PR07MB9871namp_--