markmckinnon / Autopsy-Plugins

Autopsy Python Plugins

Mac_mail plugin exception "Input string is not a valid email address: undisclosed-recipients" #31

Closed rsajpon closed 2 years ago

rsajpon commented 3 years ago

Environment

Autopsy 4.16.0, Sleuthkit 4.10.0, O/S: Debian 10

Problem description

Mac_mail plugin exits after exception regarding malformed email address, see attached log (have truncated some parts). It looks like it processes a few items before it finds one which causes the exception.

Source data is a user's emlx email from a MacBook Pro, OSX High Sierra.

Regards, Johan

autopsy.log.0.txt

rsajpon commented 3 years ago

Was able to identify the email in question. "Undisclosed-recipients" is found in the "To"-field, see below.

So it's a "BCC" style email. Suppose the actual email address parsing is not part of your code?! Would you be able to forward the issue to the appropriate recipient (I'm new to Autopsy GitHub, but hope to be a contributor in the near future)?

6183
Return-Path: <support@accessdata.com>
Original-Recipient: rfc822;fake.name@disney.com
Received: from smtp-in23.fakenet.net (100.1.1.207) by ms14.fakenet.net (8.1.107)
        id 4E79353605F5B68C for fake.name@disney.com; Fri, 9 Mar 2012 22:11:50 +0100
Received: from mail-lpp01m010-f48.google.com (209.85.215.48) by smtp-in23.fakenet.net (8.1.122)
        id 4E89FF6B07645FDB for fake.name@disney.com; Fri, 9 Mar 2012 22:11:50 +0100
Received: by lagu2 with SMTP id u2so2142280lag.7
        for <fake.name@disney.com>; Fri, 09 Mar 2012 13:11:49 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type
         :x-gm-message-state;
        bh=LVhG4vLn3YWF4a3PY2wU7fUDu/S3fzmfp/P1RRqNYwU=;
        b=G7U5CSeI9JMVtlunyPCAcr/UICt70c19OUVvoNPTCPmwbt6AoS2a5vCFbqjJIixsBp
         kZTF+QiYs7webk1tWYITnTaAFRE4wDHzi1rOiXVoU2IQKvYy4eXY5BA5dj3xWjUs2miu
         HQnV/R7wqvnpRQnPrfRWCM2zly7VpZAlR0/Zn/EEqp0g7sS+OUjzI5eFwAyeh39EYG25
         cFwWwstRKK7R4mmx1Ewfm9MZIzCwc3ipbEQ42yoHy4NIjn6a6mnB6ZV+wOX4Lfpaau3M
         dona159bYrrkjTO9yf+VSv6c8L6NJkqjTTnXUdkI9Rxb3j8QZm2n/Dgl6DYKqrR90WDF
         5yvw==
MIME-Version: 1.0
Received: by 10.1.1.2 with SMTP id su7mr2764215lab.5.1331327509096; Fri,
 09 Mar 2012 13:11:49 -0800 (PST)
Received: by 10.1.1.1 with HTTP; Fri, 9 Mar 2012 13:11:49 -0800 (PST)
Date: Fri, 9 Mar 2012 13:11:49 -0800
Message-ID: <CAMqqsmY=nDhyUrNsj=p0Y_ckut1h=MCbT3ifX_Y9MVO4-qSpVg@mail.gmail.com>
Subject: AccessData Forums Account Activation
From: Accessdata Support <support@accessdata.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=e89a8f2348a742695d04bad5d75d
Bcc: fake.name@disney.com
X-Gm-Message-State: ALoCoQketc6rE9nI3YxygoP3HVutcWR07H+XbwdcbYcpY7Iaf6FsVyIImlBmkltl/l8kDSkW13Q6

--e89a8f2348a742695d04bad5d75d
Content-Type: text/plain; charset=UTF-8

Thank you for submitting your registration for access to the AccessData
Discussion Forums.  We want you to participate with the discussion
community.

[...]
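
The `To: undisclosed-recipients:;` header in the message above is RFC 5322 group syntax with an empty member list: it carries a group name and no mailbox. As an added example (not code from the plugin or from Autopsy), the following CPython 3 code separates real mailboxes from empty group names, so that only mailboxes are passed on to a strict address validator. The names `split_emlx`, `recipients` and `SAMPLE_EMLX` are hypothetical, and the sample is constructed from the headers quoted in this issue.

```python
import email
from email import policy

# Constructed sample: headers taken from the message in this issue, body and
# trailing plist shortened. An .emlx file starts with the byte length of the
# RFC 5322 message, followed by the message, followed by an Apple plist.
MESSAGE = (
    b"From: Accessdata Support <support@accessdata.com>\r\n"
    b"To: undisclosed-recipients:;\r\n"
    b"Bcc: fake.name@disney.com\r\n"
    b"Subject: AccessData Forums Account Activation\r\n"
    b"\r\n"
    b"Thank you for submitting your registration.\r\n"
)
SAMPLE_EMLX = (str(len(MESSAGE)).encode() + b"\n" + MESSAGE
               + b'<?xml version="1.0"?><plist/>\n')


def split_emlx(raw):
    """Return only the RFC 5322 message bytes from an .emlx blob."""
    count, _, rest = raw.partition(b"\n")
    return rest[: int(count.strip())]


def recipients(raw_emlx):
    """Map each address header to (mailboxes, empty_group_names)."""
    msg = email.message_from_bytes(split_emlx(raw_emlx), policy=policy.default)
    out = {}
    for name in ("From", "To", "Cc", "Bcc"):
        mailboxes, empty_groups = [], []
        for header in msg.get_all(name, []):
            # With policy.default every address header exposes .groups;
            # a plain mailbox is a group whose display_name is None.
            for group in header.groups:
                if group.display_name and not group.addresses:
                    # Named group without members, e.g. undisclosed-recipients
                    empty_groups.append(group.display_name)
                # Keep only entries that have a domain part
                mailboxes += [a.addr_spec for a in group.addresses if a.domain]
        out[name] = (mailboxes, empty_groups)
    return out


if __name__ == "__main__":
    for header, (boxes, groups) in recipients(SAMPLE_EMLX).items():
        print(header, "mailboxes:", boxes, "empty groups:", groups)
```
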

markmckinnon commented 3 years ago

Thanks for the data. I will take a look at this and see what the problem is and see what solution I can come up with.

markmckinnon commented 3 years ago

Having an issue recreating this with just this snippet of an email. Would it be possible to get the data source to debug this with? I would need the emlx files as well as the Envelope Index* for the user you are running this against.