Open jdghub opened 1 year ago
Having this same problem.
These are Postfix queue IDs, which are misinterpreted as the version ID of a Microsoft product.
I am not experienced in Python, which makes it harder for me to find the point where I could add an exception for the Postfix line.
This is one line of a Postfix Received header:
(Postfix) with ESMTPSA id 0CDFFC0EC0
The Microsoft servers have these lines, and the difference is obvious:
with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6977.21 via Frontend Transport
with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6977.19 via Frontend Transport
with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.28
with HTTPS
I was able to hard-code a condition to match Postfix in the Received "by" part and remove the Queue-ID from the version checks, just above the part that copies 'id' to obj['ver']:

```python
if 'by' in obj['parsed'].keys():
    self.logger.dbg('Parsed Received-By: ' + str(obj['parsed']['by']))
    if "Postfix" in str(obj['parsed']['by']):
        self.logger.info(f'Found Postfix in received by...')
        # drop the Postfix queue ID so it is never treated as an Exchange version
        del parsed['id']
```
This is by no means a "solution", because it would rather need a parser that can identify at least postfix/sendmail/exim/qmail, but my short research showed that's not an easy task: sendmail often places its version only in the parentheses in 'by', and exim uses the 'with' part.
@mgeeky please note, this issue is similar to #1
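The check above keys on the word "Postfix" in the "by" clause. An added example, not code from this project or from the commenter, showing the more general gate the thread asks for: decide from the shape of the `id` token and from the `with` clause whether a hop is Exchange at all, so that Postfix, Sendmail or Exim queue IDs never reach the Exchange version lookup. The Received lines are constructed (hypothetical example.test hosts) around the id values quoted in this issue.

```python
import re
from typing import Optional, Tuple

# Constructed Received header values (hypothetical example.test hosts); the id
# values are the ones quoted in this issue. Not taken from any real message.
RECEIVED_SAMPLES = [
    "from c.example.test by mx.example.test (Postfix) with ESMTPSA id 0CDFFC0EC0",
    "from a.example.test by b.example.test with Microsoft SMTP Server "
    "(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) "
    "id 15.20.6977.21 via Frontend Transport",
    "from a.example.test by c.example.test with Microsoft SMTP Server "
    "(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6954.28",
    "from d.example.test by e.example.test with HTTPS",
    # Constructed edge case: a dotted id on a hop that is not Exchange.
    "from f.example.test by g.example.test (Postfix) with ESMTP id 1.2.3.4",
]

# An Exchange build number is three or four dot-separated decimal numbers.
EXCHANGE_VERSION_RE = re.compile(r"^\d+\.\d+\.\d+(?:\.\d+)?$")
# First 'id <token>' clause; the token ends at whitespace or the ';' before the date.
ID_RE = re.compile(r"\bid\s+([^\s;]+)")
# The 'with' clause up to the id clause, e.g. 'ESMTPSA' or 'Microsoft SMTP Server (...)'.
WITH_RE = re.compile(r"\bwith\s+(.+?)\s+id\s+", re.DOTALL)


def classify_received_id(received: str) -> Tuple[str, Optional[str]]:
    """Classify the id token of one Received value.

    ('exchange-version', tok): dotted build form AND the 'with' clause names
    Microsoft SMTP Server. ('queue-id', tok): anything else an MTA put there
    (Postfix, Sendmail and Exim all place a queue identifier in this position).
    ('none', None): no id clause at all.
    """
    id_match = ID_RE.search(received)
    if not id_match:
        return ("none", None)
    token = id_match.group(1)
    with_match = WITH_RE.search(received)
    with_clause = with_match.group(1) if with_match else ""
    if EXCHANGE_VERSION_RE.match(token) and "Microsoft SMTP Server" in with_clause:
        return ("exchange-version", token)
    return ("queue-id", token)


def exchange_version_from_received(received: str) -> Optional[str]:
    """Gate for the Exchange version lookup: build string, or None to skip this id."""
    kind, token = classify_received_id(received)
    return token if kind == "exchange-version" else None
```

Calling exchange_version_from_received before the version lookup skips the Postfix hop and the dotted-but-not-Exchange edge case while still passing the real build numbers through.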
I temporarily fixed this by commenting out line 2104:
@@ -2104,7 +2104,7 @@ class SMTPHeadersAnalysis:
if ver.version == lookup:
return ver
- lookupparsed = packaging.version.parse(lookup)
+# lookupparsed = packaging.version.parse(lookup)
# Go with version-wise comparison to fuzzily find proper version name
sortedversions = sorted(SMTPHeadersAnalysis.Exchange_Versions)
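Review bot: commenting out `lookupparsed = packaging.version.parse(lookup)` leaves `lookupparsed` undefined for the version-wise comparison that the comment on the following line introduces; if that code still references it, the failure only moves from `InvalidVersion` to `NameError`. A narrower fix keeps the line and guards it, e.g. `try: lookupparsed = packaging.version.parse(lookup)` / `except packaging.version.InvalidVersion: return None`, so a Postfix queue id such as `0CDFFC0EC0` skips the Exchange lookup while real build numbers still get the fuzzy match.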
Is this repo alive? There is some PR pending etc. :disappointed:
Proposed patch to skip ids that do not resemble an Exchange version string:
After working through a long series of headers in an email manually today, I came across this project and ran it on them (attached) to see what it would find. However, I ran into an error and a couple of issues:
Sample-Headers.txt
I don't know if anything was excluded from the output report due to this.
Not fatal, but it identified as domains items in headers that aren't:
Not a big deal, but it added an unbalanced `</font>` tag for other found domains:

But even with these issues the analysis of the spam headers completed and was useful. Thanks.