mgeeky / decode-spam-headers

A script that helps you understand why your E-Mail ended up in Spam
MIT License
563 stars 80 forks

Date in `Received` identified as IP address #19

Open maxxer opened 10 months ago

maxxer commented 10 months ago
Received: from EUR04-VI1-obe.outbound.protection.outlook.com
 (mail-vi1eur04on062e.outbound.protection.outlook.com.
 [2a01:111:f400:fe0e::62e]) by mx.google.com with ESMTPS id
 qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20
 for <name.surname@domain.com> (version=TLS1_2
 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Dec 2023 06:48:20
 -0800 (PST)

Result:

ANALYSIS:

(01) Header: Received  contained an IP address:
         Value    :    2023.12.14.06.48.20

I don't know if the following stack traces can be relevant:
[DEBUG] Parsed Received header:
{
    "host": "DBBPR03MB6762.eurprd03.prod.outlook.com",
    "host2": "[fe80::6f8b:f9b3:eaa:ea3e]",
    "ip": "",
    "timestamp": "2023-12-14 14:48:16+00:00",
    "ver": "15.20.7091.028",
    "with": "mapi",
    "extra": [
        "[fe80::6f8b:f9b3:eaa:ea3e%4]"
    ],
    "num": 1,
    "parsed": {
        "from": "DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e])",
        "by": "DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e%4])",
        "with": "mapi",
        "id": "15.20.7091.028"
    },
    "_raw": "from DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e]) by DBBPR03MB6762.eurprd03.prod.outlook.com ([fe80::6f8b:f9b3:eaa:ea3e%4]) with mapi id 15.20.7091.028; Thu, 14 Dec 2023 14:48:16 +0000",
    "by": "DBBPR03MB6762.eurprd03.prod.outlook.com",
    "id": "15.20.7091.028"
}
[DEBUG] gethostbyname("dbbpr03mb6762.eurprd03.prod.outlook.com")...
[DEBUG] Returning cached gethostbyname entry for: "outlook.com"
[DEBUG] Parsed Received header:
{
    "host": "DBBPR03MB6762.eurprd03.prod.outlook.com",
    "host2": "2603:10a6:10:20b::21",
    "ip": "",
    "timestamp": "2023-12-14 14:48:16+00:00",
    "ver": "15.20.7091.28",
    "with": "Microsoft SMTP Server",
    "extra": [
        "2603:10a6:20b:1c2::6",
        "version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
    ],
    "num": 2,
    "parsed": {
        "from": "DBBPR03MB6762.eurprd03.prod.outlook.com (2603:10a6:10:20b::21)",
        "by": "AM7PR03MB6531.eurprd03.prod.outlook.com (2603:10a6:20b:1c2::6)",
        "with": "Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)",
        "id": "15.20.7091.28"
    },
    "_raw": "from DBBPR03MB6762.eurprd03.prod.outlook.com (2603:10a6:10:20b::21) by AM7PR03MB6531.eurprd03.prod.outlook.com (2603:10a6:20b:1c2::6) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7091.28; Thu, 14 Dec 2023 14:48:16 +0000",
    "by": "AM7PR03MB6531.eurprd03.prod.outlook.com",
    "id": "15.20.7091.28"
}
[DEBUG] gethostbyname("dbbpr03mb6762.eurprd03.prod.outlook.com")...
[DEBUG] Returning cached gethostbyname entry for: "outlook.com"
[DEBUG] Parsed Received header:
{
    "host": "EUR04-VI1-obe.outbound.protection.outlook.com",
    "host2": "mail-vi1eur04on062e.outbound.protection.outlook.com",
    "ip": "2a01:111:f400:fe0e::62e",
    "timestamp": "2023-12-14 14:48:20+00:00",
    "ver": "qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20",
    "with": "ESMTPS",
    "extra": [
        "version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128"
    ],
    "num": 3,
    "parsed": {
        "from": "EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on062e.outbound.protection.outlook.com. [2a01:111:f400:fe0e::62e])",
        "by": "mx.google.com",
        "with": "ESMTPS",
        "id": "qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20",
        "for": "<name.surname@domain.com> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128)"
    },
    "_raw": "from EUR04-VI1-obe.outbound.protection.outlook.com (mail-vi1eur04on062e.outbound.protection.outlook.com. [2a01:111:f400:fe0e::62e]) by mx.google.com with ESMTPS id qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20 for <name.surname@domain.com> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 14 Dec 2023 06:48:20 -0800 (PST)",
    "by": "mx.google.com",
    "id": "qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20"
}
[ERROR] Test 1: "Received - Mail Servers Flow" failed: Invalid version: 'qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20' . Use --debug to show entire stack trace.
Traceback (most recent call last):
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 6925, in <module>
    main(sys.argv)
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 6905, in main
    out = an.parse(text)
          ^^^^^^^^^^^^^^
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 2285, in parse
    self.results[testName] = testFunc()
                             ^^^^^^^^^^
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 5209, in testReceived
    vers = SMTPHeadersAnalysis.parseExchangeVersion(obj['ver'])
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/lorenzomilesi/work/decode-spam-headers/decode-spam-headers.py", line 2107, in parseExchangeVersion
    lookupparsed = packaging.version.parse(lookup)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/homebrew/anaconda3/lib/python3.11/site-packages/packaging/version.py", line 52, in parse
    return Version(version)
           ^^^^^^^^^^^^^^^^
  File "/opt/homebrew/anaconda3/lib/python3.11/site-packages/packaging/version.py", line 198, in __init__
    raise InvalidVersion(f"Invalid version: '{version}'")
packaging.version.InvalidVersion: Invalid version: 'qd22-20020ad44816000000b0067eb7b6cad0si13196393qvb.400.2023.12.14.06.48.20'