minvws / nl-kat-coordination

OpenKAT scans networks, finds vulnerabilities and creates accessible reports. It integrates the most widely used network tools and scanning software into a modular framework, accesses external databases such as shodan, and combines the information from all these sources into clear reports. It also includes lots of cat hair.
https://openkat.nl
European Union Public License 1.2

(Better) parsing of SPF records with Macros #982

Open underdarknl opened 1 year ago

underdarknl commented 1 year ago

Related to: https://github.com/minvws/nl-kat-coordination/issues/957

Is your feature request related to a problem? Please describe.
SPF records can contain macros as defined here, which would result in hostname-like objects that the SPF parser needs to understand in relation to the sending IP to validate if a given IP can send emails for a given domain.

The specs are here: https://datatracker.ietf.org/doc/html/rfc7208#section-7

What can you do with macros? https://www.jamieweb.net/blog/using-spf-macros-to-solve-the-operational-challenges-of-spf/

Describe the solution you'd like
We need to parse these strings and create a useful representation in the graph. However, as we currently don't have any information on where emails are being sent from, we cannot yet validate those senders against these macro records. We can however see if they follow the RFC in terms of formatting.
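The formatting check described above, as an added example that is not OpenKAT project code: it walks the domain-specs of an SPF record and validates each macro string against the RFC 7208 section 7.1 grammar (plus the section 7.3 rules that `c`, `r` and `t` belong only in exp text and that a DIGIT transformer must be nonzero), without evaluating anything against a sender IP. Function names and error messages are my own choices.

```python
"""Syntax checks for SPF macro strings (RFC 7208, sections 7.1 and 7.3)."""
import re

# macro-expand = "%{" macro-letter transformers *delimiter "}" / "%%" / "%_" / "%-"
MACRO_RE = re.compile(r"%\{([a-zA-Z])(\d*)(r?)([.\-+,/_=]*)\}|%%|%_|%-")
DOMAIN_LETTERS = set("slodiphv")   # usable in any domain-spec
EXP_ONLY_LETTERS = set("crt")      # allowed only in the text an exp= points at
# Terms whose argument is a domain-spec and may therefore carry macros.
DOMAIN_SPEC_TERMS = re.compile(r"^(include|a|mx|ptr|exists):(.+)$|^(redirect|exp)=(.+)$")


def check_macro_string(text: str, in_exp: bool = False) -> list[str]:
    """Return the RFC 7208 syntax problems found in `text` (empty list if well-formed)."""
    problems, pos = [], 0
    while pos < len(text):
        if text[pos] != "%":
            # macro-literal: any visible ASCII character other than "%"
            if not 0x21 <= ord(text[pos]) <= 0x7E:
                problems.append(f"non-printable or space character at offset {pos}")
            pos += 1
            continue
        m = MACRO_RE.match(text, pos)
        if m is None:
            problems.append(f"bare '%' at offset {pos}: use '%%' or '%{{...}}'")
            pos += 1
            continue
        if m.group(1):  # a %{...} expansion; %%, %_ and %- need no further checks
            letter = m.group(1).lower()  # uppercase means URL-encoded expansion
            if letter in EXP_ONLY_LETTERS and not in_exp:
                problems.append(f"macro '{m.group(1)}' only allowed in exp= text")
            elif letter not in DOMAIN_LETTERS | EXP_ONLY_LETTERS:
                problems.append(f"unknown macro letter '{m.group(1)}'")
            if m.group(2) and int(m.group(2)) == 0:
                problems.append("transformer digits must be nonzero")
        pos = m.end()
    return problems


def check_spf_record(record: str) -> dict[str, list[str]]:
    """Run check_macro_string over every domain-spec in an SPF TXT record."""
    findings = {}
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        m = DOMAIN_SPEC_TERMS.match(term.lstrip("+-~?"))  # drop the qualifier
        if m is None:
            continue  # ip4:, ip6:, all and unknown modifiers carry no macros
        spec = m.group(2) or m.group(4)
        if m.group(1) in ("a", "mx"):  # drop an optional dual-cidr-length suffix
            spec = re.sub(r"(/\d{1,3})?(//\d{1,3})?$", "", spec, count=1)
        problems = check_macro_string(spec)
        if problems:
            findings[term] = problems
    return findings
```

Feeding `check_spf_record` a record such as `v=spf1 exists:%{i}._spf.example.net -all` returns an empty dict; a record with `%{c}` or `%{d0}` in a domain-spec comes back with the offending term mapped to its problems.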

praseodym commented 1 year ago

Maybe we should allow registering sender IP addresses in ConfigOOIs, so we can validate the SPF records based on that information?

underdarknl commented 1 year ago

That's an excellent plan! Those Configs could even be auto-created from log sources at some point.