techsneeze / dmarcts-report-parser

A Perl-based tool to parse DMARC reports from an IMAP mailbox or from the filesystem, and insert the information into a database. (Formerly known as imap-dmarcts.)
http://www.techsneeze.com/how-parse-dmarc-reports-imap/
GNU General Public License v3.0

fixup Trustwave SEG reports #54

Closed Mrten closed 6 years ago

Mrten commented 6 years ago

Sometimes the parser thinks a message does not have a report:

----------------------------------------------------------------
Processing IMAP message with UID #17
----------------------------------------------------------------
Subject: Report Domain: afvalonline.nl Submitter: zeeland.nl Report-ID: <2018.3.21.3204>
MimeType: multipart/mixed
This is a multipart attachment
Skipped an unknown attachment
Skipped an unknown attachment
Could not find an embedded ZIP! The IMAP message with UID #17 does not seem to contain a valid DMARC report. Skipped.
Moving (copy and delete) processed IMAP message file to IMAP folder: Inbox.processed

This is because of a formatting error in the mail:

----=e6b1e617-42ae-4760-ac67-8328714cd151
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

This is a DMARC report generated by Trustwave SEG.

----=e6b1e617-42ae-4760-ac67-8328714cd151
ContentType: application/gzip;
    name="zeeland.nl!afvalonline.nl!1521020356!1521631697!3204.xml.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
    filename="zeeland.nl!afvalonline.nl!1521020356!1521631697!3204.xml.gz"

ContentType must be Content-Type...

I humbly suggest the following patch:

root@mx-2:/home/dmarcreport# diff -u dmarcts-report-parser dmarcts-report-parser.new
--- dmarcts-report-parser   2018-05-30 23:40:54.348653837 +0200
+++ dmarcts-report-parser.new   2018-05-30 23:39:26.860653839 +0200
@@ -436,6 +436,11 @@
 # itself is not checked to be a valid DMARC report.
 sub getXMLFromMessage {
    my $message = $_[0];
+
+        # fixup type in trustwave SEG mails
+        $message =~ s/ContentType:/Content-Type:/;

    my $parser = new MIME::Parser;
    $parser->output_dir("/tmp");
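Review bot: The substitution added at the top of getXMLFromMessage is unanchored and has no /g modifier, so it rewrites only the first `ContentType:` found anywhere in the raw message. That first match may be body text in an earlier part rather than the malformed part header, and a second malformed part would stay broken. Anchoring it to the start of a line and applying it globally, e.g. `$message =~ s/^ContentType:/Content-Type:/mg;`, would narrow it to header-like lines; restricting it to header blocks would be stricter still. The comment probably means "typo" rather than "type", and the added lines are indented deeper than the surrounding `my $message` line.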
@@ -499,7 +504,7 @@
            } else {
                # Skip the attachment otherwise.
                if ($debug) {
-                   print "Skipped an unknown attachment \n";
+                   print "Skipped an unknown attachment (".lc $part->mime_type.")\n";
                }
                next; # of parts
            }
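Review bot: In the changed print line, `lc` is a named unary operator that binds more loosely than `.`, so `lc $part->mime_type.")\n"` lowercases the whole concatenation of the MIME type and `")\n"`, not just the MIME type. The output happens to be the same, but `lc($part->mime_type)` states the intent. The value comes from the message being parsed, so stripping non-printable characters before printing it to the debug output would be worth considering.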

techsneeze commented 6 years ago

Thanks for the suggestion. I'm happy to take in Pull requests as well! I've added the suggestions though, and committed them.

Mrten commented 6 years ago

thanks!
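
The failure reported in this issue, reproduced as an added example (not part of the thread and not the project's code; written in Python with the standard `email` package rather than Perl's MIME::Parser). It shows that a part carrying `ContentType:` falls back to the default type, and sketches a fixup limited to header blocks of a single-level multipart message. The sample message and the names `fix_headers` and `part_types` are constructed for illustration.

```python
import email
import re

# Constructed sample modelled on the message in the issue; addresses,
# boundary and payload are made up.
RAW = "\n".join([
    "From: noreply@seg.example",
    "Subject: Report Domain: example.nl Submitter: example.org",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="=b1"',
    "",
    "--=b1",
    "Content-Type: text/plain",
    "",
    "ContentType: this line is body text, not a header.",
    "",
    "--=b1",
    "ContentType: application/gzip;",
    '    name="report.xml.gz"',
    "Content-Transfer-Encoding: base64",
    "",
    "AAAA",
    "--=b1--",
    "",
])

BAD_HEADER = re.compile(r"^ContentType:", re.IGNORECASE)

def fix_headers(raw):
    """Rename ContentType: to Content-Type: in header blocks only."""
    boundary = email.message_from_string(raw).get_boundary()
    out, in_headers = [], True          # a message starts with headers
    for line in raw.split("\n"):
        stripped = line.rstrip("\r")
        if boundary and stripped == "--" + boundary:
            in_headers = True           # part headers follow a delimiter
        elif stripped == "":
            in_headers = False          # a blank line ends a header block
        elif in_headers:
            line = BAD_HEADER.sub("Content-Type:", line)
        out.append(line)
    return "\n".join(out)

def part_types(raw):
    """Content types of the leaf parts, as the MIME parser sees them."""
    msg = email.message_from_string(raw)
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
```
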