ListSpamMessages
Description
This script extracts outbound SMTP messages (TCP segments sent to port 25 that carry a Subject: header) from a pcap file and writes each one to its own file.
Code
#!/usr/bin/env python
# Walk the capture and dump every TCP segment sent to port 25 whose payload
# contains a "Subject:" header. One file per segment: a message split across
# several segments is only written in part, and a Subject: header that straddles
# a segment boundary is missed entirely.
from scapy.all import rdpcap, IP, TCP, Raw
import os
import sys

i = 0
os.makedirs("messages", exist_ok=True)   # output directory must exist before writing
packets = rdpcap(sys.argv[1])
for p in packets:
    if p.haslayer(IP) and p.haslayer(TCP) and p.getlayer(TCP).dport == 25 and p.haslayer(Raw):
        payload = p.getlayer(Raw).load        # bytes under Python 3, so search for bytes
        if payload.find(b"Subject:") != -1:
            msg = ("%s - > %s\n" % (p.getlayer(IP).src, p.getlayer(IP).dst)).encode()
            msg += payload
            f = open("messages/%d.msg" % i, "wb")
            f.write(msg)
            f.close()
            i = i + 1
Example
$ ./list-spam-messages.py eb30e132f507b6d3dd70629938ed5f57.pcap
This command writes one .msg file per matching TCP segment into the messages/ directory. Here is one of them (the HTML body is cut off below):
192.168.1.222 - > 204.232.236.130
From: Rolex.com <[email protected]>
To: [email protected]
Subject: [email protected] Rolex Today -33%
Mime-Version: 1.0
Content-type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html bgcolor="#000000" style="background:#000000; color:#FFFFFF; font-size:12px; font-family:Lucida Sans Unicode, Lucida Grande, Sans-Serif;" xmlns="http://www.w3.org/1999/xhtml" xmlns:custom="urn:custom-functions">
<head>
<style type="text/css">
body, html { background:#000000; color:#FFFFFF; font-size:12px; font-family:Lucida Sans Unicode, Lucida Grande, Sans-Serif; }
h3 { font-family:Times New Roman; font-size:14px; color:#FFFFFF; }
a { text-decoration:none; color:#FFFFFF; }
</style>
</head>
<body bgcolor="#000000" style="background:#000000; color:#FFFFFF; font-size:12px; font-family:Lucida Sans Unicode, Lucida Grande, Sans-Serif;">
<table width="455" cellpadding="0" cellspacing="0" border="0" align="center">
<tr>
<td>
<table>
<tr>
<td height="50" width="455"/>
</tr>
<tr width="455">
<td>
<a href="http://www.rolex.com.brushgovernment.com"><img style="border:none;" src="http://www.rolex.com/images/email/baselEmailLogo.jpg" width="455" height="59"/>
</td>
</tr>
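The script above greps each TCP segment on its own, so a message that spans several segments is written in pieces and a Subject: header that straddles a segment boundary is never found. The following added example (not the wiki's script, and not dependent on scapy) shows the reassembly step a practitioner would want: it parses a classic pcap with the standard library, groups client-to-port-25 segments by 4-tuple, orders them by TCP sequence number, and then cuts each message out of the SMTP DATA phase with dot-stuffing undone. It assumes an Ethernet link type, IPv4, no sequence-number wrap and no overlapping retransmissions; the capture it runs on is constructed inline with placeholder addresses, with the Subject: header deliberately split across two out-of-order segments.

```python
import re
import struct
from collections import defaultdict

DATA_RE = re.compile(rb"DATA\r\n(.*?)\r\n\.\r\n", re.S)


def parse_pcap(data):
    """Yield (src, dst, sport, dport, seq, payload) for IPv4/TCP segments with data.
    Classic pcap (either byte order), Ethernet link type; IPv6 and non-TCP are skipped."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[offset:offset + 16])[2]
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        if frame[23] != 6:
            continue  # not TCP
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:14 + total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, dst, sport, dport, seq, payload


def reassemble_smtp_flows(data):
    """Map each client->port-25 4-tuple to its byte stream ordered by sequence number.
    Keying by seq collapses exact retransmissions; overlaps and 32-bit wrap are not
    handled (assumption: short captures such as the one on this page)."""
    flows = defaultdict(dict)
    for src, dst, sport, dport, seq, payload in parse_pcap(data):
        if dport == 25:
            flows[(src, dst, sport, dport)][seq] = payload
    return {k: b"".join(segs[s] for s in sorted(segs)) for k, segs in flows.items()}


def extract_messages(stream):
    """Return each message sent between DATA and the lone '.' line, dot-stuffing undone.
    A literal "DATA\\r\\n" inside a body would fool this regex; a full SMTP state
    machine would track the server's 354/250 replies instead."""
    return [m.group(1).replace(b"\r\n..", b"\r\n.") for m in DATA_RE.finditer(stream)]


def subject_of(message):
    m = re.search(rb"^Subject:[ \t]*(.*?)\r?$", message, re.M)
    return m.group(1) if m else None


# Constructed sample (not real traffic); addresses are RFC 5737 / RFC 1918 placeholders.
BODY = (b"From: promo@example.com\r\nTo: victim@example.net\r\n"
        b"Subject: Rolex Today -33%\r\nMime-Version: 1.0\r\n\r\n"
        b"<html>cheap watches</html>\r\n"
        b".a body line starting with a dot is dot-stuffed on the wire")
CLIENT_STREAM = (b"EHLO spambot.example\r\nMAIL FROM:<promo@example.com>\r\n"
                 b"RCPT TO:<victim@example.net>\r\nDATA\r\n"
                 + BODY.replace(b"\r\n.", b"\r\n..") + b"\r\n.\r\nQUIT\r\n")
# Cut inside the word "Subject:" so neither segment holds the full header name, and
# list the second segment first to simulate out-of-order delivery.
_cut = CLIENT_STREAM.index(b"Subject:") + 3
SEGMENTS = [
    ("192.168.1.222", "203.0.113.10", 40000, 25, 1000 + _cut, CLIENT_STREAM[_cut:]),
    ("192.168.1.222", "203.0.113.10", 40000, 25, 1000, CLIENT_STREAM[:_cut]),
    ("192.168.1.222", "203.0.113.10", 40001, 80, 5000, b"GET / HTTP/1.0\r\n\r\n"),  # noise
]


def build_pcap(segments):
    """Serialise segment tuples as a little-endian classic pcap; checksums stay zero."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for src, dst, sport, dport, seq, payload in segments:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         bytes(int(x) for x in src.split(".")),
                         bytes(int(x) for x in dst.split("."))) + tcp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return bytes(out)


SAMPLE_PCAP = build_pcap(SEGMENTS)

if __name__ == "__main__":
    for key, stream in reassemble_smtp_flows(SAMPLE_PCAP).items():
        for msg in extract_messages(stream):
            print("%s -> %s  Subject: %s" % (key[0], key[1], subject_of(msg).decode()))
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of the file (open(path, "rb").read()); the 4-tuple key gives the same source/destination pair the page's script prints, and each extracted message can be written out exactly as before, one file per message instead of one file per segment.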