phisher_phinder 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c8063750bef71fc06792e7c10440f99e979891612540b06abf4c66f2f368022d
-  data.tar.gz: a94cd0e2438359bc626609216a91633deb589121ac92a2567c2a90625c0e30ae
+  metadata.gz: cfb338171a5bca59a9682dfe8157475e7ac1a6283d9410a8367fdbe78fed0be1
+  data.tar.gz: db30dccf14c2184cd01f4cb27e4d0cc305fda0ddb0b58205a6e3a077893e1eae
 SHA512:
-  metadata.gz: 8cfc5618456ab2db9304232da36e6a5ae3e989edd1ba0993f5bd1f07feb27cfb4d1921052176630e002aa7847f0faee646f5f6690cdd650c34fd64ed843d0188
-  data.tar.gz: bb5ef0c6f6f601a8c7d42ec2a7a8c8de976ccc9a86e438c56cedf0e4853908edb9efb3dfecfae515d300e0f2671cf321c3eaebe0105dad874a52e9be2fff7050
+  metadata.gz: 831b8c8a93dc8cf8105724960be8052c1aa47a16fb57336a683e9780b07ce89a72e2e081344826b5462582c1270ca3fcd8a359d8b5111f97c4925c37cd5c085e
+  data.tar.gz: c25e50d534e780eaeef883a8e6c4311c4c51176589ac80959adb880c0b9f190b5350dd752497f3b19eb8ede04c95bd527201cf18f5f96222890ba08893495dd9

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    phisher_phinder (0.2.0)
+    phisher_phinder (0.3.0)
       dotenv (~> 2.7.5)
       maxmind-geoip2 (~> 0.4.0)
       nokogiri (~> 1.11.0)
@@ -61,10 +61,8 @@ GEM
       http (~> 4.3)
       maxmind-db (~> 1.1)
     method_source (1.0.0)
-    mini_portile2 (2.5.0)
     minitest (5.14.2)
-    nokogiri (1.11.0)
-      mini_portile2 (~> 2.5.0)
+    nokogiri (1.11.0-x86_64-linux)
       racc (~> 1.4)
     pry (0.13.1)
       coderay (~> 1.1)

data/README.md

@@ -97,14 +97,14 @@ The output of PhisherPhinder will produce something similar to the below:
 +-----------+---------------+------------------+
 
 
-+---------------+------------------------------+------------------------------+--------------------------+
-|                                                 Trace                                                  |
-+---------------+------------------------------+------------------------------+--------------------------+
-| Sender IP     | Sender Host                  | Advertised Sender            | Recipient                |
-+---------------+------------------------------+------------------------------+--------------------------+
-| 10.0.0.1      | host1.test.zzz               | dodgyname.test.zzz           | mx.google.com            |
-| 10.0.0.2      |                              | othersdodgyname.text.zzz     | host1.test.zzz           |
-+---------------+------------------------------+------------------------------+--------------------------+
++--------------+----------------------+-----------------------+--------------------------------+-----------------------+-----------------------+
+|                                                                    Trace                                                                     |
++--------------+----------------------+-----------------------+--------------------------------+-----------------------+-----------------------+
+| Sender IP    | IP Contacts          | Sender Host           | Host Contacts                  | Advertised Sender     | Recipient             |
++--------------+----------------------+-----------------------+--------------------------------+-----------------------+-----------------------+
+| 10.0.0.1     | abuse@hosttwo.zzz    | host.test.zzz         | support@test.zzz               | dodgy.test.zzz        | mx.google.com         |
+| 10.0.0.2     | abuse@hostone.zzz    |                       |                                | dodgy.othertest.zzz   | mail.hostthree.zzz    |
++--------------+----------------------+-----------------------+--------------------------------+-----------------------+-----------------------+
 
 ```
 
@@ -116,7 +116,8 @@ be trusted.
 
 The `Trace` secion shows a subset of the `Received` headers from the original (advertised, but not necessarily actual) 
 origin (the last entry in the table) to the last external server to process the email before the recipient's mail host 
-received the email.
+received the email. The contacts are abuse contacts for the sender IP and the sender host as found in the results of a 
+WHOIS lookup. If this could not be resolved, these fields will be blank.
 
 ## Dependencies
 1. [Maxmind GeoIP2 User Account](https://dev.maxmind.com/geoip/geoip2/web-services/) - pay as you go

data/lib/phisher_phinder.rb

@@ -1,12 +1,15 @@
 require "phisher_phinder/version"
 
 require 'maxmind/geoip2'
+require 'whois-parser'
 
 require_relative './phisher_phinder/command'
 require_relative './phisher_phinder/display'
 
 require_relative './phisher_phinder/body_hyperlink'
 require_relative './phisher_phinder/cached_geoip_client'
+require_relative './phisher_phinder/contact_finder'
+require_relative './phisher_phinder/whois_email_extractor'
 require_relative './phisher_phinder/null_lookup_client'
 require_relative './phisher_phinder/null_response'
 require_relative './phisher_phinder/geoip_ip_data'

data/lib/phisher_phinder/command.rb

@@ -13,7 +13,14 @@ module PhisherPhinder
                       end
       ip_factory = PhisherPhinder::ExtendedIpFactory.new(geoip_client: lookup_client)
       mail_parser = PhisherPhinder::MailParser::Parser.new(ip_factory, line_ending)
-      tracing_report = PhisherPhinder::TracingReport.new(mail_parser.parse(contents))
+      whois_client = Whois::Client.new
+      tracing_report = PhisherPhinder::TracingReport.new(
+        mail_parser.parse(contents),
+        PhisherPhinder::ContactFinder.new(
+          whois_client: whois_client,
+          extractor: PhisherPhinder::WhoisEmailExtractor.new
+        )
+      )
       tracing_report.report
     end
   end

data/lib/phisher_phinder/contact_finder.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module PhisherPhinder
+  class ContactFinder
+    def initialize(whois_client:, extractor:)
+      @whois_client = whois_client
+      @extractor = extractor
+    end
+
+    def contacts_for(address)
+      whois_content = nil
+      begin
+        whois_content = case address
+                        when ExtendedIp
+                          @whois_client.lookup(address.ip_address.to_s).content
+                        when String
+                          hostname_parts = address.split('.')
+                          whois_content = nil
+                          until whois_content do
+                            address = hostname_parts.join('.')
+                            whois_record = @whois_client.lookup(address)
+                            if whois_record.parser.available?
+                              hostname_parts = hostname_parts[1..-1]
+                            else
+                              whois_content = whois_record.content
+                            end
+                          end
+                          whois_content
+                        end
+      rescue Whois::ServerNotFound
+      rescue Whois::AttributeNotImplemented
+      end
+
+      whois_content ? @extractor.abuse_contact_emails(whois_content) : []
+    end
+  end
+end

data/lib/phisher_phinder/display.rb

@@ -32,14 +32,16 @@ module PhisherPhinder
       data = input_data[:tracing].map do |entry|
         [
           entry[:sender][:ip],
+          display_email_addresses(entry[:sender_contact_details][:ip][:email]),
           entry[:sender][:host],
+          display_email_addresses(entry[:sender_contact_details][:host][:email]),
           entry[:advertised_sender] || entry[:helo],
           entry[:recipient]
         ]
       end
 
       trace_table = Terminal::Table.new(
-        headings: ['Sender IP', 'Sender Host', 'Advertised Sender', 'Recipient'],
+        headings: ['Sender IP', 'IP Contacts', 'Sender Host', 'Host Contacts', 'Advertised Sender', 'Recipient'],
         title: 'Trace',
         rows: data
       )
@@ -60,5 +62,9 @@ module PhisherPhinder
         output << [description, input_data[:origin][type].join(', ')]
       end
     end
+
+    def display_email_addresses(email_addresses)
+      email_addresses.map { |address| address.gsub(/[,<>]/, '') }.join(', ')
+    end
   end
 end

data/lib/phisher_phinder/extended_ip.rb

@@ -10,7 +10,7 @@ module PhisherPhinder
     end
 
     def ==(other)
-      ip_address == other.ip_address && geoip_ip_data == other.geoip_ip_data
+      other.instance_of?(self.class) && ip_address == other.ip_address && geoip_ip_data == other.geoip_ip_data
     end
 
     def to_s

data/lib/phisher_phinder/tracing_report.rb

@@ -2,8 +2,9 @@
 
 module PhisherPhinder
   class TracingReport
-    def initialize(mail)
+    def initialize(mail, contact_finder)
       @mail = mail
+      @contact_finder = contact_finder
     end
 
     def report
@@ -34,7 +35,14 @@ module PhisherPhinder
 
     def extract_tracing_headers(received_headers, latest_spf_entry)
       start = received_headers[:received].find_index { |h| h[:sender][:ip] == ip_address(latest_spf_entry) }
-      received_headers[:received][start..-1]
+      received_headers[:received][start..-1].map do |h|
+        h.merge(
+          sender_contact_details: {
+            host: {email: @contact_finder.contacts_for(h[:sender][:host])},
+            ip: {email: @contact_finder.contacts_for(h[:sender][:ip])},
+          }
+        )
+      end
     end
 
     def extract_origin_headers(headers)

data/lib/phisher_phinder/version.rb

@@ -1,3 +1,3 @@
 module PhisherPhinder
-  VERSION = "0.2.0"
+  VERSION = "0.3.0"
 end

data/lib/phisher_phinder/whois_email_extractor.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module PhisherPhinder
+  class WhoisEmailExtractor
+    def abuse_contact_emails(contents)
+      if contents =~ /OrgAbuseEmail/
+        contents.scan(/OrgAbuseEmail:\s+(\S+)/).flatten.uniq
+      elsif contents =~ /Abuse contact for .+? is '([^']+)'/
+        [$1]
+      elsif contents =~ /Registrar Abuse Contact Email:\s+([\S]+)/
+        [$1]
+      elsif contents =~ /(abuse@[\S]+)/
+        [$1]
+      else
+        []
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: phisher_phinder
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - Rory McKinley
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2021-01-05 00:00:00.000000000 Z
+date: 2021-01-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dotenv
@@ -249,6 +249,7 @@ files:
 - lib/phisher_phinder/body_hyperlink.rb
 - lib/phisher_phinder/cached_geoip_client.rb
 - lib/phisher_phinder/command.rb
+- lib/phisher_phinder/contact_finder.rb
 - lib/phisher_phinder/display.rb
 - lib/phisher_phinder/expanded_data_processor.rb
 - lib/phisher_phinder/extended_ip.rb
@@ -276,6 +277,7 @@ files:
 - lib/phisher_phinder/simple_ip.rb
 - lib/phisher_phinder/tracing_report.rb
 - lib/phisher_phinder/version.rb
+- lib/phisher_phinder/whois_email_extractor.rb
 - phisher_phinder.gemspec
 homepage: https://capefox.co
 licenses: