Пример #1
0
        public List <CheckResult> CheckSender(string senderName, string senderEmail, string senderEnvelope)
        {
            var results      = new List <CheckResult>();
            var checkMethods = new CheckMethods();

            string senderDomainEnvelope = checkMethods.GetDomainFromMail(senderEnvelope);
            string senderDomainHeader   = checkMethods.GetDomainFromMail(senderEmail);
            string senderDomain         = checkMethods.GetDomainFromMail(senderName);

            // check if senderEmail has different domain than senderEnvelope
            if ((senderEnvelope != null) && (senderDomainEnvelope != senderDomainHeader))
            {
                results.Add(new CheckResult("Meta-SenderDomainMismatch", "mismatch between sender domains of envelope and header", senderDomainEnvelope + "/" + senderDomainHeader, -40));
            }

            // check if senderName contains email address with different domain than senderEnvelope
            if (senderName.Contains("@") && (senderDomainEnvelope != senderDomain))
            {
                results.Add(new CheckResult("Meta-SenderNameDomainMismatch", "senderName contains email address with different domain than senderEnvelope", senderDomainEnvelope + "/" + senderDomain, -50));
            }

            if (!string.IsNullOrEmpty(senderEnvelope) && (senderEmail != senderEnvelope))
            {
                results.Add(new CheckResult("Meta-SenderMismatch", "Der Absender ist evtl. gefälscht (Adresse Umschlag vs. Mail)", senderEmail + "/" + senderEnvelope, -50));
            }

            // check if senderEnvelope has badTLD
            results.Add(checkMethods.CheckBadTld("SenderEnvelope-badTLD", senderDomainEnvelope));
            results.Add(checkMethods.CheckBadTld("SenderHeader-badTLD", senderEmail));

            int    senderNameAtPos      = senderName.IndexOf("@");
            string senderNameDomainPart = senderName.Substring(senderNameAtPos + 1);

            if ((senderNameAtPos != -1) && (!string.IsNullOrEmpty(senderEmail)))
            {
                // senderName contains mail address
                results.Add(new CheckResult("Meta-SenderMismatch", "Der Absender ist evtl. gefälscht (Name soll Mailadresse suggerieren)", senderEmail + "/" + senderEnvelope, -10));

                if ((senderEmail.IndexOf(senderNameDomainPart, StringComparison.CurrentCultureIgnoreCase) == -1) && string.IsNullOrEmpty(senderEmail))
                {
                    // senderName contains domain different to the one in senderEmailAddress
                    results.Add(new CheckResult("Meta-SenderPhishy", "Die angezeigte Mailadresse entspricht vermutlich nicht dem tatsächlichen Absender / senderName contains email address with different domain than sender", senderEmail + " / " + senderNameDomainPart, -40));
                }
            }

            return(results);
        }
Пример #2
0
        public override List <CheckResult> Analyze(object mailBody)
        {
            var results      = new List <CheckResult>();
            var checkMethods = new CheckMethods();

            var links = LinksFind(mailBody as string);
            Action <CheckResult> add = x => { if (x != null)
                                              {
                                                  results.Add(x);
                                              }
            };
            Action <List <CheckResult> > addRange = x =>
            {
                if (x != null)
                {
                    x.RemoveAll(y => y == null);
                    results.AddRange(x);
                }
            };

            if (links.Any())
            {
                foreach (string link in links)
                {
                    addRange(checkMethods.CheckLinkShorteners("Link-Shortener", link));

                    add(checkMethods.CheckBadTld("Link-badTLD", link));

                    // check for keywords in links
                    addRange(checkMethods.CheckKeywords("Link-Keyword", link));
                }

                HasLink = true;
                score   = results.Sum(x => x.score);
            }
            return(results);
        }
        public override List <CheckResult> Analyze(object data)
        {
            var attachments = data as Attachments;
            var results     = new List <CheckResult>();

            CheckMethods checkMethods = new CheckMethods();

            Action <List <CheckResult> > addRange = x =>
            {
                if (x != null)
                {
                    x.RemoveAll(y => y == null);
                    results.AddRange(x);
                }
            };

            if (attachments == null)
            {
                return(null);
            }

            foreach (Attachment attachment in attachments)
            {
                addRange(checkMethods.CheckDoubleExtensions("Attachment-DoubleExtensions", attachment.FileName));

                addRange(checkMethods.CheckBadExtensions("Attachment-BadExtension", attachment.FileName));

                addRange(checkMethods.CheckKeywords("Attachment-Keyword", attachment.FileName));

                addRange(checkMethods.CheckBadHashes("Attachment-FileHash", attachment));
            }

            score = results.Sum(x => x.score);

            return(results);
        }
Пример #4
0
        public override List <CheckResult> Analyze(object data)
        {
            var mailItem = data as MailItem;
            var results  = new List <CheckResult>();

            var currentUser        = mailItem?.UserProperties.Session.CurrentUser.Address;
            var senderName         = mailItem.SenderName;
            var senderEmailAddress = mailItem.SenderEmailAddress;
            var senderCombo        = senderName + "/" + senderEmailAddress;

            // Get already known values
            var learn = new FinalFrontierLearnLib.Learn();

            Dictionary <string, int> DictSenderName  = learn.getDictSenderName();
            Dictionary <string, int> DictSenderEmail = learn.getDictSenderEmail();
            Dictionary <string, int> DictSenderCombo = learn.getDictSenderCombo();


            // TODO: Get thorug app config
            try
            {
                ownaddresses = ConfigurationManager.AppSettings["ownaddresses"].Split(',').ToList();
                ownaddresses.Add(currentUser);
            }
            catch (System.Exception)
            {
                System.Windows.Forms.MessageBox.Show("Could not read configuration file app.config / " + AppDomain.CurrentDomain.SetupInformation.ConfigurationFile + "\n\nCAUTION: FINALFRONTIER WILL NOT BE FUNCTIONING PROPERLY!!!");
            }

            var checkMethods = new CheckMethods();

            Action <CheckResult> add = x => { if (x != null)
                                              {
                                                  results.Add(x);
                                              }
            };
            Action <List <CheckResult> > addRange = x =>
            {
                if (x != null)
                {
                    x.RemoveAll(y => y == null);
                    results.AddRange(x);
                }
            };

            foreach (string entry in mailItem.Headers("Received"))
            {
                string receiveDomain = checkMethods.GetReceiveFromString(entry);
                add(checkMethods.CheckBadTld("Receive-badTLD", receiveDomain));
                addRange(checkMethods.CheckFreeMailers("Receive-Freemailer", entry, senderEmailAddress));
            }

            addRange(CheckSender(senderName, senderEmailAddress, checkMethods.GetSenderSMTPAddress(mailItem)));

            add(checkRecipients(currentUser, mailItem.To?.Split(',').ToList(), mailItem.CC?.Split(',').ToList()));

            // evaluate history of senderName, senderEmailAddress and their combo
            if (DictSenderName.ContainsKey(senderName))
            {
                add(new CheckResult("Metadata-NewName", "Der Name (Freitext) des Absenders ist bekannt", senderName, -40));
            }
            else
            {
                add(new CheckResult("Meta-NameNew", "Der Name (Freitext) des Absenders ist neu", senderName, -10));
            }

            if (DictSenderEmail.ContainsKey(senderEmailAddress))
            {
                if (DictSenderEmail[senderEmailAddress] > 0)
                {
                    add(new CheckResult("Meta-SenderAddressSeenBefore", "Die vermeintliche Emailadresse ist bekannt.", senderEmailAddress, -30));
                }
            }
            else
            {
                add(new CheckResult("Meta-SenderNew", "Vermeintliche Emailadresse ist neu.", senderEmailAddress, -20));
            }

            if (DictSenderCombo.ContainsKey(senderCombo))
            {
                if (DictSenderCombo[senderCombo] > 0)
                {
                    add(new CheckResult("Meta-ComboSeenBefore", "Die Kombination von Absender (Freitext) und Emailadresse ist bekannt.", senderEmailAddress, 100));
                }
            }
            else
            {
                add(new CheckResult("Meta-ComboNew", "Die Kombination von Absender (Freitext) und Emailadresse ist neu.", senderEmailAddress, -40));
            }

            //add(checkMethods.SenderWhitelist(senderEmailAddress, senderNameDomainPart));

            foreach (string entry in mailItem.Headers("From"))
            {
                if (entry.Contains("\"\""))
                {
                    add(new CheckResult("Meta-SuspiciousSender", "Die Angabe des Absenders enthält leere Hochkommata.", senderEmailAddress, -40));
                }
                if (entry.Contains("''"))
                {
                    add(new CheckResult("Meta-SuspiciousSender", "Die Angabe des Absenders enthält leere Hochkommata.", senderEmailAddress, -40));
                }
                if (entry.StartsWith("@"))
                {
                    add(new CheckResult("Meta-SuspiciousSender", "Die Mailadresse des Absenders ist fehlerhaft / verdächtig.", senderEmailAddress, -40));
                }
            }

            score = results.Sum(x => x.score);

            return(results);
        }