I had a request from a customer to parse out some messages from a mail conversation.
Basically the email contains the following headers:
Received-SPF: pass (infra1.csuk.eu.rsa.net: 192.168.123.250 is whitelisted) receiver=infra1.csuk.eu.rsa.net; client-ip=192.168.123.250; helo=ECAT.waugh.local; envelope-from=david.waugh@waugh.local; x-software=spfmilter 2.001 http://www.acme.com/software/spfmilter/ with libspf2-1.2.10;
Received: from ECAT.waugh.local ([192.168.123.250])
by infra1.csuk.eu.rsa.net (8.13.8/8.13.8) with ESMTP id u3RCCOxW024832
for <david.waugh2@rsa.com>; Wed, 27 Apr 2016 12:12:24 GMT
x-metascan-quarantine-id: e3c4973b-d836-4f37-a47d-62271c21a5cc
Received: from UKXXWAUGHDL1C ([152.62.229.74]) by ECAT.waugh.local with ESMTP ; Wed, 27 Apr 2016 13:12:23 +0100
From: "10.5 Test" <david.waugh@infra1.esc.ai.pri>
To: <david.waugh2@rsa.com>
References:
In-Reply-To:
Subject: RE: This is a test through my mail system
Date: Wed, 27 Apr 2016 13:12:23 +0100
Message-ID: <0bd101d1a07e$0e479230$2ad6b690$@waugh.local>
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_0BD2_01D1A086.700E4420"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdGget+xlnYyEWhiQrysrAxYJ7qXxgAApK1AAAAdpuAAAAfMIA==
Content-Language: en-gb
X-Virus-Scanned: clamav-milter devel-clamav-0.98-dmgxar-126-gfde6749 at infra1
X-Virus-Status: Clean
The header of interest here is the one called Received-SPF:
I based the parser on the post "Detecting Sinkholed Domains With The X-Factor Parser".
On my Packet Decoder I created a file called SPF.parser in /etc/netwitness/ng/parsers
containing the following:
<?xml version="1.0" encoding="utf-8"?>
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">
  <parser name="SPF Factor" desc="This extracts the SPF string from a Header">
    <declaration>
      <token name="tXfactor" value="Received-SPF:" options="linestart" />
      <number name="vPosition" scope="stream" />
      <string name="vXfactor" scope="stream" />
      <meta name="meta" key="xfactor" format="Text" />
    </declaration>
    <match name="tXfactor">
      <!-- find the end of the header line: the newline is written as a character
           reference because a literal newline inside an attribute value is
           normalised to a space by the XML parser and would never match -->
      <find name="vPosition" value="&#10;" length="512">
        <read name="vXfactor" length="$vPosition">
          <register name="meta" value="$vXfactor"/>
        </read>
      </find>
    </match>
  </parser>
</parsers>
Whenever the Received-SPF header is seen, the rest of that header line is written into the xfactor meta key.
If your SPF results come from a different mail provider, adjust the parser accordingly.
For example if your messages had the following header:
Authentication-Results: mx.messagelabs.com; spf=pass
Then the line in the parser could be changed from:
<token name="tXfactor" value="Received-SPF:" options="linestart" />
to
<token name="tXfactor" value="Authentication-Results: mx.messagelabs.com; spf=" options="linestart" />
If you wanted to put the result into a different metakey (for example result) then change
<meta name="meta" key="xfactor" format="Text" />
to
<meta name="meta" key="result" format="Text" />
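As an added example (not the author's parser and not NetWitness code), here is a Python equivalent of the same extraction that also unfolds continuation lines and checks the receiver= field against your own MTA; the sample headers are constructed from the block above, and the expected_receiver parameter is an assumption of this example.

```python
import re

# Constructed sample modelled on the header block above. The Received-SPF line is
# folded across three lines (RFC 5322 folding) to show the unfolding that a
# "find the next newline" token read does not perform on its own.
SAMPLE = (
    "Received-SPF: pass (infra1.csuk.eu.rsa.net: 192.168.123.250 is whitelisted)\r\n"
    " receiver=infra1.csuk.eu.rsa.net; client-ip=192.168.123.250; helo=ECAT.waugh.local;\r\n"
    " envelope-from=david.waugh@waugh.local;\r\n"
    "Received: from ECAT.waugh.local ([192.168.123.250])\r\n"
    "Authentication-Results: mx.messagelabs.com; spf=pass\r\n"
    "Subject: RE: This is a test through my mail system\r\n"
)

_KV = re.compile(r"([\w-]+)=([^;\s]+)")

def unfold_headers(raw):
    """Return (name, value) pairs in order, with folded continuation lines joined."""
    fields = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line:
            break  # empty line ends the header block
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            fields.append((name.strip().lower(), value.strip()))
    return fields

def extract_spf(raw, expected_receiver=None):
    """Prefer the topmost Received-SPF (added by the last MTA, so least likely to
    be sender-supplied); fall back to the spf= clause of Authentication-Results,
    as the parser variant above does."""
    spf = auth = None
    for name, value in unfold_headers(raw):
        if name == "received-spf" and spf is None:
            result, _, rest = value.partition(" ")
            spf = {"source": "received-spf", "result": result.lower()}
            spf.update((k.lower(), v) for k, v in _KV.findall(rest))
        elif name == "authentication-results" and auth is None:
            m = re.search(r"\bspf=(\w+)", value)
            if m:
                auth = {"source": "authentication-results", "result": m.group(1).lower()}
    if spf is not None and expected_receiver is not None:
        # Only a Received-SPF stamped by your own MTA is worth alerting on.
        spf["trusted"] = spf.get("receiver", "").lower() == expected_receiver.lower()
    return spf or auth
```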