Not too long ago, I had a customer have some trouble with malicious email being sent to corporate users. The emails came from outside the network, but appeared to be coordinated by an accomplice on the inside. We wanted to see if we could discover who that accomplice was. So I wrote a quick little script using Python and SCAPY to monitor who is emailing who.
#!/usr/bin/python
import sys, signal, os, time
try:
from scapy import *
except:
print “scapy must be installed”
sys.exit()
def net_handler(p):
efrom = eto = esubj = ” ”
t = str(time.strftime(‘%X %x’))
src = str(p[IP].src)
dst = str(p[IP].dst)
p = p.getlayer(“TCP”)
msg = str(p.payload).split(‘\n’)
#print “–email detected–”
for line in msg:
line = line.upper()
if line.find(“FROM: ” ) == 0:
efrom = line[5:]
efrom = efrom.strip()
if line.find(“TO: ” ) == 0:
eto = line[3:]
eto = eto.strip()
if line.find(“SUBJECT: “) == 0:
esubj = line[8:]
esubj = esubj.strip()
if efrom != ” ” and eto != ” “:
print ‘%s, %s, %s, %s, %s, %s’ % (t, src, dst, efrom, eto, esubj)
def main():
sniff(count=0, store=0, iface=”eth0″, filter= “tcp port 25 or tcp port 110″, prn=net_handler)
print “finis”
main()