yigitcolakoglu
/
KulYutmaz
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Kulyutmaz is a project developed for the regional TUBITAK competition's programming field thart aims to create a more advanced phishing e-mail detection algorithm using website content checking and a neural network that we have trained.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
1.4 MiB
Branch: main
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'main'
${ noResults }
KulYutmaz/mail.py

523 lines
16 KiB
Raw Permalink Normal View History

Initial commit
4 years ago
 
  1. import mysql.connector
  2. import re
  3. import requests
  4. import urllib.parse
  5. from datetime import datetime
  6. import imaplib
  7. from email.parser import BytesParser
  8. from email.utils import getaddresses
  9. import AI
  10. import jsParser
  11. from pynotifier import Notification
  12. import platform
  13. from plyer import notification
  14. from urllib.parse import urlparse
  15. import pickle
  16. import numpy
  17. import yandex_search
  18. from bs4 import BeautifulSoup
  19. 

  20. MAILS_TO_CACHE = 5
  21. 

  22. SKIP = ["facebook.com","w3.org"]
  23. class Logger:
  24. 	def __init__(self, filename):
  25. 		self.file = open(filename, "a+")
  26. 

  27. 	def error(self, msg: str):
  28. 		self.file.write("[ERROR] " + self.generate_log(msg))
  29. 		self.file.flush()
  30. 

  31. 	def debug(self, msg):
  32. 		self.file.write("[DEBUG] " + self.generate_log(msg))
  33. 		self.file.flush()
  34. 

  35. 	def info(self, msg: str):
  36. 		self.file.write("[INFO] " + self.generate_log(msg))
  37. 		self.file.flush()
  38. 

  39. 	def generate_log(self, msg: str):
  40. 		now = datetime.now()
  41. 		timestamp = now.strftime("%b %d %Y %H:%M:%S")
  42. 		return timestamp + " : " + msg + "\n"
  43. 

  44. 	def stop(self):
  45. 		self.file.close()
  46. 

  47. 

  48. class MailBox:
  49. 

  50. 	def __init__(self, email: str, passwd: str, server: str, port: int, mysql_creds: dict, sensitivity: int,
  51. 				 threshold: int, logger: Logger):
  52. 		try:
  53. 			self.log = logger
  54. 			self.log.info("Started MailBox listener for " + email)
  55. 			self.FROM_EMAIL = email
  56. 			self.FROM_PWD = passwd
  57. 			self.SMTP_SERVER = server
  58. 			self.SMTP_PORT = port
  59. 			self.imap = imaplib.IMAP4_SSL(self.SMTP_SERVER, self.SMTP_PORT)
  60. 			self.imap.login(self.FROM_EMAIL, self.FROM_PWD)
  61. 			self.imap.select('INBOX')
  62. 			self.mysql_creds = mysql_creds
  63. 			self.threshold = threshold
  64. 			self.sensitivity = sensitivity
  65. 			self.get_ids()
  66. 			# The mails dictionary format it <mail_id>:(<Mail_Object>,<Modified time>)
  67. 			self.mails = {}
  68. 			self.mysql = mysql_creds
  69. 			self.spam_folder = self.detect_spam_folder()
  70. 			self.get_new_mails()
  71. 		except Exception as e:
  72. 			self.log.error(str(e))
  73. 

  74. 	def get_ids(self):
  75. 		try:
  76. 			self.imap.select("INBOX", False)
  77. 			typ, ids = self.imap.uid('search', None, 'ALL')
  78. 			self.ids = ids[0].decode().split()
  79. 			self.log.debug(str(self.ids))
  80. 		except Exception as e:
  81. 			self.log.error(str(e))
  82. 			self.imap = imaplib.IMAP4_SSL(self.SMTP_SERVER, self.SMTP_PORT)
  83. 			self.imap.login(self.ORG_EMAIL, self.FROM_PWD)
  84. 			self.imap.select('INBOX', False)
  85. 			self.get_ids()
  86. 

  87. 	def get_new_mails(self):
  88. 		mysql_db = mysql.connector.connect(
  89. 				user=self.mysql_creds["mysql_username"],
  90. 				password=self.mysql_creds["mysql_password"],
  91. 				database=self.mysql_creds["mysql_database"],
  92. 				host=self.mysql_creds["mysql_host"]
  93. 		)
  94. 		cursor = mysql_db.cursor()
  95. 		while len(self.mails) <= MAILS_TO_CACHE:
  96. 			id = self.ids[-1 - len(self.mails)]
  97. 			cursor.execute(
  98. 				"SELECT mail_id FROM logs WHERE mail_id = '{}' AND account = '{}'".format(id, self.FROM_EMAIL))
  99. 			cursor.fetchall()
  100. 			if cursor.rowcount > 0:
  101. 				self.mails[id] = "[BUFFERED MAIL]"
  102. 				continue
  103. 			typ, messageRaw = self.imap.uid('fetch', id, '(RFC822)')
  104. 			self.log.info("Found mail with id: " + str(id))
  105. 			email = messageRaw[0][1]
  106. 			self.mails[id] = Mail(email, self.mysql_creds, self.threshold, self.sensitivity, self.FROM_EMAIL, self.log,
  107. 								  id, self.spam_folder)
  108. 			self.mails[id].check_spam()
  109. 			self.log.info("Checked new mail with id: " + str(id))
  110. 

  111. 	def refresh_new_mails(self):
  112. 		self.log.info("Refreshing mails")
  113. 		old_ids = self.ids
  114. 		self.get_ids()
  115. 		#self.log.debug(str(self.ids))
  116. 		diff_ids = set(self.ids) - set(old_ids)
  117. 		for id in diff_ids:
  118. 			self.log.info("Found new mail with id: " + str(id))
  119. 			typ, messageRaw = self.imap.uid('fetch', id, '(RFC822)')
  120. 			self.log.info("Fetched the new mail")
  121. 			email = messageRaw[0][1]
  122. 			self.mails[id] = Mail(email, self.mysql_creds, self.threshold, self.sensitivity, self.FROM_EMAIL, self.log,
  123. 								  id, self.spam_folder)
  124. 			self.mails[id].check_spam()
  125. 

  126. 	def check_spam(self):
  127. 		for mail_name in self.mails:
  128. 			mail_obj = self.mails[mail_name]
  129. 			mail_obj.check_spam()
  130. 			self.log.info("Checked new mail with id: " + str(mail_name))
  131. 			if mail_obj.get_spam() == 1:
  132. 				self.log.info("Found spam mail sent by: " + mail_obj.header_data["From"].split("<")[1][:-1])
  133. 				result = self.imap.uid('COPY', mail_obj.mail_id, mail_obj.spam_folder)
  134. 				if result[0] == 'OK':
  135. 					mov, data = self.imap.uid('STORE', mail_obj.mail_id, '+FLAGS', '(\Deleted)')
  136. 					self.imap.expunge()
  137. 

  138. 	def detect_spam_folder(self):
  139. 		folder = ""
  140. 		for i in self.imap.list()[1]:
  141. 			l = i.decode().split(' "/" ')
  142. 			if "Junk" in l[0]:
  143. 				folder = l[1]
  144. 				break
  145. 			if "Trash" in l[0]:
  146. 				folder = l[1]
  147. 		if folder[0] == "\"":
  148. 			folder = folder[1:]
  149. 		if folder[-1] == "\"":
  150. 			folder = folder[:-1]
  151. 		return folder
  152. 

  153. 

  154. class Mail:
  155. 

  156. 	def __init__(self, mail_data, mysql_creds, threshold, sensitivity, account, logger, mail_id, spam_folder):
  157. 		self.JS_IMPORT_REGEX = r'/<script.*(?:src="(.*)").*>/s'
  158. 		self.JS_EXTRACT_REGEX = r'/<script.*>(.*?)<\/script>/s'
  159. 		self.URL_REGEX = "http[s]?://(?:[a-zA-Z]|[0-9]|[$-_@.&+]|[!*\(\),]|[^\x00-\x7F]|(?:%[0-9a-fA-F][0-9a-fA-F]))+"
  160. 		self.parser = BytesParser()
  161. 		self.sensitivity = sensitivity
  162. 		self.threshold = threshold
  163. 		self.log = logger
  164. 		self.spam_folder = spam_folder
  165. 		self.mysql_db = mysql.connector.connect(
  166. 				user=mysql_creds["mysql_username"],
  167. 				password=mysql_creds["mysql_password"],
  168. 				database=mysql_creds["mysql_database"],
  169. 				host=mysql_creds["mysql_host"]
  170. 		)
  171. 		self.account = account
  172. 		self.spam_points = 0
  173. 		self.js_code = {}
  174. 		self.urls_in_document = []
  175. 		self.documents = {}
  176. 		self.mail_id = mail_id
  177. 		# The headers are defined as <key>:<to_remove_from key>
  178. 		# -1 is used to define the last header, after that comes the mail contents
  179. 		self.whitelisted = False
  180. 		self.blacklisted = False
  181. 		self.parsed_mail = self.parser.parsebytes(mail_data)
  182. 		self.header_data = dict(self.parsed_mail)
  183. 		self.message = ""
  184. 		self.extract_message()
  185. 		self._spam = -1
  186. 		self.check_whitelist()
  187. 		self.check_blacklisted()
  188. 		self.urls = re.findall(self.URL_REGEX, self.message)
  189. 		for i in range(len(self.urls)):
  190. 			self.urls[i] = self.urls[i].strip()
  191. 

  192. 	def add_domain_to_blacklist(self,url):
  193. 		domain = urlparse(url).hostname
  194. 		cursor = self.mysql_db.cursor()
  195. 		cursor.execute("INSERT INTO new_blacklists(domain) VALUES('{}')".format(domain.encode("idna").decode("utf-8")))
  196. 		cursor.execute("INSERT INTO domain_blacklist(domain) VALUES('{}')".format(domain.encode("idna").decode("utf-8")))
  197. 

  198. 	def extract_message(self):
  199. 		if self.parsed_mail.is_multipart():
  200. 			for i in self.parsed_mail.get_payload():
  201. 				payload = i.get_payload(decode=True)
  202. 				try:
  203. 					self.message += payload.decode("utf-8")
  204. 				except AttributeError as e:
  205. 					self.log.error("AttributeError while trying to get message from mail with id " + str(self.mail_id))
  206. 					print(e)
  207. 				except UnicodeDecodeError as e:
  208. 					self.log.error(
  209. 						"UnicodeDecodeError while trying to get message from mail with id " + str(self.mail_id))
  210. 					print(e)
  211. 		else:
  212. 			payload = self.parsed_mail.get_payload(decode=True)
  213. 			try:
  214. 				self.message += payload.decode("utf-8")
  215. 			except AttributeError as e:
  216. 				self.log.error("AttributeError while trying to get message from mail with id " + str(self.mail_id))
  217. 				print(e)
  218. 			except UnicodeDecodeError as e:
  219. 				self.log.error("UnicodeDecodeError while trying to get message from mail with id " + str(self.mail_id))
  220. 				print(e)
  221. 

  222. 	def check_blacklisted(self, url=None):
  223. 		if url != None:
  224. 			url = url.encode("idna").decode("utf-8")
  225. 		cursor = self.mysql_db.cursor()
  226. 		if not url == None:
  227. 			cursor.execute("SELECT * FROM domain_blacklist WHERE domain LIKE '{}';".format(url))
  228. 			cursor.fetchall()
  229. 			if cursor.rowcount > 0:
  230. 				cursor.close()
  231. 				return True
  232. 			return False
  233. 		mail_header = self.header_data["From"].split("<")[1][:-1]
  234. 		mail = mail_header
  235. 		cursor.execute("SELECT * FROM mail_blacklist WHERE mail='{}';".format(mail))
  236. 		cursor.fetchall()
  237. 		if cursor.rowcount >= 1:
  238. 			print("Blacklisted")
  239. 			self.blacklisted = True
  240. 

  241. 	def check_whitelist(self, url=None):
  242. 		if url != None:
  243. 			url = url.encode("idna").decode("utf-8")
  244. 		cursor = self.mysql_db.cursor()
  245. 		if not url == None:
  246. 			cursor.execute("SELECT * FROM domain_whitelist WHERE domain LIKE '%{}%';".format(url))
  247. 			cursor.fetchall()
  248. 			if cursor.rowcount > 0:
  249. 				cursor.close()
  250. 				return True
  251. 			return False
  252. 		mail_header = self.header_data["From"].split("<")[1][:-1]
  253. 		mail = mail_header
  254. 		cursor.execute("SELECT * FROM mail_whitelist WHERE mail='{}';".format(mail))
  255. 		cursor.fetchall()
  256. 		if cursor.rowcount >= 1:
  257. 			self.whitelisted = True
  258. 

  259. 	def check_special_chars(self):
  260. 		for url in self.urls:
  261. 			parsed = urllib.parse.urlparse(url.encode("idna").decode("utf-8").encode("utf-8").decode("idna"))
  262. 			special_char_count = 0
  263. 			for char in parsed.netloc:
  264. 				if not char == ".":
  265. 					if not char.encode("utf-8") == char.encode("idna"):
  266. 						print("Special char detected")
  267. 						self._spam = 1
  268. 

  269. 	def aiPredict(self,data):
  270. 		with open("aiModel","rb") as m:
  271. 			aiModel = pickle.load(m)
  272. 			ai_in = (data["dir_num"], data["index_num"], data["length"], data["out_resources"], data["robots_entries"], data["special_char_num"], data["subdomain_len"], data["subdomain_num"], data["tld_trust"])
  273. 			return aiModel.predict(numpy.reshape(ai_in,(1, 9)))
  274. 

  275. 	def find_list_resources (self,tag, attribute,soup):
  276. 		list = []
  277. 		for x in soup.findAll(tag):
  278. 			try:
  279. 				list.append(x[attribute])
  280. 			except KeyError:
  281. 				pass
  282. 		return(list)
  283. 

  284. 	def get_url_data(self,url,yandex,timeout=30):
  285. 		data = {}
  286. 		data["length"] = (len(url.split("://")[1].split("?")[0]))
  287. 		data["dir_num"] = (url.find("/")-2)
  288. 		parsed = urlparse(url.encode("idna").decode("utf-8").encode("utf-8").decode("idna"))
  289. 		hostname_split = parsed.hostname.split(".")
  290. 		data["tld_trust"] = int(hostname_split[-1].lower() in ["com", "org", "net"])
  291. 		data["subdomain_num"] = len(hostname_split) - 2
  292. 		data["subdomain_len"] = len("".join(hostname_split[:-2]))
  293. 		special_char_count = 0
  294. 		for char in parsed.hostname:
  295. 			if char == ".":
  296. 				continue
  297. 			if not char.encode("utf-8") == char.encode("idna"):
  298. 				special_char_count += 1
  299. 		data["special_char_num"] = special_char_count
  300. 		#Advanced data extraction
  301. 		try:
  302. 			data["index_num"] = int(yandex.search("site:{}".format(parsed.hostname)).found["all"])
  303. 		except yandex_search.NoResultsException:
  304. 			data["index_num"] = 0
  305. 		robot_entry_counter = 0
  306. 		try:
  307. 			response = requests.get("{}://{}/robots.txt".format(parsed.scheme, parsed.netloc), allow_redirects=True, verify=False, timeout=timeout)
  308. 			if response.status_code == 200:
  309. 				lines = response.text.split("\n")
  310. 				lines = [x for x in lines if x != ""]
  311. 				robot_entry_counter += len([x for x in lines if x[0] != "#"])
  312. 			else:
  313. 				pass
  314. 		except Exception as e:
  315. 			print(e)
  316. 		data["robots_entries"] = robot_entry_counter
  317. 		try:
  318. 			req = requests.get(url, verify=False, timeout=timeout)
  319. 			if req.status_code == 200:
  320. 				soup = BeautifulSoup(req.text,'html.parser')
  321. 				image_scr = self.find_list_resources('img',"src",soup)
  322. 				script_src = self.find_list_resources('script',"src",soup)
  323. 				css_link = self.find_list_resources("link","href",soup)
  324. 				all_links = image_scr + css_link + script_src
  325. 				out_links = []
  326. 				for link in all_links:
  327. 					parsed_link = urlparse(link)
  328. 					if parsed_link.hostname != parsed.hostname:
  329. 						out_links.append(link)
  330. 				data["out_resources"] = len(out_links)
  331. 			else:
  332. 				data["out_resources"] = -1
  333. 		except Exception as e:
  334. 			print(e)
  335. 			data["out_resources"] = -1
  336. 		return data
  337. 

  338. 	def check_url(self, url):
  339. 		yandex = yandex_search.Yandex(api_user='raporcubaba@gmail.com', api_key='03.1042294429:b8e679f9acadef49ebab0d9726ccef58')
  340. 		data = self.get_url_data(url,yandex,timeout=10)
  341. 		if self.aiPredict(data):
  342. 			self.add_domain_to_blacklist(url)
  343. 			self.spam_points += self.sensitivity
  344. 

  345. 	def check_js(self):
  346. 		for url in self.js_code:
  347. 			for js in self.js_code[url]:
  348. 				if self.check_blacklisted(url=js):
  349. 					self._spam = 1
  350. 				if self.check_js_code(self.js_code[js]):
  351. 					self.add_domain_to_blacklist(url)
  352. 					self.spam_points += self.sensitivity
  353. 

  354. 	def check_disallowed_chars(self, url_start, chars=["<", ">", "'", "\""]):
  355. 		url = url_start
  356. 		for char in chars:
  357. 			if char in url:
  358. 				return True
  359. 			if urllib.parse.quote_plus(char) in url:
  360. 				return True
  361. 			if urllib.parse.quote_plus(urllib.parse.quote_plus(char)) in url:
  362. 				return True
  363. 		return False
  364. 

  365. 	def check_tld(self,url):
  366. 		if urlparse(url).hostname.split(".")[-1] in ["info","tk","gq"]:
  367. 			self._spam = 1
  368. 

  369. 	def check_domain_name(self,url):
  370. 		pass # TODO fill this up
  371. 

  372. 	def discover_url(self,urls):
  373. 		for url in urls:
  374. 			foo = False
  375. 			for i in self.documents:
  376. 				if urlparse(url).hostname == urlparse(i).hostname:
  377. 					foo = True
  378. 			if foo:
  379. 				continue
  380. 			while 1:
  381. 				if self.check_whitelist(url=url):
  382. 					break
  383. 				if self.check_blacklisted(url=url):
  384. 					self._spam = 1
  385. 					return
  386. 				self.log.info(url)
  387. 				self.check_disallowed_chars(url)
  388. 				self.keyword_search(url)
  389. 				self.check_xss(url)
  390. 				self.check_url(url)
  391. 				self.check_tld(url)
  392. 				self.check_domain_name(url)
  393. 				try:
  394. 					r = requests.get(url, allow_redirects=False)
  395. 				except requests.exceptions.ConnectionError:
  396. 					break
  397. 				#detect all status codes in the format 3xx
  398. 				try:
  399. 					self.documents[url] = r.content.decode()
  400. 					for i in self.extract_urls(self.documents[url]):
  401. 						foo = False
  402. 						for i in self.documents:
  403. 							if urlparse(url).hostname == urlparse(i).hostname:
  404. 								foo = True
  405. 						if foo:
  406. 							continue
  407. 						skip = False
  408. 						for j in SKIP:
  409. 							if j in i:
  410. 								skip = True
  411. 						if skip:
  412. 							continue
  413. 						foo = []
  414. 						foo.append(i.strip())
  415. 						self.discover_url(foo)
  416. 				except UnicodeDecodeError:
  417. 					pass
  418. 				if r.status_code == 302 or r.status_code == 303:
  419. 					location = r.headers["location"]
  420. 					if location.startswith("http"):
  421. 						url = location
  422. 					else:
  423. 						url = "/".join(url.split("/")[:-1]) + location
  424. 					continue
  425. 				else:
  426. 					break
  427. 

  428. 	def keyword_search(self, url):
  429. 		keywords = self.mysql_db.cursor()
  430. 		keywords.execute("SELECT * FROM keywordlist;")
  431. 		result = keywords.fetchall()
  432. 		for row in result:
  433. 			if row[0] in url:
  434. 				if  ".".join(urlparse(url).hostname.split(".")[-2:]) != row[1]:
  435. 					self._spam = 1
  436. 

  437. 	def check_xss(self, url):
  438. 		malicious = self.check_disallowed_chars(url)
  439. 		if malicious:
  440. 			print("ADDED SPAM POINTS")
  441. 			self.spam_points += self.sensitivity
  442. 

  443. 	#TODO add deobfuscation
  444. 	def extract_javascript(self): #TODO not working
  445. 		p = re.compile(self.JS_IMPORT_REGEX)
  446. 		for doc in self.documents:
  447. 			self.js_code[doc] = []
  448. 			for url in p.findall(self.documents[doc]):
  449. 				r = requests.get(url, allow_redirects=False)
  450. 				if r.status_code == 200:
  451. 					self.js_code[doc].append(r.content)
  452. 			p = re.compile(self.JS_EXTRACT_REGEX)
  453. 			for js in p.findall(doc):
  454. 				if js != "":
  455. 					self.js_code[doc].append(js)
  456. 

  457. 	def extract_urls(self, doc): # Extract URLs from the documents and save them to the array urls_in_document
  458. 		p = re.compile(self.URL_REGEX)
  459. 		res = p.findall(doc)
  460. 		return res
  461. 

  462. 	def check_stored_xss(self):
  463. 		self.extract_javascript()
  464. 		for url in self.js_code:
  465. 			url_spam_count = 0
  466. 			for js in self.js_code[url]:
  467. 				if url_spam_count > 6:
  468. 					self.add_domain_to_blacklist(url)
  469. 				if self.check_blacklisted(url=url):
  470. 					self._spam = 1
  471. 					return
  472. 				if self.check_js_code(js):
  473. 					url_spam_count += 3
  474. 					self.spam_points += self.sensitivity
  475. 

  476. 	def check_js_code(self, code):
  477. 		parsedJs = jsParser.parseJavascript(code, False)
  478. 		return AI.aiPredict(parsedJs)
  479. 

  480. 	def log_mail(self):
  481. 		cursor = self.mysql_db.cursor()
  482. 		domain = getaddresses(self.parsed_mail.get_all('from', []))[0][1]
  483. 		cursor.execute(
  484. 			"INSERT INTO logs (sender_domain,result, account, mail_id) VALUES ('{}','{}','{}','{}')".format(domain,
  485. 																											self.get_spam(),
  486. 																											self.account,
  487. 																											self.mail_id))
  488. 		self.mysql_db.commit()
  489. 		cursor.close()
  490. 

  491. 	def check_spam(self):
  492. 		if self.whitelisted:
  493. 			self._spam = 0
  494. 			self.log_mail()
  495. 			return
  496. 		elif self.blacklisted:
  497. 			self._spam = 1
  498. 		else:
  499. 			self.discover_url(self.urls)
  500. 

  501. 			self.check_stored_xss()
  502. 			if self.threshold < self.spam_points:
  503. 				self._spam = 1
  504. 		if self.get_spam() == 1:
  505. 			self.log.info("Mail moved to spam with id: " + str(self.mail_id))
  506. 			if platform.system() == "Windows":
  507. 				notification.notify(
  508. 						title='Found spam mail by: ' + getaddresses(self.parsed_mail.get_all('from', []))[0][1],
  509. 						message=self.account,
  510. 						app_icon=None,
  511. 						timeout=10, )
  512. 			else:
  513. 				Notification(
  514. 						title='Found spam mail by: ' + getaddresses(self.parsed_mail.get_all('from', []))[0][1],
  515. 						description=self.account,
  516. 						duration=10,
  517. 						urgency=Notification.URGENCY_CRITICAL
  518. 				).send()
  519. 		self.log_mail()
  520. 

  521. 	def get_spam(self) -> int:
  522. 		if self.whitelisted:
  523. 			return 0
  524. 		return self._spam