Code: Junk Email Downloader

So a while back someone on Twitter (sorry, can't remember who) mentioned that when looking for sources of malware to analyse you shouldn't overlook your junk/spam emails. What a good idea, I thought; let's write some code to do that for me.

I've quickly thrown together my "Junk Email Downloader" Python script, which can be found HERE.

The idea is that you have a mailbox that is used only for JUNK (I use Hotmail, as I get a lot of junk via that account). The script connects to any POP3 server and downloads the emails (and deletes them afterwards, so you've been warned). Once it has downloaded the emails it pulls out the sender IP and a list of any URLs it finds (based on href tags). It does a bit of GeoIP analysis on both (so you need the MaxMind database) and writes the results out to a text file (I will look at making more use of that later).

After that it makes an HTTP request to each URL, checking whether it gets a 200 response back (just to make sure the URLs are still available). For each 200 response it then submits the URL to VirusTotal via their API for analysis (sorry about the multiple requests, guys).
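To make the parsing steps above concrete, here is an added, self-contained Python example (my editorial addition, not the script linked from this post). It works on one constructed message standing in for a mail fetched over POP3: it pulls the originating IP from the Received headers, collects href targets (and, going a little beyond the post, bare URLs in the plain-text part), and keeps only the links that answer 200. The GeoIP lookup, the VirusTotal submission and the POP3 delete are left out; the liveness check takes an injectable `fetch` callable so the whole thing runs offline, and all hostnames and addresses in the sample are made up.

```python
"""Parse a junk-mail message the way the post describes: originating IP
from the Received headers, href targets from the body, then a 200 check."""
import email
import ipaddress
import re
import urllib.error
import urllib.request
from email import policy
from html.parser import HTMLParser

# Constructed sample message (not a real spam), standing in for one fetched
# with poplib. Received headers are prepended as the mail travels, so the
# LAST one is the earliest hop and the one closest to the real sender.
SAMPLE_RAW = b"\r\n".join([
    b"Received: from mx.example.net (mx.example.net [198.51.100.7])",
    b"\tby mail.example.org with ESMTP; Tue, 1 Oct 2013 10:00:00 +0000",
    b"Received: from [192.168.1.20] (unknown [203.0.113.45])",
    b"\tby mx.example.net with SMTP; Tue, 1 Oct 2013 09:59:00 +0000",
    b"From: Lucky Winner <promo@example.com>",
    b"To: junk@example.org",
    b"Subject: You have won",
    b"MIME-Version: 1.0",
    b'Content-Type: multipart/alternative; boundary="b1"',
    b"",
    b"--b1",
    b"Content-Type: text/plain; charset=us-ascii",
    b"",
    b"Claim your prize at http://prize.example.com/claim?id=42",
    b"",
    b"--b1",
    b"Content-Type: text/html; charset=us-ascii",
    b"",
    b'<html><body><a href="http://prize.example.com/claim?id=42">Claim</a>',
    b'<a href="https://tracker.example.net/open">x</a>',
    b'<a href="mailto:promo@example.com">mail</a></body></html>',
    b"--b1--",
    b"",
])

IPV4_RE = re.compile(r"(?<!\d)\d{1,3}(?:\.\d{1,3}){3}(?!\d)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Addresses that can never be the remote sender: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    """True for private/loopback/link-local or malformed addresses."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def extract_sender_ip(msg):
    """Walk Received headers from the earliest hop upward and return the
    first non-internal IPv4, i.e. the host that handed the mail to the first
    relay. Hops below the one your own MX wrote are attacker-controlled text,
    so treat the result as a lead, not a fact."""
    for received in reversed(msg.get_all("Received", [])):
        for ip in IPV4_RE.findall(str(received)):
            if not is_internal(ip):
                return ip
    return None


class HrefCollector(HTMLParser):
    """Collect href attribute values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def extract_urls(msg):
    """http(s) links from every text part, order preserved, de-duplicated.
    mailto:/javascript: hrefs are dropped since they cannot be fetched."""
    found = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = HrefCollector()
            collector.feed(part.get_content())
            found.extend(collector.hrefs)
        elif ctype == "text/plain":
            found.extend(URL_RE.findall(part.get_content()))
    seen, urls = set(), []
    for url in found:
        if url.startswith(("http://", "https://")) and url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def fetch_status(url, timeout=10):
    """Real liveness check with urllib (follows redirects). Run this from a
    throwaway network: a GET on a spam link tells the sender the mailbox is
    live and may pull down whatever the redirect chain serves."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code
    except (urllib.error.URLError, OSError):
        return None


def live_urls(urls, fetch=fetch_status):
    """URLs that answered 200; `fetch` is injectable for offline testing."""
    return [u for u in urls if fetch(u) == 200]


def analyse(raw, fetch=fetch_status):
    """Full pass over one raw RFC 822 message: sender IP, URLs, live URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = extract_urls(msg)
    return {"sender_ip": extract_sender_ip(msg), "urls": urls,
            "live": live_urls(urls, fetch)}


if __name__ == "__main__":
    # Offline run with a fake fetch: pretend only the prize link is still up.
    print(analyse(SAMPLE_RAW, fetch=lambda u: 200 if "prize" in u else 404))
```

Swap the lambda for the default `fetch_status` to do the real check, and hang the GeoIP and VirusTotal calls off `analyse()`'s return value. Keep the POP3 `dele` until after the report has been written to disk, otherwise a crash mid-run loses the sample for good.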

It's still a work in progress, but at over 100 lines of code it's the biggest script I've ever written, so hopefully you might find it useful. Once I've tweaked it a bit I'm going to run it on my Raspberry Pi, the idea being that it will run once an hour or so.

In the future I will add some more VirusTotal API calls, such as IP/domain lookups, and build in Cuckoo Sandbox API calls so you can submit the URLs to your own sandbox for analysis.

Have fun and let me know what you think.
