SpamScope/spamscope

Sender IP is always NULL

bmarsh9 opened this issue · 2 comments

Question:

I have noticed that the Sender IP is always Null in the JSON output. The sender IP is in fact in the original email. Is there a way I can change this or is it expected behavior? I would like to add more lookups (other than Virustotal and shodan) but want to make sure I'm looking in the right place.

Sometimes it is also in the "Return-Path" header.

Thank you

Hi @bm1391,

you asked me two questions.
The first one is about the IP address. Yes, it's possible to get the sender IP from the email; you should know the trust string. SpamScope can get the IP addresses if you set the trust string for every mailbox:

https://github.com/SpamScope/spamscope/blob/develop/conf/spamscope.example.yml#L31

    Extract a reliable sender IP address heuristically for each message.
    Although the message format dictates a chain of relaying IP
    addresses in each message, a malicious relay can easily alter that.
    Therefore we cannot simply take the first IP in
    the chain. Instead, our method is as follows.
    First we trust the sender IP reported by our mail server in the
    Received headers, and if the previous relay IP address is on our trust
    list (e.g. other well-known mail services), we continue to
    follow the previous Received line, till we reach the first unrecognized
    IP address in the email header.
    From article Characterizing Botnets from Email Spam Records:
        Li Zhuang, J. D. Tygar

For the second question see issue #15.
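The heuristic quoted above, as an added Python example that is not SpamScope's own code: the Received lines and the trusted-relay list are constructed, and the trust string is assumed to match the "by" side of the hop recorded by our own mail server.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample Received headers, topmost (our MX) first, as in a raw message.
RECEIVED = [
    "from relay.mailprovider.example (relay.mailprovider.example [203.0.113.7]) "
    "by mx.ourcompany.example with ESMTP id abc123 for <user@ourcompany.example>",
    "from smtp-out.mailprovider.example (smtp-out.mailprovider.example [203.0.113.9]) "
    "by relay.mailprovider.example with ESMTPS id def456",
    "from [198.51.100.23] (unknown [198.51.100.23]) "
    "by smtp-out.mailprovider.example with ESMTPA id ghi789",
]

HOP_RE = re.compile(r"\bfrom\b(?P<frm>.*?)\bby\b(?P<by>.*)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(received):
    """Split one Received line into (IP of the 'from' side or None, 'by' side text)."""
    m = HOP_RE.search(received)
    if not m:
        return None, ""
    ip_m = IP_RE.search(m.group("frm"))
    try:
        ip = str(ip_address(ip_m.group(1))) if ip_m else None
    except ValueError:
        ip = None
    return ip, m.group("by")


def sender_ip(received, trust_string, trusted_relays=()):
    """Walk the Received chain outward from our own server and return the first
    'from' IP that is not a trusted relay; None if the chain cannot be followed."""
    trusted = [ip_network(n) for n in trusted_relays]  # hypothetical CIDR/IP trust list
    hops = [parse_hop(r) for r in received]
    # Start at the hop our own server recorded: its 'by' side carries the trust string.
    start = next((i for i, (_, by) in enumerate(hops) if trust_string in by), None)
    if start is None:
        return None
    for ip, _ in hops[start:]:
        if ip is None:  # no usable IP on this hop: the chain is broken, stop
            return None
        if any(ip_address(ip) in net for net in trusted):
            continue  # trusted relay: follow the previous Received line
        return ip  # first unrecognized IP in the chain
    return None
```

Without a trust list the result is simply the IP that connected to our MX; a forged Received line below the trusted hops cannot change that, which is the point of anchoring the walk at our own server.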

I understand now. Thanks. Sorry for all the questions and issues! Hopefully other people have the same.