A script to submit email addresses seen in the message body of UCE to csirtg.io
- To demonstrate how to interact with csirtg using the csirtg SDK
- A csirtg account
- A csirtg account token; within csirtg:
  - Select your username
  - Select "tokens"
  - Select "Generate Token"
- A csirtg feed; within csirtg:
  - Select (the plus sign)
  - Select Feed
  - Choose a feed name (e.g. port scanners)
  - Choose a feed description (hosts blocked in firewall logs)
- A Linux mail server with procmail installed
  - procmail is only one way this script could be used
- Create a virtual environment for this project.
- Install py-cgmail and py-csirtgsdk within the virtual environment.
- Download the wf-email-addresses.py script

      $ wget https://raw.githubusercontent.com/giovino/wf-email-addresses/master/wf-email-addresses.py

- Edit wf-email-addresses.py to fill in (WHITEFACE_USER, WHITEFACE_FEED, WHITEFACE_TOKEN)
- Use procmail to feed spam email to the script on standard input. This is only an example; customize it for your environment.

      # Process spam emails to have the email addresses in the message body submitted
      # to csirtg
      :0 c
      * ^X-Spam-Level: \*\*\*\*\*
      | /path/to/venv/bin/python2.7 /path/to/wf-email-addresses.py
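
What the body-extraction step of such a pipeline can look like, as an added example (not the wf-email-addresses.py script itself). It uses only the Python 3 standard library and leaves out the csirtg submission; the function name, the regex and the sample message are constructed for illustration.

```python
import re
import sys
from email import message_from_bytes, policy

# Deliberately simple address pattern for illustration; not a full RFC 5322 parser.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample message (reserved .example domains), not real spam.
SAMPLE = b"""\
From: "Prize Dept" <sender@spam.example>
To: victim@mail.example
Subject: You won
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Reply to agent.smith@drop.example to claim.
--b1
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<a href=3D"mailto:Claims@Drop.Example">claim</a>
--b1--
"""

def body_addresses(raw):
    """Return sorted, de-duplicated addresses found in the text parts of the body."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = set()
    for part in msg.walk():
        # Only text body parts; headers, multipart containers and attachments are skipped.
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        try:
            text = part.get_content()  # undoes base64 / quoted-printable and the charset
        except LookupError:
            # Unknown charset label, common in spam: fall back to a lossless byte mapping.
            text = part.get_payload(decode=True).decode("latin-1")
        found.update(a.lower() for a in ADDR_RE.findall(text))
    return sorted(found)

if __name__ == "__main__":
    # Same calling convention as the procmail recipe: one message on standard input.
    for address in body_addresses(sys.stdin.buffer.read()):
        print(address)
```

Header addresses such as the `From:` and `To:` values are not reported, because only decoded body parts are scanned.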