/yaramail

A Python package and command line utility for scanning emails with YARA rules

Primary LanguagePythonApache License 2.0Apache-2.0

yaramail logo

yaramail

Python tests PyPI PyPI - Downloads

yaramail is a Python package and command line utility for scanning emails with YARA rules. It is ideal for automated triage of phishing reports.

CLI Demo

asciicast

Features

  • Scans all parts of an email via API or CLI
    • Headers
      • Removes header indents by default for consistent scanning
    • Plain text and HTML body content
      • Converts body content to Markdown by default for consistent scanning
    • Attachments
      • Raw file content
      • Emails attached to emails
      • PDF document text
      • ZIP file contents, including nested ZIP files
        • Uses message body content as a list of possible ZIP passwords
        • Customizable list of passwords to use when attempting to scan encrypted ZIP files
  • Provides a built-in methodology for categorizing emails
  • Parses Authentication-Results headers