techsneeze/dmarcts-report-parser

fixup Trustwave SEG reports

Mrten opened this issue · 2 comments

Mrten commented

Sometimes the parser thinks a message does not have a report:

----------------------------------------------------------------
Processing IMAP message with UID #17
----------------------------------------------------------------
Subject: Report Domain: afvalonline.nl Submitter: zeeland.nl Report-ID: <2018.3.21.3204>
MimeType: multipart/mixed
This is a multipart attachment
Skipped an unknown attachment
Skipped an unknown attachment
Could not find an embedded ZIP! The IMAP message with UID #17 does not seem to contain a valid DMARC report. Skipped.
Moving (copy and delete) processed IMAP message file to IMAP folder: Inbox.processed

This is because of a formatting error in the mail:

----=e6b1e617-42ae-4760-ac67-8328714cd151
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

This is a DMARC report generated by Trustwave SEG.

----=e6b1e617-42ae-4760-ac67-8328714cd151
ContentType: application/gzip;
	name="zeeland.nl!afvalonline.nl!1521020356!1521631697!3204.xml.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="zeeland.nl!afvalonline.nl!1521020356!1521631697!3204.xml.gz"

ContentType must be Content-Type...

I humbly suggest the following patch:

root@mx-2:/home/dmarcreport# diff -u dmarcts-report-parser dmarcts-report-parser.new
--- dmarcts-report-parser	2018-05-30 23:40:54.348653837 +0200
+++ dmarcts-report-parser.new	2018-05-30 23:39:26.860653839 +0200
@@ -436,6 +436,11 @@
 # itself is not checked to be a valid DMARC report.
 sub getXMLFromMessage {
 	my $message = $_[0];
+
+        # fixup type in trustwave SEG mails
+        $message =~ s/ContentType:/Content-Type:/;

 	my $parser = new MIME::Parser;
 	$parser->output_dir("/tmp");
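Review bot: The substitution on the added line `$message =~ s/ContentType:/Content-Type:/;` is unanchored and runs once over the whole raw message, so it rewrites the first `ContentType:` wherever it occurs (a body line or another header's value included) and leaves any later malformed part untouched. Anchoring it to the start of a line and applying it globally, as in `s/^ContentType:/Content-Type:/mg`, would limit it to lines that begin with the misspelled name and cover every part. The added comment says "fixup type" where "typo" seems meant, and the added lines are indented with spaces while the surrounding code uses tabs.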
@@ -499,7 +504,7 @@
 			} else {
 				# Skip the attachment otherwise.
 				if ($debug) {
-					print "Skipped an unknown attachment \n";
+					print "Skipped an unknown attachment (".lc $part->mime_type.")\n";
 				}
 				next; # of parts
 			}
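Review bot: In the changed print line, `lc $part->mime_type.")\n"` has no parentheses, and `.` binds tighter than the named unary operator `lc`, so `lc` is applied to the MIME type together with the trailing `")\n"`. The output is the same only because that suffix contains no letters; writing `lc($part->mime_type)` states the intent. The printed value also comes from the mail being processed, so consider restricting it to printable characters before it reaches the debug output.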

Thanks for the suggestion. I'm happy to take in Pull requests as well! I've added the suggestions though, and committed them.

Mrten commented

thanks!
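The failure discussed in this issue, as an added example that is not part of the thread or the project's code: it uses Python's standard `email` package instead of the project's Perl `MIME::Parser`, and shows the misspelled header making the gzip part fall back to the default type, then a repair applied to part headers only. The message, boundary, file name and report XML are constructed, and the function names are hypothetical.

```python
import base64
import gzip
from email import message_from_bytes

# Constructed stand-in for a DMARC aggregate report (not real report data).
REPORT_XML = b"<feedback><report_id>constructed-1</report_id></feedback>"
B64 = base64.b64encode(gzip.compress(REPORT_XML)).decode()

# Constructed message; the text body mentions "ContentType:" on purpose.
RAW = "\n".join([
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; charset="iso-8859-1"',
    "",
    "Note: ContentType: is not a valid header name.",
    "--b1",
    'ContentType: application/gzip; name="report.xml.gz"',
    "Content-Transfer-Encoding: base64",
    "",
    B64,
    "--b1--",
    "",
]).encode()

def leaf_types(msg):
    """MIME type the parser assigns to each non-multipart part."""
    return [p.get_content_type() for p in msg.walk() if not p.is_multipart()]

def repair_parts(msg):
    """Move a misspelled ContentType header to Content-Type, part by part."""
    fixed = 0
    for part in msg.walk():
        bad = part.get("ContentType")
        if bad is not None and part.get("Content-Type") is None:
            part["Content-Type"] = bad
            del part["ContentType"]
            fixed += 1
    return fixed

def extract_reports(msg):
    """Decompress every part typed application/gzip."""
    return [gzip.decompress(p.get_payload(decode=True))
            for p in msg.walk() if p.get_content_type() == "application/gzip"]

if __name__ == "__main__":
    msg = message_from_bytes(RAW)
    print(leaf_types(msg), repair_parts(msg), leaf_types(msg), extract_reports(msg))
```

Because the repair works on parsed part headers, the text body that happens to contain `ContentType:` is left as it was.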