MAIL FROM in smtp.bro

frenzy · September 26, 2006, 6:13pm

Hi folks,

I was wondering why the following code is commented out of smtp.bro? I
have a patch that looks for "MAIL FROM" and sets those as the
sender in the smtp logs. It adds a couple of functions to mimic the
structure of extract_recipient() etc. The functionality seems to work
well. All of the valid sender addresses seem to get captured, though I
have not done exhaustive testing for invalid addresses.

in policy/smtp.bro

508 # else if ( cmd == "MAIL" && code == 250 )
509 # smtp_command_mail(session, cmd_info);

However, if there is a reason why we shouldn't be doing this, I won't
submit the patch.

Thanks,

Randy

http://www.frenzy.org
"Sed Quis Custodiet Ipsos Custodes?" -Juvenal

Vern · September 29, 2006, 6:43am

I was wondering why the following code is commented out of smtp.bro?
...

in policy/smtp.bro

508 # else if ( cmd == "MAIL" && code == 250 )
509 # smtp_command_mail(session, cmd_info);

Huh, I don't know what's up with that. I've cc'd Ruoming (who I believe
wrote the original smtp.bro) in case he recalls.

Vern

Ruoming_Pang · September 29, 2006, 2:13pm

I don't remember either (Vern: I was about to ask you about it. :). I
think it should be fine to uncomment the code. Please let me know if
you have any problem after uncommenting it.

Thanks,
Ruoming

Topic		Replies	Views
re: Alternative from addresses in emails (diff output, and fixed) Zeek	1	46	May 6, 2022
Tracing email process Zeek	1	73	May 6, 2022
extract smtp objects Zeek	7	78	May 6, 2022
SMTP Analyzer Zeek	2	62	May 6, 2022
SMTP File Hash not consistent Zeek	1	76	May 6, 2022

MAIL FROM in smtp.bro

Related Topics