find_phishing_replies.pl
#!/usr/bin/perl -T
#
# find_phishing_replies.pl, DESCRIPTION
#
# Copyright (C) 2008 Jesse Thompson
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# $Id: find_phishing_replies.pl,v 1.2 2008/03/28 22:29:31 zjt Exp $
# Jesse Thompson <[email protected]>
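use strict;
use warnings;

# the local path to the addresses file: one "address,type,date" record per
# line, lines starting with '#' are comments
# http://anti-phishing-email-reply.googlecode.com/svn/trunk/phishing_reply_addresses
my $addresses_file = 'phishing_reply_addresses';

# what to match in the log file prior to the address
my $pre_re = 'tcp_\w+\s+avs\w?\s+\w+\s\d+\s[^\s]+\srfc822;';

# what to match in the log file after the address matches
my $post_re = '\s';

# what an address looks like in the first field of an addresses-file record.
# The TLD is no longer capped at 4 characters: with \w{2,4} a longer TLD was
# silently truncated in the capture (e.g. ".museum" became ".muse").
my $addr_field_re = qr/^([.\w%+-]+@[\w.-]+\.\w{2,})/;

# load_addresses($file)
# Reads the addresses file and returns the list of addresses found in it.
# Comment lines and records whose first field does not look like an address
# are skipped. The original code matched unconditionally and then pushed $1,
# so a record that failed to match re-pushed the previous record's capture
# (or undef) instead of being dropped.
sub load_addresses {
    my ($file) = @_;
    open my $fh, '<', $file
        or die "unable to open $file $!";
    my @found = ();
    while ( my $line = <$fh> ) {
        next if $line =~ m/^#/;
        my ($addr) = split /,/, $line;
        # only keep a capture from a match on *this* record
        next unless defined $addr && $addr =~ $addr_field_re;
        push @found, $1;
    }
    close $fh or die "unable to close $file $!";
    return @found;
}

# build_address_regex($pre, $post, @addrs)
# Combines the address list into a single case-insensitive pattern of the
# form /$pre(addr1|addr2|...)$post/. Every address is passed through
# quotemeta so that '.', '+' and any other metacharacter present in the data
# file is matched literally rather than interpreted as pattern syntax; the
# address file is fetched from an external source and must not be able to
# alter the shape of the regex.
sub build_address_regex {
    my ($pre, $post, @addrs) = @_;
    my $alternation = join '|', map { quotemeta } @addrs;
    return qr/$pre($alternation)$post/i;
}

# get the list of addresses
my @addresses = load_addresses($addresses_file);

# an empty alternation "()" matches the empty string, which would turn the
# scan into "print every line that has the prefix" -- refuse to run instead
die "no addresses found in $addresses_file\n" unless @addresses;

# build the regex
my $re = build_address_regex( $pre_re, $post_re, @addresses );

# scan the logs
# NOTE: <> opens each @ARGV entry with two-argument open semantics, so an
# argument of the form "cmd |" is executed rather than read. Taint mode (-T)
# should reject that case; on perl 5.22+ the <<>> operator avoids the
# two-argument open entirely.
while ( my $line = <> ) {
    print $line if $line =~ $re;
}

print "\n\n----------------------\n";
print "scanned for addresses:\n";
for my $address ( @addresses ) {
    print "$address\n";
}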