
https://github.com/b0lg0r0v/elyzer

Elyzer is an email header analyzer, written in python, capable of detecting potential spoofing attempts.

e-mail email-analyzer email-header-analysis email-header-forensics spf-record-check spoofing-detection spoofing-emails




README


# Elyzer



# Table of Contents

- [Elyzer](#elyzer)
* [Description](#description)
* [General Informations](#general-informations)
* [Installation](#installation)
* [Usage](#usage)
* [Features](#features)
* [To-Do](#to-do)
* [Community Projects](#community-projects)
* [Notes](#notes)
* [Disclaimer](#disclaimer)

## Description

Elyzer is an e-mail header analyzer capable of detecting potential spoofing attempts. It will give you general information about the e-mail, the route it took, important security headers and the phishing / spoofing results.

:warning: *This project is under active development, and changes will be made frequently. As it is still in the early stages, bugs may be present.*

## General Informations

- Before using this tool, make sure the e-mail header is formatted correctly. This tool parses the header according to RFC 822.
- This tool can ONLY use the spoofing / phishing function if the header contains the IPv4 address of the sender's SMTP server. IPv6 addresses are currently not supported.
- Microsoft e-mail services use IPv6 addresses, which on top of that are proxies. Finding the source address is very difficult, if not simply impossible.
- PLEASE DO NOT RELY ONLY ON THIS TOOL. Elyzer cannot guarantee you 100% accuracy.

## Installation

**For Unix users:**
```
git clone https://github.com/B0lg0r0v/Elyzer.git
cd Elyzer
python -m pip install -r requirements.txt
```

To use the `-pa` argument, you need one API key from Driftnet:

- Driftnet API Key (https://driftnet.io)

Create an environment variable called `DRIFTNET_API` and insert your key as a value.

```
# On Unix systems
export DRIFTNET_API=

# On Windows
set DRIFTNET_API=
```

## Usage
Using Elyzer is quite intuitive. Pass the header file with the *-f* argument.

**Unix:**
```
python3 elyzer.py -f
```

Full Elyzer options:

```
options:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Give the E-Mail Header as a file.
  -pa, --passive        Enables the passive mode. DNS resolution is performed passively through Driftnet
                        for better OPSEC. You need to add "DRIFTNET_API" as an environment variable to
                        use this feature.
  -nd, --no-dns         Enables the no-dns mode. No DNS resolution is performed for best OPSEC. This heavily affects
                        the results !
  -q, --quiet           Quiet mode. Disables banner.
  -j, --json            EXPERIMENTAL FEATURE. Output the results in JSON format.
  -v, --version         show program's version number and exit
  -a ATTACHEMENT, --attachement ATTACHEMENT
                        Check if the file is malicious.
```

Elyzer performs various DNS lookups to compare values for the spoofing function. This could raise OPSEC concerns, especially when dealing with a targeted attack.

If you have OPSEC concerns, you can now use the `-pa` argument to perform DNS lookups passively. This way, you’re no longer *directly* interacting with potential malicious domains, but *indirectly*, making it harder for an adversary to track. However, this CAN impact the results.

```
python3 elyzer.py -f -pa
```

If you want the best OPSEC, you can use the `-nd` argument, which enables 'No DNS / Paranoid' mode. This disables all DNS lookups, allowing you to use Elyzer entirely offline. However, be aware that this will significantly impact the results!

```
python3 elyzer.py -f -nd
```

Additionally, you can pass a file to Elyzer with the `-a` argument. It will then generate a VirusTotal link for you, where you can see whether the file is potentially malicious or not.

```
python3 elyzer.py -f -a
```

## Features
Here's a quick overview of Elyzer's features:
- Print general e-mail information
- Print relay routing with timestamps
- Print security headers and check if set correctly
- Print interesting headers such as "Envelope-From"
- Print MS-Exchange Headers
- Spoofing / Phishing analyzer with optional passive DNS lookup
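As an added illustration of what a header analysis along these lines involves (example code written for this page, not Elyzer's own implementation): it parses a constructed RFC 822 style header with Python's standard `email` module, walks the `Received` chain oldest-first with timestamps, pulls the first IPv4 literal from the earliest hop (IPv6 is deliberately not handled, matching the limitation noted under General Informations), reads the SPF / DKIM / DMARC verdicts from `Authentication-Results`, and flags a mismatch between the `From` and `Return-Path` domains. No DNS lookups are performed, so it runs fully offline; every host name, address and id in the sample header is made up.

```python
"""Minimal offline e-mail header triage (added example, not Elyzer's code)."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header. Received lines appear newest-first because each
# MTA prepends its own line. All names, IPs and ids below are made up.
SAMPLE_HEADER = b"""\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby mail.example.org with ESMTPS id abc123;
\tTue, 05 Mar 2024 10:01:03 +0000
Received: from relay.example.com ([198.51.100.7])
\tby mx.example.net with ESMTP id def456;
\tTue, 05 Mar 2024 10:00:58 +0000
Authentication-Results: mail.example.org; spf=fail smtp.mailfrom=example.com;
\tdkim=none; dmarc=fail header.from=example.com
From: CEO <ceo@example.com>
Return-Path: <bounce@evil.example>
To: victim@example.org
Subject: Urgent wire transfer
Date: Tue, 05 Mar 2024 10:00:50 +0000

"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
BAD_VERDICTS = {"fail", "softfail", "permerror", "temperror"}


def _unfold(value):
    """Collapse RFC 822 folding whitespace into single spaces."""
    return " ".join(str(value).split())


def received_chain(msg):
    """Relay hops oldest-first as (hop_text, datetime or None)."""
    hops = []
    for raw in msg.get_all("Received", []):
        text = _unfold(raw)
        # The timestamp follows the last ';' in a Received clause.
        head, sep, date_part = text.rpartition(";")
        when = None
        if sep and date_part.strip():
            try:
                when = parsedate_to_datetime(date_part.strip())
            except (TypeError, ValueError):
                when = None
        hops.append((head.strip() if sep else text, when))
    hops.reverse()  # last header written = first hop taken
    return hops


def originating_ipv4(hops):
    """First IPv4 literal in the earliest hop; None if absent (IPv6 ignored)."""
    if not hops:
        return None
    match = IPV4_RE.search(hops[0][0])
    return match.group(0) if match else None


def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results, first one wins."""
    results = {}
    for raw in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(_unfold(raw)):
            results.setdefault(method, verdict.lower())
    return results


def domain_of(addr):
    """Lower-cased domain part of 'Name <user@host>' or '<user@host>'."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def spoofing_indicators(msg):
    """Cheap header-only spoofing signals: domain mismatch and failed auth."""
    findings = []
    from_dom, rp_dom = domain_of(msg.get("From")), domain_of(msg.get("Return-Path"))
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")
    for method, verdict in auth_results(msg).items():
        if verdict in BAD_VERDICTS:
            findings.append(f"{method.upper()} result is {verdict}")
    return findings


def analyze(raw_header):
    """Parse the header bytes and return the collected facts as a dict."""
    msg = email.message_from_bytes(raw_header)
    hops = received_chain(msg)
    return {
        "hops": hops,
        "origin_ipv4": originating_ipv4(hops),
        "auth": auth_results(msg),
        "findings": spoofing_indicators(msg),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADER)
    for hop, when in report["hops"]:
        print(when.isoformat() if when else "no timestamp", "|", hop)
    print("origin IPv4:", report["origin_ipv4"])
    print("auth:", report["auth"])
    for finding in report["findings"]:
        print("finding:", finding)
```

On the sample the earliest hop is `relay.example.com` at 198.51.100.7 and the analysis reports three findings: the `From` / `Return-Path` domain mismatch, the SPF failure and the DMARC failure. `dkim=none` is left out of the findings on purpose, since an unsigned message is not the same as a broken signature.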

*Spoofing / Phishing detection feature:*


## To-Do
- [ ] Add JSON output functionality.
- [x] Add a functionality to be able to passively query DNS information to reduce OPSEC concerns.
- [x] Switching entirely to the Driftnet API
- [ ] Optimize my garbage code :D

## Community Projects

Check out this awesome project by [@adriy-be](https://github.com/adriy-be): a WebUI for Elyzer!
Github repo: https://github.com/adriy-be/ElyzerWebUi

## Notes
Credits for the *getReceivedFields* & the *getFields* functions go to "spcnvdr", Copyright 2020.

Also, thanks to [@triggerfx](https://github.com/triggerfx) for the custom logo!

## Disclaimer
This tool was primarily created as a personal project to enhance my coding skills and to start creating some red team / blue team tools. It is not considered to be the most efficient tool out there.