From 6c63a885795cdef7c75fc15609af7976296af431 Mon Sep 17 00:00:00 2001
From: Sascha Rommelfangen <sascha@rommelfangen.de>
Date: Mon, 29 May 2017 15:36:27 +0200
Subject: [PATCH] identify forwarded messages

---
 mail_to_misp_config.py-example | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/mail_to_misp_config.py-example b/mail_to_misp_config.py-example
index 56814a0..d98f91f 100644
--- a/mail_to_misp_config.py-example
+++ b/mail_to_misp_config.py-example
@@ -31,5 +31,8 @@ malwaretags = { 'locky':    [ 'ecsirt:malicious-code="ransomware"', 'misp-galaxy
 dependingtags = { 'tlp:white': [ 'circl:osint-feed' ]
                 }
 
+# Known identifiers for forwarded messages 
+forward_identifiers = { b'-------- Forwarded Message --------', b'Begin forwarded message:' }
+
 # Tags to add when hashes are found (e.g. to do automatic expansion)
 hash_only_tags = { 'TODO:VT-ENRICHMENT' }