
#!/usr/bin/env python3
import multiprocessing.dummy
from generator import get_version, write_to_file, Dns, consolidate_networks, create_resolver
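# Source: https://github.com/mailcheck/mailcheck/wiki/List-of-Popular-Domains
#
# Mail domains whose SPF records and MX hosts are resolved (see the __main__
# block below) to build the "known SMTP sending/receiving IPs" warninglists.
# Things to keep in mind when extending this list:
#   * Every published range is derived from live DNS at generation time, so the
#     resolver path (create_resolver() in generator.py) is part of the trust
#     boundary: a spoofed or tampered answer becomes a "known good" range.
#   * Large providers publish very broad SPF includes. Any address inside those
#     ranges will be treated as a probable false positive by consumers of the
#     warninglist, so add domains deliberately rather than generously.
#   * Keep entries unique: each one costs DNS lookups and a duplicate adds
#     nothing. Do not rely on write_to_file() to dedupe for you.
domains = [
    # Default domains included
    "aol.com", "att.net", "comcast.net", "facebook.com", "gmail.com", "gmx.com", "googlemail.com",
    "google.com", "hotmail.com", "hotmail.co.uk", "mac.com", "me.com", "mail.com", "msn.com",
    "live.com", "sbcglobal.net", "verizon.net", "yahoo.com", "yahoo.co.uk",
    # Other global domains
    "email.com", "fastmail.fm", "games.com", "gmx.net", "hush.com", "hushmail.com", "icloud.com",
    "iname.com", "inbox.com", "lavabit.com",
    "love.com", "outlook.com", "pobox.com", "protonmail.ch", "protonmail.com", "tutanota.de", "tutanota.com",
    "tutamail.com", "tuta.io",
    "keemail.me", "rocketmail.com", "safe-mail.net", "wow.com", "ygm.com",
    "ymail.com", "zoho.com", "yandex.com",
    # United States ISP domains
    "bellsouth.net", "charter.net", "cox.net", "earthlink.net", "juno.com",
    # British ISP domains
    "btinternet.com", "virginmedia.com", "blueyonder.co.uk", "live.co.uk",
    "ntlworld.com", "orange.net", "sky.com", "talktalk.co.uk", "tiscali.co.uk",
    "virgin.net", "bt.com",
    # Domains used in Asia
    "sina.com", "sina.cn", "qq.com", "naver.com", "hanmail.net", "daum.net", "nate.com", "yahoo.co.jp", "yahoo.co.kr",
    "yahoo.co.id", "yahoo.co.in", "yahoo.com.sg", "yahoo.com.ph", "163.com", "yeah.net", "126.com", "21cn.com",
    "aliyun.com", "foxmail.com",
    # French ISP domains
    "hotmail.fr", "live.fr", "laposte.net", "yahoo.fr", "wanadoo.fr", "orange.fr", "gmx.fr", "sfr.fr", "neuf.fr",
    "free.fr",
    # German ISP domains
    "gmx.de", "hotmail.de", "live.de", "online.de", "t-online.de", "web.de", "yahoo.de",
    # Italian ISP domains
    "libero.it", "virgilio.it", "hotmail.it", "aol.it", "tiscali.it",
    "alice.it", "live.it", "yahoo.it", "email.it", "tin.it", "poste.it", "teletu.it",
    # Russian ISP domains ("yandex.com" is already listed under the global domains)
    "bk.ru", "inbox.ru", "list.ru", "mail.ru", "rambler.ru", "yandex.by", "yandex.kz", "yandex.ru",
    "yandex.ua", "ya.ru",
    # Belgian ISP domains
    "hotmail.be", "live.be", "skynet.be", "voo.be", "tvcablenet.be", "telenet.be",
    # Argentinian ISP domains
    "hotmail.com.ar", "live.com.ar", "yahoo.com.ar", "fibertel.com.ar", "speedy.com.ar", "arnet.com.ar",
    # Domains used in Mexico
    "yahoo.com.mx", "live.com.mx", "hotmail.es", "hotmail.com.mx", "prodigy.net.mx",
    # Domains used in Canada
    "yahoo.ca", "hotmail.ca", "bell.net", "shaw.ca", "sympatico.ca", "rogers.com",
    # Domains used in Brazil
    "yahoo.com.br", "hotmail.com.br", "outlook.com.br", "uol.com.br", "bol.com.br", "terra.com.br", "ig.com.br",
    "r7.com", "zipmail.com.br", "globo.com", "globomail.com", "oi.com.br",
    # Custom extension
    # Domains used in Czechia
    "seznam.cz", "atlas.cz", "centrum.cz",
]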
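# Attribute types both lists are matched against by the consumer.
MATCHING_ATTRIBUTES = ["ip-src", "ip-dst", "domain|ip", "ip-src|port", "ip-dst|port"]

# Worker threads for the fan-out DNS lookups. The work is network-bound, hence
# threads (multiprocessing.dummy) rather than processes.
DNS_WORKERS = 40


def _flatten(groups) -> list:
    """Concatenate the per-domain result sequences returned by Pool.map into one list."""
    return [item for group in groups for item in group]


def _warninglist(name: str, description: str, entries: list) -> dict:
    """Build one 'cidr'-type warninglist record in the shape write_to_file() consumes.

    Both lists produced by this script share the same matching attributes and
    type, so the record layout lives in one place. Each record gets its own copy
    of MATCHING_ATTRIBUTES so a consumer mutating one record cannot affect the other.
    """
    return {
        'name': name,
        'version': get_version(),
        'description': description,
        'matching_attributes': list(MATCHING_ATTRIBUTES),
        'type': 'cidr',
        'list': entries,
    }


def main() -> None:
    """Resolve SPF ranges and MX addresses for `domains` and write both warninglists.

    There is deliberately no error handling here: an exception raised by the
    resolver or the Dns helpers propagates and aborts the run, so a partial list
    is not written silently. (NOTE(review): confirm the helpers raise on lookup
    failure rather than returning an empty result -- that is not visible here.)
    """
    dns = Dns(create_resolver())
    # The context manager tears the worker threads down even if a lookup raises;
    # the previous version left the pool open.
    with multiprocessing.dummy.Pool(DNS_WORKERS) as pool:
        # SPF: the networks each domain authorises to send mail on its behalf.
        spf_ranges = _flatten(pool.map(dns.get_ip_ranges_from_spf, domains))
        write_to_file(
            _warninglist(
                "List of known SMTP sending IP ranges",
                "List of IP ranges for known SMTP servers.",
                consolidate_networks(spf_ranges),
            ),
            "smtp-sending-ips",
        )

        # MX: the hosts that receive mail for each domain. Many domains share MX
        # hosts (the hotmail/live/outlook family, the yahoo.* family), so drop
        # duplicates while keeping first-seen order. Materialising a real list
        # also avoids handing a one-shot `map` iterator to write_to_file().
        mx_ips = _flatten(pool.map(dns.get_mx_ips_for_domain, domains))
        write_to_file(
            _warninglist(
                "List of known SMTP receiving IP addresses",
                "List of IP addresses for known SMTP servers.",
                list(dict.fromkeys(str(ip) for ip in mx_ips)),
            ),
            "smtp-receiving-ips",
        )


if __name__ == '__main__':
    main()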