I am getting fed up with the surprisingly professional looking SCAMS arriving in my Inbox.
I wanted to create an Automator action which would tell me who is the actual sender by looking up the IP it came from.
Normally if I get suspicious I would:
1-Show full header of the email (using All Headers)
2-Find and Look up the Originating IP address using who is
3- Decide based on actual IP location and owner what to do.
–This IP originates in Italy? So it is safe to say that AMEX would not use a server in Italy to send me such email.
I can use some help how to Automate the Steps 1 and 2 (and the 2.1) in mail.
Here are the samples;
The Email
The Header
The sample of the content of the html file
I found this Can I make Mail.app search Received: headers? which is along the way, but it does not answer the question.
PS:
I know I could just delete it and go on with life, but:
I would miss helping innocent people, informing them that their server was hacked and being used by Criminals, as I already did so successfully few times, helping to shut them down.
Once it was a Wells Fago web site on a server of a travel operator in Russia.
Another time it was a Visa website on a Restaurant server in Iceland. And now this one.
UPDATE..UPDATE…UPDATE…
I found this that comes close to what I want, but would need some tweaking. Unfortunately, it is way beyond my scripting ability so any help is appreciated:
modified May 27, 2003 by M. Kluskens
? parse out all Received headers (important if mail passes through several trusted email servers)
? parse out the IP address from Eudora Internet mail Server headers (EIMS)
? added trusted IP address list
*)
on perform_mail_action(info)
(* Prompt levels: 0=no dialog boxes, 1=show dialog boxes when Spam is found, 2=show all dialog boxes, 3 =debug/verbose *)
set ShowPrompts to 0
-- list of trusted IP addresses not to look up
set TrustedIPlist to {"127.0.0.1", "203.97.196.98", "219.88.68.80"}
set BlackListsToCheck to {"bl.spamcop.net", "relays.osirusoft.com", "relays.ordb.org", "blackholes.wirehub.net", "list.dsbl.org", "dynablock.wirehub.net", "dialups.visi.com"}
(* Perform a nslookup against various RBL blacklists as DNS queries by executing the following: *)
(* nslookup IP4.IP3.IP2.IP1.[blacklist], a result of 127.0.0.2 is ususlly indicative of a positive match *)
(* Some Blacklists: bl.spamcop.net, relays.ordb.org, orbs.dorkslayers.com, dev.null.dk, relays.visi.com
relays.osirusoft.com (a.k.a. SPEWS uses 127.0.0.4 as a positive match) *)
tell application "Mail"
(* Process messages in the IN Box *)
set NewMail to |SelectedMessages| of info
repeat with CurrentMessage in NewMail
set RawSource to source of CurrentMessage
-- separate out different headers to check more than just the first [] pair
set HeaderName to "Start" as string
set ResolvedIP to "Cleared" as string
set loopCount to 1
-- checking complete when Subject, Date, From, or To header encountered
repeat until (HeaderName = "Subject:" or HeaderName = "Date:" or HeaderName = "From:" or HeaderName = "To:")
set Header to paragraph loopCount of RawSource
set Headerstart to the (offset of ":" in Header)
if (Headerstart > 0) then
set HeaderName to (characters 1 thru Headerstart of Header) as string
-- append the rest of the header text to the header (plus any uninteresting headers)
repeat
set Header2 to paragraph (loopCount + 1) of RawSource
set HeaderStart2 to the (offset of ":" in Header2)
if (HeaderStart2 ? 0) then
set HeaderName2 to (characters 1 thru HeaderStart2 of Header2) as string
if (HeaderName2 = "Received:" or HeaderName2 = "Subject:" or HeaderName2 = "Date:" or HeaderName2 = "From:" or HeaderName2 = "To:") then exit repeat
end if
set loopCount to loopCount + 1
set Header to (Header & Header2)
end repeat
if (HeaderName = "Received:") then
(* Locate the Originating IP Address in the raw E-Mail header *)
-- Sendmail and others
set start to the (offset of "[" in Header) + 1
set finish to the (offset of "]" in Header) - 1
-- Eudora Internet Mail Server
if (start = 1 or finish = -1) then
set start to the (offset of "(" in Header) + 1
set finish to the (offset of ")" in Header) - 1
end if
if (start < finish) then
set IPAddress to (characters start thru finish of Header) as string
if (ShowPrompts > 2) then
display dialog " Relay's IP " & IPAddress
end if
if (IPAddress is not in TrustedIPlist) then
(* Parse the IPAddress text into its IP1.IP2.IP3.IP4 fields, starting from the end IP4 to IP1 *)
copy text (((length of IPAddress) + 2) - ((offset of "." in (reverse of characters of IPAddress) as string))) thru (length of IPAddress) of IPAddress to IP4
copy text 1 thru ((length of IPAddress) - ((offset of "." in (reverse of characters of IPAddress) as string))) of IPAddress to IPAddress
copy text (((length of IPAddress) + 1) - ((offset of "." in (reverse of characters of IPAddress) as string))) thru (length of IPAddress) of IPAddress to IP3
copy text 1 thru ((length of IPAddress) - ((offset of "." in (reverse of characters of IPAddress) as string))) of IPAddress to IPAddress
copy text (((length of IPAddress) + 1) - ((offset of "." in (reverse of characters of IPAddress) as string))) thru (length of IPAddress) of IPAddress to IP2
copy text 1 thru ((length of IPAddress) - ((offset of "." in (reverse of characters of IPAddress) as string))) of IPAddress to IP1
repeat with BlackList in BlackListsToCheck
set LookUpResult to do shell script ("nslookup " & IP4 & IP3 & IP2 & "." & IP1 & "." & BlackList)
(* Parse the tail end of the last line looking for a match *)
set resultoffset to (((length of LookUpResult) + 1) - (offset of ":" in (((reverse of characters of LookUpResult)) as string)))
copy text (resultoffset + 3) thru (resultoffset + 10) of LookUpResult to ResolvedIP
if ResolvedIP = "127.0.0." then
set ResolvedIP to "SPAM!!!" as string
else
set ResolvedIP to "Cleared" as string
end if
if (ResolvedIP = "SPAM!!!") then exit repeat
end repeat
end if -- ( IPAddress is not is TrustedIPlist)
end if -- ( start < finish )
end if -- ( Headername = "Received:" )
end if -- ( Headerstart > 0 )
set loopCount to loopCount + 1
if (ResolvedIP = "SPAM!!!") then exit repeat
end repeat -- until
(* If it was listed in the RBL Move message to Junk folder and mark as Junk mail *)
if (ResolvedIP = "SPAM!!!") then
if (ShowPrompts > 0) then
display dialog "Found SPAM listed on " & BlackList & "
Move Message to Junk Mail" & "
From: " & (sender of CurrentMessage) & "
Subject: " & (subject of CurrentMessage)
end if
set is junk mail of CurrentMessage to true
-- change this line to match your junk/spam mailbox
set mailbox of CurrentMessage to mailbox "Junk"
else
if (ShowPrompts > 1) then
display dialog ResolvedIP & " Sender's IP " & IP1 & IP2 & IP3 & "." & IP4 & "
From: " & (sender of CurrentMessage) & "
Subject: " & (subject of CurrentMessage)
end if
end if
end repeat
end tell
end perform_mail_action
[/code]
Best Answer
It does not appear that Automator by itself has enough vocabulary to perform this task, but with a little Applescript you can get there.
If you've upgraded to Mavericks you can use a library to add ICU regular expressions to your script, but awk, sed, and Perl give you plenty of parsing power without them.
I run Applescript on my system using FastScripts or Keyboard Maestro but an Automator service should work as well.
Note that this script is not a complete answer to your problem but provides most of the tools you need solve it.
-ccs