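--- Flag SMTP messages whose sender e-mail domain does not appear in the
-- claimed sender domain: tag the message and raise a medium alarm.
--
-- Reads the "smtp" fields `sender_domain` and `sender_email` from the DPI
-- message, lowercases both, stores the e-mail's domain part in the custom
-- field `sender_email_domain`, and on a mismatch also stores `sender_domain`
-- and `sender_domain_mismatch = 'true'`, triggers the alarm and logs via
-- EZINFO. Sender domains containing "gmail" or "google" are exempt.
--
-- Fix: a `sender_email` without an '@' previously raised a Lua
-- arithmetic-on-nil error (string.find returned nil, then `nil + 1`),
-- aborting the rule; such malformed addresses are now skipped silently.
--
-- @param dpiMsg     DPI message handle supplied by the rule engine
-- @param ruleEngine rule engine handle, forwarded to TriggerUserAlarm
-- @return nothing
function Flow_SMTPDomainMismatch (dpiMsg, ruleEngine)
  require('LOG') -- provides the EZINFO logger used below

  -- only SMTP traffic is inspected
  if GetLatestApplication(dpiMsg) ~= "smtp" then
    return
  end

  local sender_domain = GetString(dpiMsg, "smtp", "sender_domain")
  if sender_domain == nil or sender_domain == '' then
    return
  end
  sender_domain = string.lower(sender_domain)

  local sender_email = GetString(dpiMsg, "smtp", "sender_email")
  if sender_email == nil or sender_email == '' then
    return
  end

  -- domain part = everything after the first '@' (kept for compatibility
  -- with the previous behaviour); an address with no '@' is ignored
  -- instead of raising an error
  local at = string.find(sender_email, '@', 1, true)
  if at == nil then
    return
  end
  local sender_email_domain = string.sub(sender_email, at + 1)
  if sender_email_domain == '' then
    return
  end
  sender_email_domain = string.lower(sender_email_domain)
  SetCustomField(dpiMsg, "sender_email_domain", sender_email_domain)

  -- Plain (non-pattern) substring test so that a claimed host such as
  -- mail.example.com still matches the e-mail domain example.com.
  -- NOTE(review): a substring test also accepts partial matches like
  -- "x.co" inside "x.com"; consider a suffix/label-boundary match if
  -- that causes missed detections.
  local matches = string.find(sender_domain, sender_email_domain, 1, true) ~= nil
  local exempt = string.find(sender_domain, 'gmail', 1, true) ~= nil
    or string.find(sender_domain, 'google', 1, true) ~= nil
  if matches or exempt then
    return
  end

  -- mismatch: tag the message, alarm and log
  SetCustomField(dpiMsg, "sender_domain", sender_domain)
  SetCustomField(dpiMsg, "sender_domain_mismatch", 'true')
  TriggerUserAlarm(dpiMsg, ruleEngine, 'medium')
  EZINFO('domain mismatch, sender domain: ' .. sender_domain
    .. ', email domain: ' .. sender_email_domain
    .. ', UUID: ' .. GetUuid(dpiMsg))
end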