
Copyright © 2017 infosecscripts.org. All Rights Reserved.

trackntrace - Symantec's MessageLabs Track and Trace automated

Scenario:

Your corporate emails are routed through Symantec's MessageLabs for email filtering (spam, malware, etc.). Your company got hit by a massive malspam campaign with randomized subjects, multiple sender addresses and sending IPs. You need to determine how many users received different variations of the malicious email to know whose machines are potentially infected.

Description:

The tool automates email lookups using Symantec Cloud's MessageLabs Track and Trace feature. The program talks to MessageLabs' portal the way any user would interact with the site using a normal browser. Once supplied with a valid pair of credentials and query parameters, it performs the search, periodically checks the status, and finally retrieves the search result.

The tool addresses some limitations of the Track and Trace feature and makes the following possible:

  • run a Track and Trace search programmatically, even though Symantec does not provide API access
  • specify multiple sender or recipient addresses and search them sequentially
  • specify multiple sending IPs, which is useful when you receive a list of network IOCs from threat intel sharing
  • retrieve all email logs of all your users without the portal timing out (i.e., when a single query would return too many results)

Requirements:

  • Access to Symantec Cloud's MessageLabs

Help Menu:
>python trackntrace.py -h
usage: trackntrace.py [-h] [-S QUERY_SUBJECT [QUERY_SUBJECT ...]]
                      [-s SENDER [SENDER ...]] [-r RECIPIENT [RECIPIENT ...]]
                      [-l LAST_HOP [LAST_HOP ...]] [-d [DAYS]] [-H [HOURS]]
                      [-M [MIN_DATE]] [-X [MAX_DATE]] [-o [OUTPUT]]

A program that uses Track and Trace feature of SymantecCloud Messagelabs to
locate emails.

optional arguments:
  -h, --help            show this help message and exit
  -S QUERY_SUBJECT [QUERY_SUBJECT ...], --query-subject QUERY_SUBJECT [QUERY_SUBJECT ...]
                        Specifies the email subject(s) to search for. Input
                        file is accepted.
  -s SENDER [SENDER ...], --sender SENDER [SENDER ...]
                        Retrieve all emails sent by this sender(s). Input file
                        is accepted.
  -r RECIPIENT [RECIPIENT ...], --recipient RECIPIENT [RECIPIENT ...]
                        Search all emails sent to this address(es). Input file
                        is accepted.
  -l LAST_HOP [LAST_HOP ...], --last-hop LAST_HOP [LAST_HOP ...]
                        Look for all emails that were sent by this IP
                        address(es). Input file is accepted.
  -d [DAYS], --days [DAYS]
                        No. of days prior to search for.
  -H [HOURS], --hours [HOURS]
                        No. of hours prior to search for.
  -M [MIN_DATE], --min-date [MIN_DATE]
                        Find all emails sent starting from this date. Date
                        format: Y-m-d_I:Mp. Example: 2017-07-25_02:43am
  -X [MAX_DATE], --max-date [MAX_DATE]
                        Find all emails sent up to this date. Date format:
                        Y-m-d_I:Mp. Example: 2017-07-25_08:20am
  -o [OUTPUT], --output [OUTPUT]
                        Where to write output report. Defaults to
                        trackandtrace_result.csv.

EXAMPLE: Search MessageLabs for emails sent to some users with a certain
subject over the last 5 days: "> python trackntrace.py -d 5 -S "Your Invoice
is Ready" -r user1@yourdomain.com user2@yourdomain.com
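The module below is an added example, not code from the trackntrace project. It shows the query-planning side of a tool like the one described above: expanding arguments that are either literals or input files, computing the search window from -d/-H or -M/-X with the help text's date format, building one search per value (the sample output shows one search per recipient), slicing a wide window into sub-windows so a broad query can be fetched piecewise instead of timing out, and answering the scenario's question (which users received which subject variation) from a result CSV. The function names, the CSV column names and the sample rows are assumptions constructed for the example; the portal login and status polling are not reproduced.

```python
"""Added example (not the trackntrace project's code): query planning and
result summarising for a Track and Trace style search. Portal calls are out
of scope; all names below are assumptions."""
import csv
import io
import os
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Date format documented by the help text for -M/-X: Y-m-d_I:Mp
DATE_FMT = "%Y-%m-%d_%I:%M%p"


def parse_window(days=None, hours=None, min_date=None, max_date=None, now=None):
    """Return (start, end). -M/-X take precedence; otherwise the window is
    the last N days/hours ending at `now` (assumed precedence, not the tool's)."""
    now = now or datetime.now()
    if min_date or max_date:
        if not min_date:
            raise ValueError("-X without -M is ambiguous; give a min-date too")
        start = datetime.strptime(min_date, DATE_FMT)
        end = datetime.strptime(max_date, DATE_FMT) if max_date else now
    else:
        span = timedelta(days=days or 0, hours=hours or 0)
        if span == timedelta(0):
            raise ValueError("need -d/-H or -M/-X to define a search window")
        start, end = now - span, now
    if start >= end:
        raise ValueError("min-date must be before max-date")
    return start, end


def expand_values(items):
    """Each CLI value is a literal or a path to a file with one value per
    line ('Input file is accepted'). Blanks and duplicates are dropped."""
    out = []
    for item in items or []:
        if os.path.isfile(item):
            with open(item, encoding="utf-8") as fh:
                values = [ln.strip() for ln in fh]
        else:
            values = [item.strip()]
        for v in values:
            if v and v not in out:
                out.append(v)
    return out


def build_searches(subjects=(), senders=(), recipients=(), last_hops=()):
    """One search per value per field, to be run sequentially; fields with
    no values stay blank in every search (matches the sample output)."""
    fields = {"subject": subjects, "sender": senders,
              "recipient": recipients, "last_hop": last_hops}
    searches = []
    for name, values in fields.items():
        for v in expand_values(list(values)):
            params = {k: "" for k in fields}
            params[name] = v
            searches.append(params)
    return searches


def split_window(start, end, max_hours=24):
    """Split [start, end) into sub-windows of at most max_hours, so a query
    that would return too many rows at once can be fetched in pieces."""
    chunks, step, cur = [], timedelta(hours=max_hours), start
    while cur < end:
        nxt = min(cur + step, end)
        chunks.append((cur, nxt))
        cur = nxt
    return chunks


def summarize(csv_text):
    """From a result CSV: distinct recipients per subject variation and the
    sending IPs seen. Column names are an assumption."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_subject, ips = defaultdict(set), Counter()
    for r in rows:
        by_subject[r["subject"]].add(r["recipient"].lower())
        ips[r["sending_ip"]] += 1
    everyone = set().union(*by_subject.values()) if by_subject else set()
    return {"emails": len(rows), "recipients": len(everyone),
            "by_subject": {s: len(u) for s, u in by_subject.items()},
            "sending_ips": dict(ips)}


# Constructed sample rows (not real data) in a plausible export shape.
SAMPLE_CSV = """recipient,sender,subject,sending_ip
user1@example.com,billing@example.net,Your Invoice is Ready,198.51.100.7
user2@example.com,billing@example.net,Your Invoice is Ready,198.51.100.7
USER1@example.com,acct@example.org,Invoice #4471 attached,203.0.113.9
user3@example.com,acct@example.org,Invoice #4471 attached,203.0.113.9
"""

if __name__ == "__main__":
    start, end = parse_window(days=3, now=datetime(2017, 7, 31, 12, 15))
    print("window:", start.strftime(DATE_FMT), "->", end.strftime(DATE_FMT))
    for s in build_searches(subjects=["Your Invoice is Ready"],
                            recipients=["user1@example.com", "user2@example.com"]):
        print("search:", s)
    print(len(split_window(start, end, max_hours=12)), "sub-windows")
    print(summarize(SAMPLE_CSV))
```

Recipients are lower-cased before counting so that case variants of one mailbox are not counted twice; the `by_subject` counts are what tell you how many users received each variation of the malspam and therefore which machines need a closer look.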

Sample Output:

>python trackntrace.py -r mark.alvarez@xxxxxxxxx.com mark.alvarez123[at]gmail.com -d 3

Logging on to Symantec Cloud... Success!!!

Searching all emails from  28-Jul-17_12:15PM to 31-Jul-17_12:15PM...
Search Parameters:
  Subject:
  Sender:
  Recipient: mark.alvarez@xxxxxxxxx.com
  Sending IP:
..
Done.

Found 81 emails from 28-Jul-17_12:15PM to 31-Jul-17_12:15PM

Searching all emails from  28-Jul-17_12:15PM to 31-Jul-17_12:15PM...
Search Parameters:
  Subject:
  Sender:
  Recipient: mark.alvarez123[at]gmail.com
  Sending IP:
...
Done.

Found 2 emails from 28-Jul-17_12:15PM to 31-Jul-17_12:15PM

Output written to: ".\trackandtrace_result.csv"
Total Search Made: 2
Total Emails Found: 83

Source Code:

Get it from github.