A DMARC deployment/monitoring tool written in python.
- Bootstrap
- Rickshaw JS
- w3data.js. Can be found at: http://www.w3schools.com/lib/w3data.js
- python 2.7 (not tested with python 3)
- dnspython
- python MySQLdb
- python netaddr
- For DMARC email test:
- pydkim 3
- pyspf 2.0.12
- python email
- ssl
- Techsneeze's dmarc parser. Can be found at: https://github.com/techsneeze/dmarcts-report-parser/blob/master/dmarcts-report-parser.pl
- For Visualizations:
- Matplotlib
- numpy
- python Tkinter
- pyasn
- urllib
- json
- MySQL database
Make sure you place the database user credentials in the following files:
- parse.py
- counters.py
- graph.py
- dns-record-tracker.py
- bubble-chart.py
- heatMap-in.py
- heatMap-out.py
To use dns-record-tracker.py, insert the following table into the database named dmarc, which is created by the dmarc parser from Techsneeze:
| Column name | Type |
|---|---|
| dmarc | varchar(255) |
| spf | varchar(255) |
| dkim | varchar(255) |
| dateStamp | timestamp |
This tool is meant to give the domain owner an overview of the possible sources that can deliver DMARC reports.
Phase 1 consists of two files:
- parse.py
- html-output.py
Use parse.py to generate a CSV file that is accepted by html-output.py.
parse.py should be supplied with a file containing the mail log. An example:
python parse.py /var/log/mail.log
This will create a CSV file called output.csv which must be supplied to html-output.py:
python html-output.py output.csv
After running html-output.py, an HTML file called dm-phase1.html is created that holds the result.
This tool is meant to monitor the domain during the deployment/operation of DMARC. It provides various tools which include: current DMARC status, DMARC tester, authentication results and a DNS history tool.
Phase 2 consists of the following files with their corresponding output:
- domain-status.py -> domainstatus.html
- dmarc-EmailTest-client.py
- dmarc-EmailTest-server.py -> dmarcCheck.html
- sendTestMail.py
- counters.py -> counterTrust.html, counterForeign.html
- graph.py -> graphTrust.js, graphForeign.js
- dns-record-tracker.py
- spf-ip-extract.py
- trusted-list.txt
- dm-ph2.html
domain-status.py checks the presence of several important DMARC parameters and warns the user if any of these are not configured. Additionally the current DMARC record is displayed.
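The kind of check described above, as an added example that is not the project's domain-status.py. The tags it inspects (p, rua, ruf, pct, sp) and the warning texts are assumptions based on RFC 7489, the sample records in the test are constructed, and it is written for Python 3 rather than the project's Python 2.7.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; ...' into an ordered list of (tag, value)."""
    pairs = []
    for part in record.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_dmarc(record):
    """Return a list of warnings for one DMARC TXT record string."""
    pairs = parse_dmarc(record)
    # RFC 7489: the version tag must come first and must be exactly DMARC1
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return ["not a valid DMARC record: v=DMARC1 must be the first tag"]
    tags = dict(pairs)
    warnings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        warnings.append("p missing or invalid: no policy is published")
    elif policy == "none":
        warnings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        warnings.append("rua missing: no aggregate reports will be received")
    if "ruf" not in tags:
        warnings.append("ruf missing: no failure reports will be received")
    pct = tags.get("pct", "100")          # pct defaults to 100 when absent
    if not pct.isdigit() or int(pct) > 100:
        warnings.append("pct invalid: must be an integer from 0 to 100")
    elif int(pct) < 100:
        warnings.append("pct=%s: policy applies to only part of the mail" % pct)
    if "sp" not in tags:
        warnings.append("sp not set: subdomains inherit the p policy")
    return warnings


if __name__ == "__main__":
    # Constructed sample record
    for line in check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"):
        print("WARNING: " + line)
```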
dmarc-EmailTest-client.py is the client application that should have access to a remote mailbox. It polls the mailbox for any new message. If a message is found, it sends the message including the headers to the server over a secure channel. dmarc-EmailTest-server.py implements the server. The server listens for a client connection. If the client sends a message, it is evaluated for SPF and DKIM alignment. The results are written to dmarcCheck.html. For the secure connection, the user needs to create a certificate and a key. OpenSSL can do this:
openssl genrsa 2048 > key
openssl req -new -x509 -nodes -sha1 -days 365 -key key > cert
sendTestMail.py can automatically send a test mail to the reserved mailbox that
is used by dmarc-EmailTest-client.py.
counters.py generates statistics about authentication results. The results are divided into
two sections: Trusted and Unknown sources. Each section contains an IP list that displays
the IP addresses that fall within this category and the number of messages that they have sent.
Additionally, a set of counters shows the aggregate authentication results. These include SPF, DKIM and DMARC results. This script relies on the trusted hosts, which must be defined in trusted-list.txt. This can be done manually or automatically using spf-ip-extract.py.
graph.py generates the graphs which show DMARC authentication results over the last 30 days (by default). Like counters.py, this is done for both trusted and unknown sources. Additionally, it generates the DNS history time line. This script relies on the trusted hosts, which must be defined in trusted-list.txt. This can be done manually or automatically using spf-ip-extract.py.
spf-ip-extract.py can automatically extract IP addresses from an SPF record. Network addresses are also supported. All IP addresses are written to trusted-list.txt.
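How a trusted list derived from an SPF record feeds the Trusted/Unknown split used by counters.py and graph.py, as an added example that is not the project's own code. The function names, the row layout and the sample data are assumptions (constructed, using documentation address ranges), and it uses Python 3's ipaddress module instead of the netaddr dependency.

```python
import ipaddress
from collections import Counter

# Constructed sample data (documentation address ranges, not real senders).
SAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 ip6:2001:db8::/32 "
              "include:_spf.example.net -ip4:203.0.113.9 -all")
SAMPLE_ROWS = [  # (source_ip, message_count, aligned_spf, aligned_dkim)
    ("192.0.2.15", 120, "pass", "pass"),
    ("198.51.100.7", 30, "fail", "pass"),
    ("2001:db8::25", 10, "pass", "fail"),
    ("203.0.113.9", 45, "fail", "fail"),
    ("198.51.100.8", 5, "fail", "pass"),
]


def extract_spf_networks(spf_record):
    """Return (networks, unresolved) for the terms of one SPF record."""
    networks, unresolved = [], []
    for term in spf_record.split()[1:]:      # skip the "v=spf1" version term
        if term[0] in "-~?":
            continue                         # only "pass" mechanisms name trusted senders
        mech = term.lstrip("+").lower()
        if mech.startswith(("ip4:", "ip6:")):
            # strict=False tolerates host bits set, e.g. 192.0.2.10/24
            networks.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech.split(":")[0].split("/")[0] in ("include", "a", "mx"):
            unresolved.append(mech)          # needs DNS lookups, not done here
    return networks, unresolved


def count_results(rows, networks):
    """Aggregate message counts per section (trusted / unknown)."""
    counters = {"trusted": Counter(), "unknown": Counter()}
    for ip, count, spf, dkim in rows:
        addr = ipaddress.ip_address(ip)
        section = "trusted" if any(addr in net for net in networks) else "unknown"
        c = counters[section]
        c["messages"] += count
        c["spf_pass"] += count if spf == "pass" else 0
        c["dkim_pass"] += count if dkim == "pass" else 0
        # DMARC passes when at least one aligned mechanism passes
        c["dmarc_pass"] += count if "pass" in (spf, dkim) else 0
    return counters


if __name__ == "__main__":
    nets, todo = extract_spf_networks(SAMPLE_SPF)
    print(nets, todo, count_results(SAMPLE_ROWS, nets))
```

Mechanisms returned in the second list (include, a, mx) still have to be resolved through DNS before the trusted list is complete; until then their senders are counted as unknown.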
dns-record-tracker.py tracks the SPF, DKIM and DMARC records of a domain. Any record change is saved
in the MySQL database. These records are used by graph.py to generate the DNS history time line.
It is advised to run this script frequently when one of the 3 records (SPF, DKIM, DMARC) is being changed often (for example during the deployment).
The individual generated files for each widget are combined into one web interface in dm-ph2.html.
The visualizations consist of the following files:
- bubble-chart-ASN.py
- heatMap-in.py
- heatMap-out.py
- bubble-chart.py
bubble-chart-ASN.py generates a bubble chart to review where emails come from, in which quantities and the ratio of successful DMARC authentication results. The categorization is based on ASN numbers obtained using pyasn. This library requires a BGP/MRT dump file as input. These dumps can be found at http://archive.routeviews.org/. The ASN <-> IP mappings for IPv4 and IPv6 are found in separate files which are not automatically merged by pyasn. A merged file of this mapping can be found under asn-mapping.dat (version of 12-08-15). Additionally, a text file with the results of each AS is generated. This file is named asn-mapping.dat. This file also contains the IP addresses found in each AS together with authentication results. The user can optionally call this script with the --asn-lookup argument, which will look up the corresponding (organizational) name of the AS.
heatMap-in.py generates a heat map that displays the authentication results of different domains based on incoming reports. Each tile is awarded a color based on the ratio of successful authentication results against the total amount of emails. Each tile contains text fields that indicate the total number of emails, volume of emails that passed DMARC and volume of email that failed DMARC.
heatMap-out.py has the same functionality as heatMap-in.py but for outgoing reports. It is based on OpenDMARC's import functionality.
bubble-chart.py is similar to bubble-chart-ASN.py but works on IP chunks rather than ASs.