Files
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

2.7 KiB

API Reference: Email Header Analysis Tools

Python email Module

Parsing EML Files

import email
from email import policy

with open("phishing.eml", "r") as f:
    msg = email.message_from_file(f, policy=policy.default)

msg["From"]           # From header
msg["To"]             # To header
msg["Subject"]        # Subject line
msg["Message-ID"]     # Unique message identifier
msg["Reply-To"]       # Reply-To address
msg["Return-Path"]    # Envelope sender
msg.get_all("Received")  # All Received headers (list)
msg.get_all("Authentication-Results")  # Auth results

Body and Attachment Extraction

body = msg.get_body(preferencelist=("html", "plain"))
content = body.get_content()

for part in msg.walk():
    if part.get_content_disposition() == "attachment":
        filename = part.get_filename()
        data = part.get_payload(decode=True)

dig - DNS Record Lookup

SPF Record

dig TXT example.com +short
# Output: "v=spf1 include:_spf.google.com ~all"

DKIM Record

dig TXT selector1._domainkey.example.com +short

DMARC Record

dig TXT _dmarc.example.com +short
# Output: "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

pyspf - SPF Validation (Python)

Syntax

import spf
result, explanation = spf.check2(
    i="203.0.113.45",            # Sending IP
    s="sender@example.com",       # Envelope sender
    h="mail.example.com"          # HELO hostname
)
# Results: pass, fail, softfail, neutral, none, temperror, permerror

dkimpy - DKIM Verification (Python)

Syntax

import dkim
with open("email.eml", "rb") as f:
    message = f.read()
result = dkim.verify(message)
# Returns True/False

AbuseIPDB - IP Reputation

API Endpoint

curl -G "https://api.abuseipdb.com/api/v2/check" \
  -H "Key: YOUR_API_KEY" \
  -H "Accept: application/json" \
  -d "ipAddress=203.0.113.45" -d "maxAgeInDays=90"

Response Fields

Field Description
abuseConfidenceScore 0-100 confidence of abuse
totalReports Number of abuse reports
countryCode Source country
isp Internet service provider

VirusTotal - Domain/URL Reputation

Domain Lookup

curl -H "x-apikey: YOUR_KEY" \
  "https://www.virustotal.com/api/v3/domains/suspicious.com"

URL Scan

curl -X POST "https://www.virustotal.com/api/v3/urls" \
  -H "x-apikey: YOUR_KEY" \
  -d "url=http://suspicious-url.com/login"

whois - Domain Registration

Syntax

whois suspicious-domain.com

Key Fields

  • Registrar - Domain registrar
  • Creation Date - When domain was registered
  • Registrant - Domain owner info
  • Name Server - Authoritative DNS servers