cisagov/trustymail cisagov/trustymail

  • Stars
    star
    185
  • Rank 208,271 (Top 5 %)
  • Language
    Python
  • License
    Creative Commons ...
  • Created over 7 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
cisagov/trustymail
github

cisagov

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Scan domains and return data based on trustworthy email best practices

Trustworthy Mail

Latest Version GitHub Build Status CodeQL Coverage Status Known Vulnerabilities

trustymail is a tool that evaluates SPF/DMARC records set in a domain's DNS. It also checks the mail servers listed in a domain's MX records for STARTTLS support. It saves its results to CSV or JSON.

Getting started

trustymail requires Python 3.6+. Python 2 is not supported.

Local installation

trustymail can be installed directly via pip:

pip install trustymail

It can then be run directly:

trustymail [options] example.com

or

python3 -m trustymail [options] example.com

Using Docker (optional)

./run [opts]

opts are the same arguments that would get passed to trustymail.

Usage and examples

trustymail [options] INPUT

trustymail dhs.gov
trustymail --output=homeland.csv --debug cisa.gov dhs.gov us-cert.gov usss.gov
trustymail agencies.csv

Note: if INPUT ends with .csv, domains will be read from CSV. CSV output will always be written to disk, defaulting to results.csv.

Options

  -h --help                   Show this message.
  -o --output=OUTFILE         Name of output file.  (Default results)
  -t --timeout=TIMEOUT        The DNS lookup timeout in seconds.  (Default is 5.)
  --smtp-timeout=TIMEOUT      The SMTP connection timeout in seconds.  (Default is 5.)
  --smtp-localhost=HOSTNAME   The hostname to use when connecting to SMTP
                              servers.  (Default is the FQDN of the host from
                              which trustymail is being run.)
  --smtp-ports=PORTS          A comma-delimited list of ports at which to look
                              for SMTP servers.  (Default is '25,465,587'.)
  --no-smtp-cache             Do not cache SMTP results during the run.  This
                              may results in slower scans due to testing the
                              same mail servers multiple times.
  --mx                        Only check MX records.
  --starttls                  Only check MX records and STARTTLS support.
                              (Implies --mx.)
  --spf                       Only check SPF records.
  --dmarc                     Only check DMARC records.
  --json                      Output is in JSON format.  (Default is CSV.)
  --debug                     Output should include more verbose logging.
  --dns=HOSTNAMES             A comma-delimited list of DNS servers to query
                              against.  For example, if you want to use
                              Google's DNS then you would use the
                              value --dns-hostnames='8.8.8.8,8.8.4.4'.  By
                              default the DNS configuration of the host OS
                              (/etc/resolv.conf) is used.  Note that
                              the host's DNS configuration is not used at all
                              if this option is used.
  --psl-filename=FILENAME     The name of the file where the public suffix list
                              (PSL) cache will be saved.  If set to the name of
                              an existing file then that file will be used as
                              the PSL.  If not present then the PSL cache will
                              be saved to a file in the current directory called
                              public_suffix_list.dat.
  --psl-read-only             If present, then the public suffix list (PSL)
                              cache will be read but never overwritten.  This
                              is useful when running in AWS Lambda, for
                              instance, where the local filesystem is read-only.

What's checked?

For a given domain, MX records, SPF records (TXT), DMARC (TXT, at _dmarc.<domain>), and support for STARTTLS are checked. Resource records can also be checked for DNSSEC if the resolver used is DNSSEC-aware.

The following values are returned in results.csv:

Domain and redirect info

  • Domain - The domain you're scanning!
  • Base Domain - The base domain of Domain. For example, for a Domain of sub.example.gov, the Base Domain will be example.gov. Usually this is the second-level domain, but trustymail will download and factor in the Public Suffix List when calculating the base domain.
  • Live - The domain is actually published in the DNS.

Mail sending

  • MX Record - If an MX record was found that contains at least a single mail server.
  • MX Record DNSSEC - A boolean value indicating whether or not the DNS record is protected by DNSSEC.
  • Mail Servers - The list of hosts found in the MX record.
  • Mail Server Ports Tested - A list of the ports tested for SMTP and STARTTLS support.
  • Domain Supports SMTP - True if and only if any mail servers specified in a MX record associated with the domain supports SMTP.
  • Domain Supports SMTP Results - A list of the mail server and port combinations that support SMTP.
  • Domain Supports STARTTLS - True if and only if all mail servers that support SMTP also support STARTTLS.
  • Domain Supports STARTTLS Results - A list of the mail server and port combinations that support STARTTLS.

Sender Policy Framework (SPF)

  • SPF Record - Whether or not a SPF record was found.
  • SPF Record DNSSEC - A boolean value indicating whether or not the DNS record is protected by DNSSEC.
  • Valid SPF - Whether the SPF record found is syntactically correct, per RFC 4408.
  • SPF Results - The textual representation of any SPF record found for the domain.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

  • DMARC Record - True/False whether or not a DMARC record was found.
  • DMARC Record DNSSEC - A boolean value indicating whether or not the DNS record is protected by DNSSEC.
  • Valid DMARC - Whether the DMARC record found is syntactically correct.
  • DMARC Results - The DMARC record that was discovered when querying DNS.
  • DMARC Record on Base Domain, DMARC Record on Base Domain DNSSEC, Valid DMARC Record on Base Domain, DMARC Results on Base Domain - Same definition as above, but returns the result for the Base Domain. This is important in DMARC because if there isn't a DMARC record at the domain, the base domain (or "Organizational Domain", per RFC 7489), is checked and applied.
  • DMARC Policy - An adjudication, based on any policies found in DMARC Results and DMARC Results on Base Domain, of the relevant DMARC policy that applies.
  • DMARC Subdomain Policy - An adjudication, based on any policies found in DMARC Results and DMARC Results on Base Domain, of the relevant DMARC subdomain policy that applies.
  • DMARC Policy Percentage - The percentage of mail that should be subjected to the DMARC Policy according to the DMARC Results.
  • DMARC Aggregate Report URIs - A list of the DMARC aggregate report URIs specified by the domain.
  • DMARC Forensic Report URIs - A list of the DMARC forensic report URIs specified by the domain.
  • DMARC Has Aggregate Report URI - A boolean value that indicates if DMARC Results included rua URIs that tell recipients where to send DMARC aggregate reports.
  • DMARC Has Forensic Report URI - A boolean value that indicates if DMARC Results included ruf URIs that tell recipients where to send DMARC forensic reports.
  • DMARC Reporting Address Acceptance Error - A boolean value that is True if one or more of the domains listed in the aggregate and forensic report URIs does not indicate that it accepts DMARC reports from the domain being tested.

Everything else

  • Syntax Errors - A list of syntax errors that were encountered when analyzing SPF records.
  • Debug Info - A list of any other warnings or errors encountered, such as DNS failures. These can be helpful when determining how trustymail reached its conclusions, and are indispensible for bug reports.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for details.

License

This project is in the worldwide public domain.

More Repositories

1

RedEye

RedEye is a visual analytic tool supporting Red & Blue Team operations
TypeScript
2,654
star
2

ScubaGear

Automation to assess the state of your M365 tenant against CISA's baselines
Open Policy Agent
1,580
star
3

Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.
Python
1,504
star
4

cset

Cybersecurity Evaluation Tool
TSQL
1,424
star
5

Sparrow

Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
PowerShell
1,371
star
6

log4j-scanner

log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
Java
1,262
star
7

log4j-affected-db

A community sourced list of log4j-affected software
Shell
1,115
star
8

CHIRP

A DFIR tool written in Python.
Python
1,040
star
9

decider

A web application that assists network defenders, analysts, and researchers in the process of mapping adversary behaviors to the MITRE ATT&CK® framework.
HTML
1,021
star
10

LME

Logging Made Easy (LME) is a no-cost and open logging and protective monitoring solution serving all organizations.
Python
795
star
11

untitledgoosetool

Untitled Goose Tool is a robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments.
Python
699
star
12

pshtt

Scan domains and return data based on HTTPS best practices
Python
670
star
13

crossfeed

External monitoring for organization assets
TypeScript
320
star
14

ESXiArgs-Recover

A tool to recover from ESXiArgs ransomware
Shell
292
star
15

bad-practices

CISA's catalog of bad practices that are exceptionally risky.
Shell
181
star
16

development-guide

A set of guidelines and best practices for an awesome engineering team
Python
180
star
17

ScubaGoggles

SCuBA Secure Configuration Baselines and assessment tool for Google Workspace
Open Policy Agent
148
star
18

cyber.dhs.gov

A site for CISA directives
SCSS
138
star
19

dotgov-data

Official list of .gov domains
108
star
20

check-cve-2019-19781

Test a host for susceptibility to CVE-2019-19781
Python
105
star
21

ICSNPP

Industrial Control Systems Network Protocol Parsers
104
star
22

findcdn

findCDN is a tool created to help accurately identify what CDN a domain is using.
Python
95
star
23

prescup-challenges

President's Cup Cybersecurity Competition Challenges
Python
78
star
24

shareable-soar-workflows

This is a repository of vendor-agnostic workflows provided for those interested in deploying Security Orchestration, Automation, and Response capabilities within their organizations.
74
star
25

parsnip

Python
68
star
26

ansible-role-cobalt-strike

An Ansible role for installing Cobalt Strike.
HCL
66
star
27

cybersecurity-performance-goals

CISA's space for collaboration on the Cybersecurity Performance Goals.
Shell
53
star
28

PNT-Integrity

The PNT Integrity Library provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
C++
49
star
29

join-cisagov

CISA is hiring! We’re looking for candidates passionate about our mission to lead the national effort to understand and manage cyber and physical risk to our critical infrastructure.
Shell
45
star
30

gophish-tools

Helpful tools for interacting with a GoPhish phishing instance
Python
42
star
31

gophish-docker

Docker container for the gophish phishing framework.
Shell
40
star
32

ioc-scanner

Search a filesystem for indicators of compromise (IoC).
Python
39
star
33

pca-gophish-composition

Phishing campaign docker composition for Gophish
Shell
34
star
34

vdp-in-fceb

Vulnerability disclosure policies in the US Government's executive branch
32
star
35

Epsilon

The Epsilon Algorithm Suite provides users a method to verify the integrity of the received GPS data and ranging signals, thereby improving resiliency against potential GPS signal loss.
Python
31
star
36

check-your-pulse

This utility can help determine if indicators of compromise (IOCs) exist in the log files of a Pulse Secure VPN Appliance for CVE-2019-11510.
Python
28
star
37

getgov

Building a new .gov registrar for a bright .gov future
Python
27
star
38

postfix-docker

Docker container with a postfix server designed for use during phishing campaigns
Shell
26
star
39

dotgov-home

Homepage for the .gov registry
SCSS
25
star
40

assessment-reporting-engine

Python
24
star
41

skeleton-python-library

A skeleton project for quickly getting a new cisagov Python library started.
Python
19
star
42

scanner

Automated pshtt, trustymail, and sslyze scanning
Shell
18
star
43

cyhy_amis

AWS infrastructure for Cyber Hygiene and BOD 18-01 scanning
HCL
16
star
44

skeleton-docker

A skeleton project for quickly getting a new cisagov Docker container started.
Shell
15
star
45

admiral

Distributed certificate transparency log harvester
Python
14
star
46

icsnpp-opcua-binary

Zeek OPCUA Binary Parser - CISA ICSNPP
JavaScript
13
star
47

pe-reports

Automated process to build and distribute Posture & Exposure Reports' bi-weekly to customers.
Python
13
star
48

icsnpp-enip

Zeek Ethernet/IP and CIP Parser - CISA ICSNPP
Zeek
13
star
49

icsnpp-bacnet

Zeek BACnet Parser - CISA ICSNPP
JavaScript
12
star
50

ansible-role-clamav

Ansible role to install and enable the ClamAV virus scanner
Shell
12
star
51

lambda_functions

Generate AWS Lambda environment zip files for use by cisagov/domain-scan
Shell
12
star
52

icsnpp-s7comm

Zeek S7comm, S7comm-plus, and COTP Parser - CISA ICSNPP
JavaScript
11
star
53

network-architecture-verification-and-validation

The NAVV (Network Architecture Verification and Validation) tool creates a spreadsheet for network traffic analysis from PCAP data and Zeek logs, automating Zeek analysis of PCAP files, the collation of Zeek logs and the dissection of conn.log and dns.log to create a summary or network traffic in an XLSX-formatted spreadsheet.
Python
11
star
54

docker-kali-ansible

A systemd-enabled Kali Linux Docker image, in the spirit of geerlingguy/docker-debian11-ansible.
Dockerfile
10
star
55

tic3.0

Collaborating on Trusted Internet Connection 3.0 use cases
10
star
56

icsnpp-genisys

Industrial Control Systems Network Protocol Parsers (ICSNPP) - Genisys over TCP/IP
Python
10
star
57

gh-skeleton

This extension for the gh CLI provides the ability to easily start new projects from our existing library of skeleton repositories.
Shell
10
star
58

scoping-validation-tool

SVT is a tool that can be used to verify ownership and location of assets during the scoping process of a penetration test.
Python
9
star
59

orchestrator

Orchestrate gatherer, scanner, saver, and trustymail_reporter
Shell
9
star
60

pshtt_reporter

Generate HTTPS reports based on scan data
Python
9
star
61

cyhy-mailer

Email Cyber Hygiene, Trustworthy Email, and HTTPS reports to the appropriate technical or distribution addresses
Python
9
star
62

trustymail_reporter

Generate Trustworthy Email reports based on scan data
Python
9
star
63

pre-commit-packer

Provides pre-commit hooks for Packer projects.
Shell
9
star
64

nessus-packer

Create machine images containing the Nessus vulnerability scanner
HCL
9
star
65

domain-manager-api

Flask API for Domain Manager
Python
9
star
66

gatherer

Gather domains as a precursor to scanning
Shell
9
star
67

certboto-docker

Certbot container that stores its configuration in an AWS S3 bucket
Shell
9
star
68

icsnpp-modbus

Zeek Modbus Extension Scripts - CISA ICSNPP
Zeek
8
star
69

ansible-role-kali

An Ansible role for provisioning kali
HCL
8
star
70

aws-profile-sync

Synchronize AWS credential profiles from remote sources
Python
8
star
71

icsnpp-dnp3

Zeek DNP3 Extension Scripts - CISA ICSNPP
Zeek
8
star
72

dmarc-import

A tool for parsing DMARC aggregate reports.
Python
8
star
73

icsnpp-bsap-ip

Zeek BSAP over IP Parser - CISA ICSNPP
JavaScript
8
star
74

CISASuite

The CSET, Malcom, Con-PCA suite of tools
HTML
8
star
75

skeleton-generic

A generic skeleton project for quickly getting a new cisagov project started.
Shell
8
star
76

icsnpp-ethercat

Zeek Ethercat Parser - CISA ICSNPP
C++
8
star
77

Sogu

This script generates a list of possible SOGU filenames based on serial numbers of active drives. It has the added functionality of searching each drive from the generated file list.
PowerShell
8
star
78

PNT-Integrity-Toolkit

The PNT Integrity DIY Toolkit describes how a perspective end-user of the PNT Integrity Library can assemble a demonstrational toolkit with commercial-off-the-shelf (COTS) hardware.
C++
7
star
79

travis-wait-improved

A tool to help long-running, yet reticent, processes avoid death at the hands of Traivs-CI.
Python
7
star
80

con-pca-api

API Docker Container for Con-PCA
HTML
7
star
81

.dotfiles

Generic set of dotfiles to get you started with a cisagov development environment
Shell
7
star
82

domain-manager-ui

UI for the Domain Manager
HTML
7
star
83

pen-testing-findings

A collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses that may be discovered during a penetration test.
7
star
84

vulnerable-instances

Virtual machines that are set up with a variety of known vulnerabilities.
HCL
7
star
85

scan-target-data

Contains data used to identify targets for scanning
Shell
6
star
86

openvpn-server-tf-module

Terraform module to create an OpenVPN server instance
HCL
6
star
87

ansible-role-burp-suite-pro

An Ansible role for installing Burp Suite Professional
HCL
6
star
88

con-pca-web

The website source and terraform code for continuous phishing assessment.
HTML
6
star
89

security-contact-finder

Making government security contacts accessible
CSS
6
star
90

con-pca-cicd

continuous phishing main repository
HCL
6
star
91

flare-misp-service

Automate the regular transfer of AIS data into a MISP Server
Java
6
star
92

saver

Save scan results to a database
Python
6
star
93

megazord-composition

Shell
6
star
94

ansible-role-openvpn

Ansible role to install an OpenVPN server and configure it to authenticate users certificates against FreeIPA.
Shell
6
star
95

ansible-role-amazon-efs-utils

An Ansible role for installing aws/efs-utils
Shell
5
star
96

awssh

Tool to simplify secure shell connections over AWS simple systems manager.
Python
5
star
97

sslyze-lambda

AWS Lambda function for sslyze
Python
5
star
98

cyhy-core

Python
5
star
99

ncats-data-dictionary

Shell
5
star
100

cool-assessment-terraform

Terraform to deploy an assessment environment to the COOL
HCL
5
star